Hacker News new | ask | show | jobs
by daguava 3973 days ago
You can list what problems you've solved by showing an image generated for you.

Ex) https://projecteuler.net/profile/daguava.png

But you can also use this to quickly test the status of accounts.

For example, I was able to find Euler is an admin account by trying

https://projecteuler.net/profile/euler.png

It tells you it's admin in the image, why?

Edit: Wonder if they're exposing some vulnerability with the HTTP 300 Multiple Files they're returning.

If you try something like this: https://projecteuler.net/profile/.wat

the page confirms a .htaccess file exists at https://projecteuler.net/profile/.htaccess we also find one at https://projecteuler.net/.htaccess

While currently inaccessible, this is a significant information leak.

All directories allow this, so you can do some digging to find what files exist.

Edit 2: while logged in, you can enumerate all usernames with a skill level attached by using URLs like

https://projecteuler.net/level=1

If you try changing the level to a period, the page conveniently tells you there are over 118k users in total (listing the first 10k), and MAY even show accounts without levels, but I'm not sure.

Combine this with the profile image URLs above and you may be able to find more admin account usernames if they have levels associated with them.

3 comments
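The post describes two related leaks: the profile-image URL answers differently depending on whether an account exists and what state it is in, and the rendered badge itself names the role. As an added illustration that is not Project Euler's code and not the poster's, the following Python models that differential-response oracle and the fix beside it. The account table, usernames and response bodies are constructed for the example; nothing here contacts any server.

```python
"""Constructed demonstration of a username-enumeration oracle of the kind
described in the post, and of a handler that closes it.  Accounts, names and
bodies are made up for the example; nothing touches the network."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample account table (hypothetical usernames and roles).
ACCOUNTS: Dict[str, dict] = {
    "alice": {"role": "user", "public": True, "solved": 42},
    "bob": {"role": "user", "public": False, "solved": 7},
    "dave": {"role": "admin", "public": True, "solved": 500},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes

    def fingerprint(self):
        # What a remote caller can compare without rendering anything.
        return (self.status, len(self.body))


def leaky_profile_image(username: str) -> Response:
    """Weak behaviour: one status per account state, and the badge text
    embeds the account's role."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return Response(404, b"No such user")
    if not acct["public"]:
        # A private profile still confirms the account exists.
        return Response(403, f"{username} ({acct['role']}): profile is private".encode())
    return Response(200, f"{username} ({acct['role']}) solved {acct['solved']}".encode())


def uniform_profile_image(username: str) -> Response:
    """Hardened behaviour: unknown and non-public accounts get byte-identical
    404s, and the badge never carries the role."""
    acct = ACCOUNTS.get(username)
    if acct is None or not acct["public"]:
        return Response(404, b"Not found")
    return Response(200, f"{username} solved {acct['solved']}".encode())


def distinguishable(handler: Callable[[str], Response], probes: List[str],
                    baseline: str = "no_such_user_zz") -> List[str]:
    """Return the probes whose (status, body length) differs from that of a
    name known not to exist.  Each such probe is an oracle: the handler told
    the caller something about that account."""
    base = handler(baseline).fingerprint()
    return [p for p in probes if handler(p).fingerprint() != base]


def role_leaks(handler: Callable[[str], Response], username: str) -> bool:
    """True if the response body for `username` names a privileged role."""
    return b"admin" in handler(username).body.lower()


if __name__ == "__main__":
    probes = ["alice", "bob", "dave", "mallory"]
    print("leaky   :", distinguishable(leaky_profile_image, probes))
    print("uniform :", distinguishable(uniform_profile_image, probes))
    print("role leak, leaky  :", role_leaks(leaky_profile_image, "dave"))
    print("role leak, uniform:", role_leaks(uniform_profile_image, "dave"))
```

With the leaky handler every real account, public or private, is distinguishable from a nonexistent one; with the uniform handler only the profiles the owner chose to publish are, and the badge says nothing about privileges. The same check applies to the level pages the post mentions: any endpoint whose response shape depends on account state is an enumeration oracle, whatever it was meant to show. The separate 300 response on nonexistent paths is, in practice, usually Apache's MultiViews content negotiation listing candidate filenames; the page does not confirm that, but if so `Options -MultiViews` removes the listing.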

So basically, by telling us this, you're completely contravening the request they made that security vulnerabilities be disclosed privately?

Kind of a jerk move.

While I am kind of a jerk, I haven't made a vulnerability of it yet, just an info leak that may help someone here complete the puzzle.
If this was an essential security library instead of a fun website, this would have been an incredibly irresponsible disclosure.

Bug bounty programs searching for security vulnerabilities rarely need completed proof of concept exploits – crashes are enough. You've laid down all of the pieces for someone competent to potentially do some real damage without much work at all, and that's exactly why the request was made not to disclose any further vulnerabilities.

The whole point of Project Euler is you're not supposed to give hints.
The attackers didn't give hints either :(
I think you're confusing "exploit" and vulnerability. An info leak is a vulnerability. Period.

And yes. You completely went around their request, and made this info public without their consent.

Actions like this are THE reason the relationship between vendors and security researchers is strained.

There's a SPECIFIC reason it's considered common courtesy to wait until a vulnerability is patched before public disclosure.

IANAL, but you also violated their ToS by doing this, and if you did this to a site I owned, especially without my consent, I'd be very motivated to contact the proper authorities and pursue civil remedies.

> if you did this to a site I owned, especially without my consent, I'd be very motivated to contact the proper authorities and pursue civil remedies.

Actions like this are THE reason the relationship between vendors and security researchers is strained.

Good grief, Americans and threatening to sue anything that moves.
First of all, how do you even know I'm an American? Nothing in my post, my bio, or anything mentions that, so that's quite a sweeping generalization, and baseless assumption.

Secondly, why are "non-americans" cool with breaking other people's shit without permission?

Excuse me? You want to be able to launch an attack, unprovoked, against a server you don't own, without permission, and you want the owner to be cool with that?

You want the owner to be cool with you disrupting business, causing untold financial damage?

PEOPLE like you are the reason that relationship is strained, and the reason the CFAA was written in the first place.

So please do keep "pen-testing" sites you don't own without anyone's permission, I'm sure you'll end up with a great life that way.

100% agree!
All of this info (sans the HTTP 300 issues) is accessible via means which have been specifically GIVEN to users on the statistics and profile page. All I've done is point out combining these lovingly provided sets of information may have a role in what has happened.
Yeah but how else would he get the same ego boost from showcasing his brilliance on HN?
Is there any reason why you're intentionally not using the email denoted on the news page?
Not the original commenter, but is PE looking for any maintenance help? I certainly don't mind doing things like issue tracking, documentation, etc.
Turns out you don't need the image method, the skill level pages put a special star next to your name if the account is an administrator:

https://projecteuler.net/level=19

Look for the gold stars