250 thousand emails at risk? It is a feature!
10/07/2008 Written by minor
“It is not a bug, it is a feature. You invented the wheel.”
If you get this kind of answer from a website operator in relation to a security bug found in his application, then you have only two choices: either you are paranoid or the operator does not care much about security. What are we talking about? About the leakage of 250,000 email addresses.
One of the most visited websites in Slovakia, the community website Azet.sk, known for its freemail and chat services, has several sections, among them a dating section. The site is visited by surfers of various ages who would like to find a partner for anything: chatting, meeting, sex etc. You just post an announcement and anyone can respond to you through a web form. But a few days ago, on one of the most visited security blogs in Slovakia, blog.synopsi.com, a detailed description of how to get email addresses from the Azet dating service appeared, together with a PoC script.
When sending a message to a selected user of the dating service from an opened announcement (identified by an ID), the recipient's email address is sent in a hidden form field. oooo (the blog admin) wrote a script in Python and compiled it to a Windows binary that automated the extraction of addresses. He started with ID=1, which should correspond to the first announcement in the dating section, but the first emails were only extracted around ID=300000. The script stopped working at ID=900000 and yielded 250,000 extracted emails, which is approximately 1/4 of the total number of Internet users in Slovakia. Of course it could also be less, because some individuals use more than one email address, but the number is really high.
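The two designs at issue, as an added example that is neither Azet.sk's code nor the blog's PoC: a reply form that carries the owner's contact address in a hidden field beside one that carries only the announcement ID and resolves the address on the server, plus the handler and a template regression check. The store, IDs and addresses are constructed.

```python
"""Reply form for a dating announcement: leaky design vs. fixed design.
Constructed example, not Azet.sk's code; the store and addresses are made up."""
from html import escape

# Constructed in-memory store: announcement ID -> owner's contact address.
ANNOUNCES = {
    300001: {"title": "Looking for a chat partner", "email": "user1@example.org"},
    300002: {"title": "Weekend hiking", "email": "user2@example.org"},
}
SENT = []  # stand-in for the mail relay, so the handler can be tested offline


def leaky_reply_form(announce_id: int) -> str:
    """Vulnerable: the owner's address is shipped to every viewer in a hidden field,
    so whoever can open announcement N can read it, and a loop over N reads them all."""
    ad = ANNOUNCES[announce_id]
    return ('<form method="post" action="/reply">'
            f'<input type="hidden" name="to" value="{escape(ad["email"])}">'
            '<textarea name="body"></textarea><input type="submit"></form>')


def fixed_reply_form(announce_id: int) -> str:
    """Hardened: only the announcement ID leaves the server; the address never does."""
    ANNOUNCES[announce_id]  # raises KeyError for an unknown ID, like the leaky one
    return ('<form method="post" action="/reply">'
            f'<input type="hidden" name="announce_id" value="{announce_id}">'
            '<textarea name="body"></textarea><input type="submit"></form>')


def handle_reply(form: dict) -> bool:
    """Server side of the fixed form: resolve the recipient from the ID here,
    reject unknown or malformed IDs, and never echo the address back."""
    try:
        announce_id = int(form.get("announce_id", ""))
    except ValueError:
        return False
    ad = ANNOUNCES.get(announce_id)
    body = form.get("body", "").strip()
    if ad is None or not body:
        return False
    SENT.append((ad["email"], body))  # the address is used only on the server
    return True


def form_exposes_email(html: str) -> bool:
    """Regression check for templates: does any stored address appear in the page?"""
    return any(ad["email"] in html for ad in ANNOUNCES.values())
```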
The functionality of this script, with some of the extracted email addresses, can be seen in this video.
Among the results, several email addresses belonging to government, municipal, university and school accounts etc. were also found; the authors published them together with links to the announcements containing those email addresses (this is an exact picture of bureaucracy everywhere in the world: officers have no time for you, but have time to look for something else).
The answer from the Azet.sk operator came after several hours, in an article named “They invented the wheel” (we extracted some juicy sentences, because it is in Slovak, and added our comments).
“No emails leaked from the website Zoznamka.azet.sk, as is stated in articles on blog.synopsi.com and pocitace.sme.sk, only email contacts.” (where is the difference?)
“Processing of email addresses was developed and programmed in such way.” (what???)
“The described way of extracting email addresses from HTML code is commonly used by spammers around the world; they get addresses and misuse them. So this is not directly a security issue of the Zoznamka.azet.sk website.” (hey, guys, spammers can’t hit Slovakia, this is a real banana island!)
“The email contact entered when inserting a new announcement is only for contact purposes and Azet.sk is not obliged to keep it undisclosed.” (well, in the user privacy section of the rules you can read:
1. The operator undertakes not to disclose the private data of a user to any third party.
2. As a user’s private data for the purposes of these rules are considered all data that are not publicly available to other users or are not shared (for example data that the user has marked “not public” etc.) and the email address, even when shared. The IP address and access time (logs) are not considered private data.)
The Azet.sk operators also accused the authors of blog.synopsi.com:
“Publishing email contacts and the announcements allegedly connected with them on the synopsi blog is questionable; it is not possible in reality to prove the connection, and this can be considered serious detraction and damage to the names of the affected persons.”
In answer to this last accusation oooo stated:
“Although I connected emails and announcements on purpose, Azet repeatedly said I faked them. Of course, only after they corrected the described errors. Then they advised me that they meant the connection of particular persons with the published emails. But I never said these are the particular persons. I just wrote the emails and connected them with the announcements. …the emails were freely available on the website. It was not necessary to hack the databases in some way or steal the emails somehow… …Azet published the emails in publicly available HTML code.”
Can you imagine an issue like this affecting bigger social networking websites? And their answer being: “it’s not a bug, it’s a feature…”?