How to hack a website and get caught

I am a developer at Taskhub. A couple of weeks ago we created a web app based on our platform to help those affected by the UK floods. This idea was initiated after a contact from the UK government approached us and asked if this sort of platform could be created. It was possible and we achieved it within 5 hours. You can read about this here, here, here.

The project was greatly welcomed by flood victims, volunteers and other startups that were willing to help us. This included Facebook, where their dev team performed a quick turnaround to direct victims in a flood-affected area to our website to help them find volunteers. You can read more about this here.

Now that I’ve set the scene, what follows is a short story of how annoying trolls can be.

A few weeks ago, at around 11.30PM, just as I was about to fall asleep, I got an email (with the Taskhub logo and from our address) saying that our Flood Volunteers database had been compromised and data was lost.

At first I thought what the hell is going on? No one from the team could have sent this!

image

As you can see from the email this person is pretending to be Taskhub and trying to soil our name with a terrible grasp of the English language. I was really angry that somebody would do this and it resulted in me not being able to sleep. For the next 30 minutes, I started trying to figure out how this could have happened. I did this quickly and I went to bed ready to sort out the problem the next day.

I got up early the next morning and got an SMS from our founder saying “We need to get this under control ASAP”. I headed to the office thinking of which laws this person had broken. Unfortunately, I couldn’t think of anything concrete but I thought a quick call with our lawyers would get that sorted out.

When I got to the office, I opened the original email and I looked at the headers. You can see this below.

image

I found the server the wannabe hacker sent the email from and his first mistake was to leave his server on and for it to host an old version of his website where his company name was mentioned in the footer! EPIC FAIL!

image
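What reading the headers for the sending server can look like in code, as an added example that is not part of the original post: the message, host names, IP addresses and date are constructed placeholders, and `trace_sender` and `trusted_mx_suffix` are hypothetical names. It assumes the `Authentication-Results` header and the topmost matching `Received` line were written by the recipient's own mail server.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: every host, address, IP and date below is a placeholder.
RAW = """\
Return-Path: <bounce@sender-host.example>
Authentication-Results: mx.ourcompany.example; spf=fail smtp.mailfrom=sender-host.example; dkim=none
Received: from mail.sender-host.example (mail.sender-host.example [203.0.113.45])
\tby mx.ourcompany.example with ESMTP id abc123; Sat, 01 Jan 2000 23:30:05 +0000
Received: from localhost (unknown [10.0.0.5])
\tby mail.sender-host.example with SMTP; Sat, 01 Jan 2000 23:30:01 +0000
From: "Our Company" <support@ourcompany.example>
To: volunteer@recipient.example
Subject: Database compromised

(body omitted)
"""

HOP = re.compile(r"from\s+(\S+)\s+\([^\[\]]*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def trace_sender(raw, trusted_mx_suffix):
    """Return the connecting host our own MX recorded, plus spoofing signals."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain
    envelope_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    result = {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf": spf.group(1) if spf else "missing",
        "dkim": dkim.group(1) if dkim else "missing",
        "peer_host": None,
        "peer_ip": None,
    }
    # Received lines are prepended, so the list runs newest first. Only the hop
    # written by our own MX is reliable; older lines come from the sender.
    for hop in msg.get_all("Received", []):
        m = HOP.search(str(hop))
        if m and m.group(3).lower().endswith(trusted_mx_suffix):
            result["peer_host"], result["peer_ip"] = m.group(1), m.group(2)
            break
    result["spoof_suspected"] = (
        from_domain.lower() != envelope_domain.lower() or result["spf"] != "pass"
    )
    return result
```

Calling `trace_sender(RAW, "ourcompany.example")` reports the connecting host and IP recorded by the trusted hop, alongside the mismatch between the visible From domain and the envelope sender.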

I quickly purchased company reports from Companies House and found out his full name. I pretty much burst out laughing as it turned out that I knew this person. This person was commenting on our Facebook page with some less than flattering comments. This made it even more obvious it was him.

I moved on to find out how he got some emails of our volunteers and why he said that our database was compromised. Our database is on AWS RDS, and we whitelist only a few IPs. In addition, our EC2 instances can access our DB but to get access to our EC2 instances you need an SSH key. So I knew from the beginning it was very unlikely that our DB was actually compromised.

It turns out the way the hacker obtained the email addresses was very simple. He scraped our site. You might be wondering why we had volunteer emails public. The reason for this is that we were trying to help UK flood victims and our volunteers were happy to list their email address and number so that flood victims can contact them directly for help based on what they needed. At the time we made a decision to forgo privacy to reduce barriers for flood victims to contact volunteers that had the necessary skills, tools or other supplies they need.

After dealing with this hacker and letting our users know what the problem was we implemented a simple form submission where we can now forward emails and detect abuse of the messaging system if any. It has restricted things a little but thanks to this one selfish hacker we’ve had to implement this.

We have spoken to the police and our lawyers and there is a pending investigation against this person. It was so tempting at times to simply publish his name, photo, Facebook page, home address, and current employer… But we restrained ourselves and fortunately we have a few level-headed people in our team to realise this.

From this experience, I got to see firsthand how evil and desperate some people can be. We are running a project to help people free of charge and in our own time. We have gained no financial leverage (as expected) but we did get lots of thank you emails from volunteers and flood victims alike. It was a very rewarding experience and we aim to continue this project until everything is back to normal in the flood-affected areas.

Anyway, I hope this was entertaining to read and if you found this interesting please share this so that other developers can see that if you are running any sort of goodwill project you will have heartless noobs trying to destroy your good efforts.
