[aaronwp]

Sega Europe left AWS S3 creds laying around in a server image on downloads.sega.com. I was able to use them to enumerate a bunch of storage, dig out more keys, and mock up a spear phishing attack against the Football Manager forums.

All the keys and services are secure and the breach is closed.

[phnofive]

Is it common, now or historically, to follow up a notification of compromise with self-directed PoC and privilege escalation exercises on the resources of a company with which you're not under contract? My naïve take is that this was a series of well-intentioned but possibly criminal actions used to illustrate a lesson we could all be reminded of from time to time.

Also, the HackerOne page doesn't appear to be claimed by SEGA Sammy, so notices might dead-end there as well.

[throwawaygh]

> Is it common, now or historically

Historically: yes.

Now: no.

> possibly criminal

Sans some sort of formal agreement (which platforms like HackerOne might facilitate), it's definitely criminal. (IMO at least not unethical, to be clear.)

Again, sans some sort of contract either one-off or platform based. If SEGA wanted a prosecution, they would almost certainly be able to convince a prosecutor to press charges. The prosecutor would certainly get a guilty verdict. (Or, much more likely, a guilty plea with a bit of prison time and stiff probation.)

This still happens from time to time in much more ambiguous situations. E.g., https://www.nytimes.com/2021/10/15/us/missouri-st-louis-post...

Fortunately, there's a bit of a gentleman's detente among reasonable white hats and reasonable companies. But if you venture much outside of the small set of companies who rely on and have technologists in senior leadership, the story changes fast.

[floatingatoll]

That detente's boundaries may be somewhat vague and impossible to guarantee, but you can broad-brush paint yourself into a safer box with these four principles:

- Don't make humiliating changes to their content

- Don't mess with their userbase

- Don't leave undocumented backdoors

- Don't damage production

If you do your best to comply with those principles, then you can make a strong argument to a judge/jury that your behavior was without malice, which will notably improve your chances of survival if someone decides the usual detente isn't palatable.

[kingcharles]

I used to do this white hat hacking back in the day: modify a page on the web server, send a link to the admin with the exploit walkthrough.

It's a dangerous game to play now, though. You're basically betting the company you tested your PoC on would rather avoid the negative PR of filing charges against you, vs. a bunch of non-technical suits who just want to see you do 150 years in Sing Sing.

[voakbasda]

Yup, this was totally criminal in most jurisdictions. I don’t care if the person intended to help; this kind of vigilante hacking deserves to land you in prison.

You want a bounty? Talk to me before you break into my systems. Because once you do that without my permission, you have proven yourself completely unworthy of being trusted. Why should I believe that you have not installed a rootkit or other tech that you did not subsequently disclose?

You will need to be treated the same as any other criminal. If my insurance gets involved, that also probably means directly assisting with an attempt at criminal prosecution.

So, yeah, brilliant strategy. /s

[voakbasda]

Not sure why my comment got downvoted, but it very much feels like HN is defending this kind of behavior. This is why we can’t have nice things.

[rectang]

You can't have nice things because you aggressively criminalized the white hats, thus were never warned by them before a black hat took your nice things away.

> Why should I believe that you have not installed a rootkit or other tech that you did not subsequently disclose?

Because doing that and also disclosing your identity would be incredibly stupid?

[ajmurmann]

> You can't have nice things because you aggressively criminalized the white hats

voakbasda even proposed giving a bounty. Is defacing a website and spearfishing the users (as is claimed higher up in the thread) needed for white hats to do their thing? I'm surprised that we aren't all in agreement that this isn't at least grey hat behavior.

[rectang]

It's unclear to me where the line is being drawn and a zero-tolerance policy applied with maximum criminal penalties pursued.

The whole world sucks: the companies who are slovenly with our data, the criminals who exploit that data when it is inevitably leaked, the grey hat hackers who "joyride to prove they found your keys" to use the memorable metaphor from elsethread, the circumstances which make probing for vulnerabilities incredibly risky because one misstep gets you a prison sentence. the resulting feast of vulnerabilities ripe for criminal exploitation....

[batch12]

>You can't have nice things because you aggressively criminalized the white hats

This isn't how a white hat should behave. At the first issue, they should have stopped, reported, and waited. At the very least, a responsible disclosure, followed by a reasonable time, then maybe public disclosure-- or just move on. Continuing to dig and steal information because someone didn't reply is unacceptable.

[rectang]

I cede the point. It's incredibly frustrating because the harm done is minuscule in comparison to the unsafe business practices exposed. The toxic data hoarder will skate, the messenger will be shot, and the public will continue to be victimized by black hats exploiting toxic data stockpiles.

[tata71]

Honeypots etc make this absolutely true.

[duxup]

How do you know there’s a breach without seeing it?

[whoknew1122]

How would Sega know there are AWS API keys in a public S3 bucket without vpnoverview defacing their careers site? Sega could probably, y'know, look in the S3 bucket at the identified file which contained the keys.

All of the things found could have been investigated by Sega and replicated if vpnoverview just documented how they got access to the info.

You don't have to joyride in a car to show the owner that they dropped their keys.

[craftinator]

> You don't have to joyride in a car to show the owner that they dropped their keys.

This is the most accurate analogy I've seen in months, thank you for sharing it!

[wwtrv]

In this case SEGA, due to their incompetence lost a bunch of car keys owned by other people despite claiming that they’ll keep them safe (and having a legal obligation to do so under GDPR). So I don’t see any problem with publicly exposing them.

[batch12]

A vulnerability or a breach?

[aaronwp]

Yes, if PII is involved it's common to run an audit like this. In addition to the access keys on the server image, Sega also accidentally published a database export containing PII. In order to write a comprehensive disclosure I have to investigate thoroughly.

And yeah, there's no branding or information on HackerOne. Even if this had been in scope, I would have thought twice about submitting anything. Our publishing standards match HackerOne ethical disclosure standards.

[phnofive]

Did Sega agree to this public disclosure?

Referring to the HackerOne standards, it appears your team violated a couple:

> Respect privacy. Make a good faith effort not to access or destroy another user's data.

> Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

[wwtrv]

Public disclosing it seems to clearly fall under the ‘ Act for the common good through the prompt’ since SEGA’s user are the real victims in this situation and have the right to known that SEGA us incapable of keeping their data safe.

[batch12]

This sounds similar to justification used by ransomware groups.

[rectang]

Only under the most carelessly superficial analysis.

Is there any limit to the vast, systemic negligence and enabled criminality which can be excused away into nothingness because the circumstances under which they were made public were problematic?

This isn't a criminal prosecution of the company who was irresponsible with user data. If the people who exposed the negligence screwed up, that doesn't mean we have to act as though that the negligence ever happened.

Demonizing the messenger while remaining silent about the message is a choice.

[tentacleuno]

> Even if this had been in scope, I would have thought twice about submitting anything.

Sorry, I don't understand. Why would you be hesitant to responsibly disclose it to HackerOne?

[phnofive]

They didn't know about it beforehand, but even if you visit the page, it says that SEGA Sammy hasn't claimed it, so it appears unofficial.

[ta3927590]

Historically, definitely. Currently? Fairly common. However, what's both historically and currently uncommon is having the sense to not do so while also identifying yourself. For the h4x0r cred, or whatever. Which is of course childishly idiotic, but makes my job a whole lot easier. In my experience, if you're not under any such contract and even if you are going to report such a compromise in complete good faith and have done no damage, you are far better off doing so as anonymously as possible. Nobody likes to be embarrassed, and it's a lot simpler for a corporation with a stock price and public image to think about to pin the whole situation on those damn hackers than own up to even the slightest degree of incompetence. Typing at work in sort of a hurry so, please forgive grammatical issues.

[vmception]

Should have just left it at that and collected the bug bounty, defacing for a proof of concept and telling everyone pretty much makes you ineligible in any white hat program. Can I get dibs on your flat while you're in the... camp?

[duxup]

> dig out more keys

I guess that if they leave them lying around that it is likely there are more.

[jsploit]

> I was able to use them to enumerate a bunch of storage, dig out more keys

That's unethical and likely criminal without explicit testing authorization (which it appears you didn't have).

I wonder if there are any examples of "researchers" being sued/prosecuted for stunts like this.

[imwillofficial]

This would be awesome as a blog post if you ever want to go into detail on how you executed each step.

[robtaylor]

Assertive: Show me something else.

[aaronwp]

stay tuned