  • Andrew (unregistered)

    Oh I hope he called you on a cell phone, and it was auto dialed. If a computer dials your cell for solicitation reasons, that operator owes you $500.

  • Henrik (unregistered)

    I love how you didn't even bother anonymizing it.

  • Kal (unregistered)

    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

  • jtl (unregistered)

    I love that the site is still the same.

  • Chris (unregistered)

    These guys called and gave me a similar sales pitch - didn't want to tell the price until after they had my card number. Not a good sign. I wrote it off as just another scam and didn't think any further.

    It seems that even after chastising you for hacking their site, they haven't done anything about it - the same username and password still work. Hurrah for "secure" websites!

  • snoofle (cs) in reply to Kal
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.

  • sweavo (unregistered) in reply to snoofle
    snoofle:
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.

    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)

  • Alan (unregistered) in reply to Kal
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

    Oh well, I hear Cuba is lovely this time of year. Uzbekistan not so much.

  • jtl (unregistered) in reply to sweavo

    Did that guy who cracked the iPhone go to jail?

    No.

  • snoofle (cs) in reply to sweavo
    sweavo:
    snoofle:
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.

    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)

    Sadly, you are probably right. However, I personally would be willing to send a donation to help pay Alex's legal bills!

  • RogL (unregistered)

    Surprised nobody has commented on the real WTF:

    It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.

    You don't need the username/password if you have the URL to the page; it opens right up.

  • m (unregistered) in reply to RogL

    Indeed. In fact, this WTF is like one of those super-interactive alternate reality games, y'know.

    SECURE Federal stuff ftw!

  • Staszek (unregistered)

    That is a very frequent scam, just next to "Nigerian Connection" - the one where some Nigerian officials ask you for help transferring huge amounts of money.

    They ask you for a credit card number and fax a document, where you agree not only to pay an insane amount of money for being listed on a sheet of paper in somebody's drawer, but in very tiny letters you also agree to be charged yearly.

    You can decline, of course, by sending a notice to an address that is invalid (surprisingly). Of course, since you cannot deliver the decline notice, they shall charge you next year...

  • gabba (cs)

    The real WTF is the hopelessly confusing indentation in the javascript.

  • snoofle (cs) in reply to RogL
    RogL:
    Surprised nobody has commented on the real WTF:

    It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.

    You don't need the username/password if you have the URL to the page; it opens right up.

    True. If you open the page, and click on New York, the first item comes up with:

    From the list below, select the product(s) that you are searching for to obtain information on small businesses located in your selected area

    10.) Weapons <-- first choice

  • bd (unregistered)

    FWIW, I've just added their secure page into Google. Maybe those poor sods who shelled out for listing will finally get a call from some prospective client.

  • Lysis (cs)

    Now THAT'S some l33t h4x0ring!

    Edit: The Page.Title of the "secure" web page even says "SECURE" (caps included). That made me rofl.

  • Jamie (unregistered)

    This'll get deleted again as soon as you see it, but you have made yet another mistake:

    "a deluge of companies somehow manage to find to out"

    Do you actually read what you're about to post?

  • AbbydonKrafts (cs)

    Awesome. Reminds me of when my mom fell for the Who's Who crap in the early 90s when I was in high school. I'm embarrassed that I'm in it.

  • akatherder (cs) in reply to Staszek
    Staszek:
    That is a very frequent scam, just next to "Nigerian Connection" - the one where some Nigerian officials ask you for help transferring huge amounts of money.

    They ask you for a credit card number and fax a document, where you agree not only to pay an insane amount of money for being listed on a sheet of paper in somebody's drawer, but in very tiny letters you also agree to be charged yearly.

    You can decline, of course, by sending a notice to an address that is invalid (surprisingly). Of course, since you cannot deliver the decline notice, they shall charge you next year...

    And don't forget the fine-print also says you agree not to request a charge-back from your credit card company, punishable by a sizable fine paid to the scammer (who has your cc#).

  • John (unregistered) in reply to sweavo
    sweavo:
    snoofle:
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.

    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)

    The real-world analog of this is like putting a locked door in the park, without any wall or fence attached, not even a landmark.

    The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally, you can open it just by opening the URL. I won't be surprised if the page could be found in Google cache too. There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the "Hacking Democracy" HBO documentary.

    Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.

  • DeLos (cs)

    Wow. this is an amazing opportunity. Please give me the Phone number so I can sign up. Government agencies spend A LOT of money!

  • Herohtar (unregistered)

    Hah, I just hacked their site too! I am so awesome.

  • Edss (unregistered)

    Can someone in the US call their toll-free customer support and request a password reset? Then when we "hack" the site again someone else can call.

    These people need as much hassle as we can give them.

  • Rawr (unregistered) in reply to Herohtar

    Haha, I just had to see for myself. Hilarious..

  • Jazz (unregistered)

    My new business plan:

    1. Start contacting companies in the directory.
    2. Let them know that you discovered their information on the federal supplier's guide.
    3. Tell them that the security on the site can be easily bypassed.
    4. Explain that this allows lots of people who are not Federal Procurement Peons to see their company's listing.
    5. Explain that this is really good for their exposure and will lead to lots of new business.
    6. Let them know that for the small, nominal fee of $5,000, you will post instructions on how to access the directory all over the web, in order to give them that exposure.
    7. Profit!

  • Whitey (unregistered) in reply to John
    John:
    sweavo:
    snoofle:
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.

    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)

    The real-world analog of this is like putting a locked door in the park, without any wall or fence attached, not even a landmark.

    The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally, you can open it just by opening the URL. I won't be surprised if the page could be found in Google cache too. There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the "Hacking Democracy" HBO documentary.

    Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.

    To complete the analogy... They put a sticky note next to the doorknob telling you the key is under the mat.

    I think it would be good if the people listed on all those pages were somehow contacted and pointed back to this site. I'm sure most of them are oblivious to the fact that they have been scammed.

  • jpaull (cs)

    I found another WTF (at least on IE7). If you start from the home page and click on the "Agents" link, the "Federal Regulations" tab on the menu bar splits into two tabs. It doesn't even split on the whitespace but on the R and E in regulations.

    Nice!

  • real_aardvark (cs) in reply to Chris
    Chris:
    These guys called and gave me a similar sales pitch - didn't want to tell the price until after they had my card number. Not a good sign. I wrote it off as just another scam and didn't think any further.

    It seems that even after chastising you for hacking their site, they haven't done anything about it - the same username and password still work. Hurrah for "secure" websites!

    We'd like to think that these weird "directory" services have been superseded by the intertubes, wouldn't we? Oh well. It'll happen when HR freezes over.

    You're making a few assumptions here, aren't you?

    You're assuming that the salesperp gives a shit and will pass the info on. (Actually, you're even assuming that the salesperp has the slightest idea of what Alex is talking about.) This never happens.

    You're assuming that the boiler-room scam in question has any sort of IT staff whatsoever (down to and not excluding a janitor with basic Front Page skillz). This never happens.

    You're assuming that, in lieu of that, they've employed a smart(ish) fourteen year old, payable in M&Ms and/or porn, to produce this cute little snippet. Well, this probably does happen, and more than we'd care to think. Unfortunately, school vacation is over.

    The alternative is outsourcing, and I await the usual torrent of whines with trepidation. A fix would still be twelve hours away, though. And we'd all like to see it go through QA before being deployed on production, wouldn't we?

  • WhiskeyJack (cs) in reply to Whitey
    Whitey:
    To complete the analogy... They put a sticky note next to the doorknob telling you the key is under the mat.

    Actually I think it'd be more like a sign saying "There is no key under the mat that unlocks this door!"

  • DC (unregistered)

    Not only are the password and username there for all to see, you can also go straight to the URL (hidden inside the if).

  • medialint (cs) in reply to DC
    DC:
    Not only are the password and username there for all to see, you can also go straight to the URL (hidden inside the if).

    That's the first thing I did ...

    http://officers.federalsuppliers.com/agents.html

  • German B. (unregistered)

    I would be surprised and utterly disappointed if that crappy site would be considered to be "protected" and if their accusation of hacking would be legally viable. All HTML, CSS and Javascript on the web is visible by definition. Nobody is guilty for peeking at page source. What WTF developers expose to the client, they do at their own risk. This doesn't even qualify as obfuscation. The URL is visible and no authentication whatsoever is required to access its contents. There is only a false security facade. Their claim of SECURITY is a blatant lie and their customers should do something about it. WTF !!!!!!

  • Danny V (unregistered)

    ROFLMAOSOAOIJNLOL!!!! Ahhh... that site's so secure that nobody accesses it except hackers!

  • Yep (unregistered)

    Everyone is missing the real WTF.

    That page uses frames.

  • Vempele (unregistered) in reply to gabba
    gabba:
    The real WTF is the hopelessly confusing indentation in the javascript.

    And brillant security it is indeed - it confused at least one potential hacker!

  • Redbeard (unregistered)

    So, the real WTF is that no government purchasing agent is going to search the web for sales leads. They are going to call the guy they met at some trade show or the guy who has a relationship with the purchasing agent.

  • kyle (unregistered)

    The sad part is you needn't add your company to Central Contractor Registration for these calls. I field one or two a month and I'm just a lowly video rental store!

  • DMac (unregistered)

    I randomly clicked their listings as follows:

    region 6 > california > live animals

    and learned that I could obtain a "far-infrared sauna."

    For all of the times I have visited the zoo, I have never encountered one of these... Sounds exotic.

  • akatherder (cs) in reply to Yep
    Yep:
    Everyone is missing the real WTF.

    That page uses frames.

    Yes, that makes up for any javascript vulnerabilities because frames securely mediate, by design. Secure multi-mediation is the future of all webbing.

  • Doug (unregistered)

    Thanks! These guys called me and I was considering paying them! You really helped out business owners and stuck it to the hucksters with this. Thanks again!
