Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Legacy System' Exposed Black Hat 2018 Attendees' Contact Info (techcrunch.com)

Posted by BeauHD on from the security-snafus dept.

An anonymous reader quotes a report from TechCrunch: A "legacy system" was to blame for exposing the contact information of attendees of this year's Black Hat security conference. Colorado-based pen tester and security researcher who goes by the handle NinjaStyle said it would have taken about six hours to collect all the registered attendees' names, email and home addresses, company names and phone numbers from anyone who registered for the 2018 conference. In a blog post, he explained that he used a reader to access the data on his NFC-enabled conference badge, which stored his name in plaintext and other scrambled data. The badge also contained a web address to download BCard, a business card reader app. After decompiling the BCard app, the researcher found an API endpoint in its code, which he used to pull his own data from the server without any security checks. By enumerating and cycling through unique badge ID numbers, he was able to download a few hundred Black Hat attendee records from the server. The API was not rate limited either at all or enough to prevent the mass downloading of attendee records, the blog post said. The legacy system's API was disabled within a day of the disclosure. Black Hat said in a statement: "Thanks to them for disclosing this promptly and responsibly to our technology partner, who addressed the vulnerability immediately. We're working with our partner to ensure this isn't an issue in the future."

21 comments

  1. Nelson by shentino · · Score: 1

    Nelson Muntz says his regards.

    Seriously, the irony...

    1. Re:Nelson by SeaFox · · Score: 1

      Seriously, the irony...

      Yeah, I'm sure there's no way this was deliberate for a third-party or three-letter agency to collect info.

  2. D'oh! by Anonymous Coward · · Score: 0

    It's almost like.... attending BlackHat puts you at risk of being breached somehow more than usual? Is that so? ;*

  3. black hat is an excuse by Anonymous Coward · · Score: 0

    Black Hat and other conferences are just an excuse to travel on the company dime.

  4. BCard app by PPH · · Score: 1

    So, if I was to use the BCard app, what data would I have access to?

    --
    Have gnu, will travel.
  5. What? by Miser · · Score: 2

    What "legacy system" exactly was breached?

    Sounds like just an unauthenticated API to me where the system in question will just happily give out data if you use the API correctly.

    1. Re:What? by Hognoxious · · Score: 1

      I thought "legacy system" meant the one you've had for at least a decade and are currently replacing, or the one you're intending to replace like real soon now, honestly, and are wrapping all sorts of wrappers around in the meantime as a temporay workaround, because yo dawg ...

      But I did see a post once saying "We're developing a new legacy system ...", so maybe I'm wrong. Maybe it's a generic term for any system that the hiptarded fuckster writing the article doesn't understand the function of.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:What? by Miser · · Score: 1

      :)

      Actually the one quote I saw years ago was:

      "Legacy system, n: Something that just works."

  6. Impressive by CharlesAKAChuck · · Score: 2

    This story is actually awesome in several ways: First, the hack itself. Pretty impressive that a security hole that deep was discovered. The second awesome bit is that the security hole was disabled in a day. The third awesome thing about this story, the really incredible part, was that the hacker didn't go to jail or even get charged with multiple crimes!

    1. Re:Impressive by Anonymous Coward · · Score: 1

      Yet.

    2. Re:Impressive by Anonymous Coward · · Score: 0

      A shocking number of APIs don’t do shit for authentication. It’s not surprising anyone found this hole at all.

      You are right that it’s shocking nobody went to jail. I guess BlackHat is serious when they say “don’t be assholes” or whatever.

    3. Re:Impressive by Anonymous Coward · · Score: 0

      He or she will probably be invited to the next defcon as a speaker :D

  7. Create a new email for each conference... by Anonymous Coward · · Score: 0

    ... at the very least.

    I like to keep track of who is leaking my info and selling it to different marketers.

  8. "Legacy" code for production by Anonymous Coward · · Score: 1

    The longer I've worked in IT Operations the more I've come to realize the truth in this.

    1. Re:"Legacy" code for production by Anonymous Coward · · Score: 1

      That's the way it goes. It's quicker to just use source code that mostly works than to write anything new. Then layer over layer of code gets built on top of each other. This goes on for a decade or more. Then it becomes too difficult to remove or replace various layers so it all becomes one monolithic system that can't be upgraded and tasks are marked as "will not fix".

  9. Poser! by Anonymous Coward · · Score: 0

    A real Black Hat would have spent the six hours to steal all the data then sell it.

  10. Huh? by Ecuador · · Score: 1

    So, a vendor servicing a BLACK HAT conference had an API in place that would just return user data without any sort of authentication? And nobody in that company saw the problem?
    Yeah, ok, let's call it "legacy" in some sort of attempt to shift blame to... I don't know who... the 80s maybe???

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  11. Why is it called "Black Hat" anyway? by Anonymous Coward · · Score: 0

    "Black Hat"..."Gourmet food"

  12. So that's what it's called now... by Anonymous Coward · · Score: 0

    So we are calling bad / stupid / incompetent security practices "legacy systems" now? So do they offer a different version of the same API that is in question? If not then it's not legacy.