How to hack grey matter
February 23, 2002 6:17 PM Subscribe
How to hack grey matter A big security loophole with grey matter powered sites is out there. It lets anyone have the username and password to these sites. Luckly there is a fix for it which can be found here.
To be fair, it seems that it doesn't affect all Greymatter sites, just those who have directory browsing turned on in the install directory and no index.* file to mask it.
Of course, because 'n' seems to be a number under 100,000, it wouldn't be hard to write a perlscript to try all the combinations on your favorite greymatter site, googled or not.
Tsk, tsk, tsk on security through obscurity. Tsk, tsk also for posting the means of the hack to MeFi before trying to let site owners know through Noah's mailing lists...
posted by kfury at 6:32 PM on February 23, 2002
Of course, because 'n' seems to be a number under 100,000, it wouldn't be hard to write a perlscript to try all the combinations on your favorite greymatter site, googled or not.
Tsk, tsk, tsk on security through obscurity. Tsk, tsk also for posting the means of the hack to MeFi before trying to let site owners know through Noah's mailing lists...
posted by kfury at 6:32 PM on February 23, 2002
It's not "security through obscurity" -- there's nothing obscure about the "Clear and Exit" button on the bookmarklets screen at all, and if you have the smallest idea of what you're doing through creating bookmarklets (or even if you don't) you'd realise that the button was there for a reason. Click there to clear and exit. It's rather a no-brainer.
However, I agree, there's no reason whatsoever to have posted the link to the "hack" as an FPP. An explanation of the problem and a link to the fix would've been much more appropriate.
posted by Dreama at 6:45 PM on February 23, 2002
However, I agree, there's no reason whatsoever to have posted the link to the "hack" as an FPP. An explanation of the problem and a link to the fix would've been much more appropriate.
posted by Dreama at 6:45 PM on February 23, 2002
Tsk, tsk also for posting the means of the hack to MeFi before trying to let site owners know through Noah's mailing lists...
But he did post a link to the fix which noah states he has been emailed about this and lets people know how to fix it.
Maybe you are saying Tsk tsk because you realized your site was vunerable and didn't finish reading that he posted a link to the fix?
posted by willsey at 6:45 PM on February 23, 2002
But he did post a link to the fix which noah states he has been emailed about this and lets people know how to fix it.
Maybe you are saying Tsk tsk because you realized your site was vunerable and didn't finish reading that he posted a link to the fix?
posted by willsey at 6:45 PM on February 23, 2002
I think its an expedient means to get the word out. There is a lot of GM users here at MeFi.
Machaus, RTFM doesnt always make the risk any less. I know, first hand, many people who have trouble configuring things like GM and RTFM doesnt help those who are barely above water as it is. But, you know, maybe thier just stupid ;)
kfury, it seems thebwit linked to a greymatter forum discussing this issue so I'm unclear about --
"Tsk, tsk also for posting the means of the hack to MeFi before trying to let site owners know through Noah's mailing lists..."
it would seem that by the discussion of it, its already out there. Or should we tsk tsk Noah for talking about it on GM forums before he emailed GM users too?
I think too many of you sit around waiting to find fault in every post. I see it very consistantly it certainly doesnt lead to feelings of sharing and community...
posted by ruzz at 6:47 PM on February 23, 2002
Machaus, RTFM doesnt always make the risk any less. I know, first hand, many people who have trouble configuring things like GM and RTFM doesnt help those who are barely above water as it is. But, you know, maybe thier just stupid ;)
kfury, it seems thebwit linked to a greymatter forum discussing this issue so I'm unclear about --
"Tsk, tsk also for posting the means of the hack to MeFi before trying to let site owners know through Noah's mailing lists..."
it would seem that by the discussion of it, its already out there. Or should we tsk tsk Noah for talking about it on GM forums before he emailed GM users too?
I think too many of you sit around waiting to find fault in every post. I see it very consistantly it certainly doesnt lead to feelings of sharing and community...
posted by ruzz at 6:47 PM on February 23, 2002
Anyone with knowledge on how to hack would have figured it out from the prevention measure. The Dangerous Monkey link didn't do much.
On the irony side of it, a google search turned up Dangerous Monkey's exposed file as number one.
posted by geoff. at 6:50 PM on February 23, 2002
On the irony side of it, a google search turned up Dangerous Monkey's exposed file as number one.
posted by geoff. at 6:50 PM on February 23, 2002
it would seem that by the discussion of it, its already out there.
Then a link to the fix was all that was required -- linking to the hack in a forum as heavily trafficked as this one only increases the chance that someone is going to get hacked.
Maybe you are saying Tsk tsk because you realized your site was vunerable and didn't finish reading that he posted a link to the fix?
willsey, you have no idea what you're talking about.
posted by jjg at 6:53 PM on February 23, 2002
Then a link to the fix was all that was required -- linking to the hack in a forum as heavily trafficked as this one only increases the chance that someone is going to get hacked.
Maybe you are saying Tsk tsk because you realized your site was vunerable and didn't finish reading that he posted a link to the fix?
willsey, you have no idea what you're talking about.
posted by jjg at 6:53 PM on February 23, 2002
I think too many of you sit around waiting to find fault in every post.
whatever you're running for ruzz, you got my vote!
posted by quonsar at 7:18 PM on February 23, 2002
whatever you're running for ruzz, you got my vote!
posted by quonsar at 7:18 PM on February 23, 2002
Geoff: Just because dangermonkey's site was listed doesn't mean he's vulnerable. He's the guy who published the hack, therefore google associates that text with him. Ironic? Hardly.
posted by bloggboy at 7:34 PM on February 23, 2002
posted by bloggboy at 7:34 PM on February 23, 2002
Looks like that guys copy of greymatter has already been hacked. What a fool.
posted by pete at 7:34 PM on February 23, 2002
posted by pete at 7:34 PM on February 23, 2002
bloggboy, if you took the time to look you'd find that that his gmrightclick file was indeed listed, and I checked -- it had his authorname and password listed in clear view. I guess, according to pete, he didn't change his name or password OR delete the file.
Ironic. YES!
posted by geoff. at 8:00 PM on February 23, 2002
Ironic. YES!
posted by geoff. at 8:00 PM on February 23, 2002
After reading the description, I clicked on the link expecting to find instructions for gaining root access to a human brain.
-Mars
posted by Mars Saxman at 8:50 PM on February 23, 2002
-Mars
posted by Mars Saxman at 8:50 PM on February 23, 2002
Releasing the details of a hole after a fix is available is standard operating procedure for security lists. The guy who found the original hole should've notified Noah privately and given him a few weeks to deal with it, but at this point, pretending people don't know the hole exists hurts more people than it helps.
posted by rcade at 8:59 PM on February 23, 2002
posted by rcade at 8:59 PM on February 23, 2002
As an aside, most Apache installations are set up so they won't serve any file that begins with .ht (such as .htaccess). If these files have to be created, less people would be at risk if it was named something like .htgmrightclick-*.
posted by rcade at 9:03 PM on February 23, 2002
posted by rcade at 9:03 PM on February 23, 2002
The big problem is the people that use the same password for *everything* (or even two or three or four). Hack Greymatter, hack their 1-click shopping at Amazon, hack their dialup, etc.
I'm appreciative this was posted to the front page, I wouldn't have found out about it any other way until much later.
posted by mutagen at 12:57 AM on February 24, 2002
I'm appreciative this was posted to the front page, I wouldn't have found out about it any other way until much later.
posted by mutagen at 12:57 AM on February 24, 2002
The big problem is the people that use the same password for *everything*
Yeah, well, they shouldn't do that. If they didn't know that before, they do now.
posted by kindall at 9:28 AM on February 24, 2002
Yeah, well, they shouldn't do that. If they didn't know that before, they do now.
posted by kindall at 9:28 AM on February 24, 2002
I think too many of you sit around waiting to find fault in every post. I see it very consistantly it certainly doesnt lead to feelings of sharing and community...
I almost didn't post this security issue because of what ruzz said. The moment I posted it I knew that someone was going to be annoyed and figure some way to attack me for posting it.
I posted it on the 23 of Feb. I knew about the loophole since the 11th. I waited until I found out how to fix the loophole before posting.
So to say Tsk tsk, I shouldn't have posted it - in my opinion is wrong. People need to know about this. You could have said tsk tsk if I posted only the link about the loophole and not a fix. But since I posted a fix along with the loophole, I did what is standard bug reporting.
posted by thebwit at 9:36 AM on February 24, 2002
I almost didn't post this security issue because of what ruzz said. The moment I posted it I knew that someone was going to be annoyed and figure some way to attack me for posting it.
I posted it on the 23 of Feb. I knew about the loophole since the 11th. I waited until I found out how to fix the loophole before posting.
So to say Tsk tsk, I shouldn't have posted it - in my opinion is wrong. People need to know about this. You could have said tsk tsk if I posted only the link about the loophole and not a fix. But since I posted a fix along with the loophole, I did what is standard bug reporting.
posted by thebwit at 9:36 AM on February 24, 2002
"On the irony side of it, a google search turned up Dangerous Monkey's exposed file as number one."
It's not irony, what is more likely is that someone totally other than dangerousmonkey discovered this exploit, searched google for gmrightclick, and then used the exploit on the first site he found, dangerousmonkey, to post the exploit. I think it's pretty obvious this is what happened.
posted by beefula at 8:30 AM on February 25, 2002
It's not irony, what is more likely is that someone totally other than dangerousmonkey discovered this exploit, searched google for gmrightclick, and then used the exploit on the first site he found, dangerousmonkey, to post the exploit. I think it's pretty obvious this is what happened.
posted by beefula at 8:30 AM on February 25, 2002
It's only a loophole if you didn't RTFM.
That's no excuse... any (software/system/etc.) designer should know that if a user is given a variety of choices, they will probably not make the right one. It's not the user who is at fault; it's the system... had the system not been open to this fault none of it would come about.
posted by crankydoodle at 1:52 PM on February 25, 2002
That's no excuse... any (software/system/etc.) designer should know that if a user is given a variety of choices, they will probably not make the right one. It's not the user who is at fault; it's the system... had the system not been open to this fault none of it would come about.
posted by crankydoodle at 1:52 PM on February 25, 2002
« Older | Keo Satellite to Carry Messages to Earth's Future Newer »
This thread has been archived and is closed to new comments
posted by machaus at 6:30 PM on February 23, 2002