Are these lad’s even trying?

Hey G33ks

So I’ve pentested a few “development” sites of a school (why are development sites available on the public?), and they seemed to got mad at me (threatening they would beat me up, sue me, all the general bullcrap).
Well, I got a thing for you: be glad that I pointed out the issues before some kind of A-hole came by and started tearing your site apart.
I’m not sorry in advance for all the things I’m about to show you.

and to the school who hosts these websites (I’m looking at you Landstede): if you are reading this: for crying out loud, teach how to decently secure a website before putting it on the internet.
Some a-hole might just come around and upload some “Captain Picard” on the websites.
I mean come on, didn’t you guys even give the basics of security?

Posting a blogpost without authentication, such a great idea!

Putting your username and password to the admin panel in the “hint”, such a great idea!
*This image has been removed for privacy reasons*

Putting your email adress and phone number in your “contact” information, such a great idea!

Hey, look!
This one even was nice enough to put his home adres on!
How frigging billiant!

Atleast this guy keeps his number private…

Hey babe, may I have your number aswell? 🙂

Hey, I could pretty much copy her whole identity! (+ point for keeping actual private email and school email seperated)

This site isn’t actually to bad…

Oh… It’s a just template…

Oh… It’s wordpress (which is a definite plus-point)

And it’s even up to date!

Now these sites are just picked at random.
But serious guys, learn how to obfuscate, don’t put your passwords in plain sight, use authentication when doing some administrative voodoo…
And seriously, don’t put your private bits online…

I have been very patient with you lads over at Landstede, but really?
You guys just seem to want to be the subject of malicious users?

Also, keep your students from threatening me, especially if they have jackshit clue what they are talking about.
Be happy that I came along, instead of some twat who would silently use your sites, for his evil deeds.

Well, I hope you will actually do something about it, since I’ve decided to change my scheme a bit (since you seem to be rather ignorant about it?).
Instead of giving you time to patch it, I’ll just make zero-days out of it id I’d like so 🙂

G33k Out!

Comment ( 1 )

  1. FinlayDaG33k » Better go complain on some 18-year-old!
    […] Are these lad's even trying? […]

Leave a reply