250 thousand emails at risk? It is a feature!

10/07/2008 Written by minor

“It is not a bug, it is a feature. You invented the wheel.”

If you get this kind of answer from a website operator in relation to a security bug found in his application, then you have only two choices: either you’re paranoid or the operator doesn’t care much about security. What are we talking about? About the leakage of 250.000 email addresses.

One of the most visited websites in Slovakia, the community website Azet.sk, known for its freemail and chat services, has several sections, among them a dating section. The website is visited by surfers of various ages who would like to find a partner for anything: chatting, meeting, sex etc. You just post an announce and everybody can respond to you through a web form. But a few days ago, one of the most visited security blogs in Slovakia, blog.synopsi.com, published a detailed description of how to get email addresses from the Azet dating service, together with a PoC script.

When sending a message to a selected user of the dating service from an opened announce (identified by its ID), the recipient’s email address is sent along in a hidden form field. oooo (the blog admin) wrote a script in Python and compiled it to a Windows binary that could automate the extraction of addresses. He started with ID=1, which should correspond to the first announce in the dating section, but the first emails were only extracted around ID=300000. The script stopped working at ID=900000 and resulted in 250000 extracted emails, which is approximately 14 of the whole number of Internet users in Slovakia. Of course it could also be less, because some individuals use more than one email address, but the number is really high.
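The hidden-field pattern described above, beside a hardened form that keeps the address server-side, plus a log check for the consecutive-ID walk that this kind of harvesting leaves in access logs. This is an added example, not code from the post, from oooo’s PoC or from Azet.sk; the announce records, the URL layout `/zoznamka/announce/<id>` and the log lines are constructed stand-ins.

```python
import html
import re
from collections import defaultdict

# Constructed stand-in for the dating-section announces; not data from Azet.sk.
ANNOUNCES = {300001: {"nick": "anna", "email": "anna@example.invalid"},
             300002: {"nick": "peter", "email": "peter@example.invalid"}}

def render_form_leaky(announce_id):
    """The pattern the post describes: the recipient address is shipped to the browser in a hidden field."""
    email = html.escape(ANNOUNCES[announce_id]["email"])
    return f'<form method="post" action="/send"><input type="hidden" name="to" value="{email}">' \
           '<textarea name="msg"></textarea></form>'

def render_form_hardened(announce_id):
    """Hardened form: only the public announce ID reaches the browser; the address never leaves the server."""
    return f'<form method="post" action="/send"><input type="hidden" name="announce_id" value="{int(announce_id)}">' \
           '<textarea name="msg"></textarea></form>'

def handle_send(form, outbox):
    """Server-side send handler: resolve the recipient from the ID here and never echo the address back."""
    target = ANNOUNCES.get(int(form["announce_id"]))
    if target is None:
        return False
    outbox.append((target["email"], form["msg"]))
    return True

# Detection side. Assumed URL layout /zoznamka/announce/<id> and constructed log lines; both are illustrative.
LOG_RE = re.compile(r'^(\S+) .*"GET /zoznamka/announce/(\d+) ')
SAMPLE_LOG = [f'203.0.113.9 - - [10/Jul/2008:10:00:{i:02d} +0200] "GET /zoznamka/announce/{300000 + i} HTTP/1.1" 200 512'
              for i in range(1, 8)]
SAMPLE_LOG.append('198.51.100.4 - - [10/Jul/2008:10:05:00 +0200] "GET /zoznamka/announce/300002 HTTP/1.1" 200 512')

def sequential_walkers(log_lines, min_run=5):
    """Return client IPs whose announce requests contain a strictly consecutive ID run of at least min_run,
    the footprint an ID=1..N harvester leaves behind (a normal reader jumps between unrelated IDs)."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].append(int(m.group(2)))
    flagged = []
    for ip, ids in seen.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(ip)
    return flagged
```

The hardened form alone does not stop enumeration of the announces themselves, it only removes the email from what an enumerator can collect; the log check is the second layer that makes the walk visible.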

The functionality of this script, with some of the extracted email addresses, can be seen in this video.


Among the results were also several email addresses belonging to government bodies, municipalities, universities, schools etc.; the authors published them together with links to the announces carrying those email addresses (this is an exact picture of bureaucracy everywhere in the world: officers have no time for you, but have time to look for something else).

The answer came after several hours from the Azet.sk operator, in an article named “They invented the wheel”. (We extracted some juicy sentences, because it is in the Slovak language, with our comments.)

“No emails leaked from the website Zoznamka.azet.sk, as is stated in articles on blog.synopsi.com and pocitace.sme.sk, only email contacts.” (where is the difference?)

“Processing of email addresses was developed and programmed in such a way.” (what???)

“The described way of extracting email addresses from HTML code is commonly used by spammers all over the world; they get addresses and misuse them. So this is not directly a security issue of the Zoznamka.azet.sk website.” (hey, guys, spammers can’t hit Slovakia, this is a real banana island!)

“Email contact entered when inserting a new announce is only for contact purposes and Azet.sk is not obliged not to disclose it.” (well, in the user privacy section of the rules you can read:

1. The operator obliges itself not to disclose the private data of a user to any third party.

2. As a user’s private data for these rules are considered all data that are not publicly available to other users or are not shared (for example data that were marked by the user as “not public” etc.) and email, also in case of sharing. IP address and access time (logs) are not considered private data.)

Azet.sk operators also accused the authors of blog.synopsi.com:

“Publishing email contacts and the announces allegedly connected with them on blog synopsi is questionable; it is not possible in reality to prove the connection, and this can be considered as a serious detraction and damaging of the name of the affected persons.”

In answer to this last accusation oooo stated:

“Although I connected emails and announces on purpose, Azet repeatedly said I faked them. Of course, only after they corrected the described errors. Then they advised me that they meant the connection of particular persons with the published emails. But I never said these are the particular persons. I just wrote emails and connected them with the announces. …emails were freely available on the website. It was not necessary to hack the databases in some way or steal the emails somehow… …Azet published emails in publicly available HTML code.”

Can you imagine if an issue like this affected bigger social networking websites? And their answer would be: “it’s not a bug, it’s a feature…”?
