Yahoo hacked in the ultimate full disclosure: full exploitation

One of the screenshots offered as proof of the Yahoo hack

Last month Adobe was forced to shut down its connectusers.com domain following a hack by ViruS_HimA. At the time the hacker only released details of users with adobe.com, .mil and .gov email addresses – supposedly to limit any damage done to private individuals.

This time he explains his motivations in greater detail. “I’m not looking to ruin anybody’s business; I stopped black hat activities a long time ago and will never be a black hat again.” Now he is a white hat penetration tester “in a legal manner with legal companies.” But through this work “I have found tens of 0-day vulnerabilities in big web sites such as Adobe/Microsoft/Yahoo/Google/Apple/Facebook and many more.”

Wearing his white hat, he told the companies about the vulnerabilities. “Google was great in fast reply and patch release,” he says. “Same goes with some others. But for Adobe and Yahoo, they were so slow in reply and fix. You know what? Yahoo never replied to my message!” If ViruS_HimA is to be believed, he has effectively developed his own form of semi-responsible disclosure.

When vendors fail to respond to vulnerability disclosures, many researchers believe the only recourse is full disclosure of that vulnerability. The danger is that malware authors can then make use of the information and develop new malware: a recent disclosure of a Java vulnerability after Oracle failed to patch led to an exploit being included in the Blackhole exploit kit within 24 hours, forcing Oracle to issue the patch.

ViruS_HimA’s approach is different. He doesn’t disclose the vulnerability, he uses it. Although exploiting a vulnerability is illegal while full disclosure is not, this methodology gets his message across and forces the vendor to react, but does not hand the vulnerabilities to true black hats. Of course the argument only works if the hacker does not disclose any data lifted from the breached site. “Here we go for Yahoo,” he says, “but this time I will publish proofs only, without publishing data like in the Adobe case. I have already gained the trust I was looking for.”

So if we are to believe him, he leaked some details from his Adobe hack, but no longer needs to – he just needs to provide proof of the hacks. That proof came in the form of screenshots posted to the internet. Tal Be’ery, Web Research Team Leader at Imperva, has analyzed those screenshots, and comments, “The attacked application is coded in Microsoft ASP – due to the distinct error message. This probably means that the application was not developed by Yahoo, internally, as Yahoo uses PHP.” 

It’s déjà vu, he adds. “Just a few months ago, a hacker was able to penetrate the Yahoo Voices application via SQL injection and leak 450,000 mail addresses and passwords. Yahoo Voices was acquired from a 3rd party, Associated Content.” The message from Imperva is that “This attack highlights the challenges of security with 3rd-party applications... you need to put them behind a Web Application Firewall.” The message from ViruS_HimA is “Always be proactive, not reactive, in safeguarding your critical data,” and listen to the researchers when they disclose vulnerabilities.
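Be’ery’s inference (an ASP application from “the distinct error message”) and Imperva’s advice about third-party applications both rest on the same observation: a verbose error page tells an outsider which platform the application runs on and, often, that its database layer is choking on user input. The following is an added example, not code from the article, from Imperva or from the hacker; it shows how a defender can triage captured error pages for exactly that. The four response bodies are constructed samples, not the Yahoo screenshots, and the regular expressions are this example’s own assumptions about what typical classic ASP, ASP.NET and PHP error pages look like.

```python
import re

# Constructed sample response bodies, one per platform plus a clean page.
# None of these is taken from the Yahoo screenshots; they only illustrate
# the kind of text a verbose error page hands to anyone who triggers it.
SAMPLE_RESPONSES = {
    "classic_asp": (
        "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
        "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark "
        "after the character string ''.\n"
        "/members/profile.asp, line 42"
    ),
    "aspnet": (
        "Server Error in '/' Application.\n"
        "Incorrect syntax near ''.\n"
        "Description: An unhandled exception occurred during the execution "
        "of the current web request.\n"
        "Version Information: Microsoft .NET Framework Version:4.0.30319"
    ),
    "php": (
        "<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be "
        "resource, boolean given in <b>/var/www/html/voices/article.php</b> "
        "on line <b>88</b>"
    ),
    "clean": "<html><body><h1>Something went wrong</h1></body></html>",
}

# Platform fingerprints (assumed signatures, not an exhaustive catalogue).
# The classic-ASP signature is tested first because it is the most specific.
FINGERPRINTS = [
    ("Classic ASP / ADO",
     re.compile(r"Microsoft OLE DB Provider|ODBC Drivers error|\.asp, line \d+")),
    ("ASP.NET",
     re.compile(r"Server Error in '.*' Application|Microsoft \.NET Framework Version")),
    ("PHP",
     re.compile(r"<b>(Warning|Fatal error|Notice)</b>:|\.php</b> on line")),
]

# Phrases that show the database layer reached and rejected the request.
# This is what an attacker probing a parameter with a stray quote looks for.
DB_ERROR = re.compile(
    r"Unclosed quotation mark|Incorrect syntax near|"
    r"You have an error in your SQL syntax|mysql_fetch_array\(\)"
)


def fingerprint(body):
    """Return the platform name implied by an error page, or None."""
    for platform, pattern in FINGERPRINTS:
        if pattern.search(body):
            return platform
    return None


def classify(body):
    """Return (platform, leaks_db_error) for one response body."""
    return fingerprint(body), bool(DB_ERROR.search(body))


def triage(responses):
    """Classify a mapping of label -> response body."""
    return {label: classify(body) for label, body in responses.items()}


if __name__ == "__main__":
    for label, (platform, db_leak) in triage(SAMPLE_RESPONSES).items():
        print(f"{label:12s} platform={platform!s:18s} db_error_leaked={db_leak}")
```

Run against an export of 5xx responses from a proxy or WAF log, the `triage` output is a quick inventory of which hosts reveal their platform and which of them are surfacing database errors to the client. Either finding is a reason to put a generic error page in front of the application and to review how it builds its queries; a WAF rule that blocks outbound bodies matching `DB_ERROR` is a stopgap, not a fix for the injection itself.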
