3 Examples of 'Accidental' Hacking

So often we read about dastardly computer hacks which steal data, money, or cause immeasurable controversy for those who are targeted.

Take RansomWare for example – it’s one of the nastiest viruses you’ll see, and really sticks the boot in to anyone who falls victim to it. My colleague Carl Gustard wrote a really helpful blog about it recently.

Just last week the release of the Panama Papers was declared the ‘biggest data leak in history’ with 11.5m documents taken from the database of the world’s fourth biggest offshore law firm, and shared with the International Consortium of Investigative Journalists. David Cameron is having a particularly torrid time at the moment justifying his name cropping up amongst the documents.

But when it comes to hackers, there is no ‘one size fits all’. They are simultaneously blamed with causing billions of pounds worth of damage, as well bringing firms to justice, and founding some of the world’s greatest tech companies.

This blog focusses on one particular kind of hacker: the ‘accidental’ hackers. The hackers who found themselves in amusing situations. The hackers who fessed up (either to help the company they had ‘stolen’ from to sharpen up their security efforts, or to avoid personal persecution. One of the two.)

I’ve compiled a list of my favourite ‘accidental hacks’. Had the hackers themselves been of a certain mindset, things might have turned out rather differently….

Man buys Google.com for one minute

Unbelievably, the Google.com website address was available for sale earlier on this year.

Sammy Ved (who coincidentally used to work for Google) was surfing the web one night, looking at available Google domains (Google’s website buying service) when he spotted that Google.com itself was on the list. For the princely sum of $12.

He added it to his online shopping basket, entered his card details, and when the transaction went through, Sammy Ved was the brand new owner of Google.

It gets worse.

Not only was the domain now his, but he also received messages (intended for the owner of Google) containing internal information. “The scary part was when I had access to the webmaster controls…” Ved said.

However, his sudden increase in power lasted only 60 seconds. Google contacted him saying that someone else had registered Google.com before him (that old chestnut), and refunded him the $12.

Why was Ved able to get control, albeit fleetingly? It could have been a bug in Google Domains, or Google could have forgotten to renew the site. If it was the latter, how thankful are you right now that you’re not the person whose job it was to do that renewal?

Before you argue that Google couldn’t possibly have forgotten such a fundamental business process, this has happened before. In 2003 Microsoft forgot to renew Hotmail.co.uk, and someone else swiftly swooped in and bought it. Unfortunately for Microsoft, they didn’t have the luxury of their own domains company, so they couldn’t just take it back. They had to go and ask the buyer to hand it over.

As for Sammy Ved? He took screenshots of what he was able to access for those golden 60 seconds, and gave the emails he received over to Google’s security team. However, “I still can’t shake the feeling that I actually owned Google.com,” he’s reported to have said.

He could have got free pizzas for life…

“I called the store and they confirm they have received my order and it will be delivered within the next 20 minutes. My first thought: awesome. My second thought: s**t.”

It’s a Friday night. Friday night is pizza night. Who does the best takeaway pizzas? Dominos of course.

Security consultant Paul Price and I are of a similar mindset when it comes to making decisions about pizza. Where we differ, is that he found a way for his Pepperoni Passion to be delivered to his door without spending a single penny. And I have not.

Here’s how he did it:

Paul opens up the Dominos app on his Android device. A random £10 voucher appears. Curious, he takes a look at the code behind the app. He finds that it was processing payments via a ‘payment gateway’ on his device, and not on a server. So he decides to see if he could intercept the code on his device.

At the checkout, he put in fake credit card information. The transaction was of course declined. So Paul goes into the code and changes the value to ‘accepted’. The pizza tracker goes straight to ‘Order received’.

Once the delivery driver arrived with his heap of delicious, melted cheese wonderfulness (I’m getting hungry as I’m typing this) Paul finds he can’t go through with it. He tells the delivery driver there must have been some mistake as he ‘never entered any credit card information’ and hands over £26 in cash.

Dominos have since fixed that enormous security hole, so there’s little point trying this yourself now. Though it is a fairly interesting moral dilemma. You’re not stumbling across nuclear codes here – this is pizza we’re talking about. What would you do?

The power to delete every photo on Facebook…

There’s been a few occasions where I wish I could unsee various photos on Facebook. But one man found a way to get rid of them all. Both his, and everybody else’s (well, everyone who didn’t bother with privacy settings). For good.

A researcher named Laxman Muthiyah discovered that just four lines of code could successfully delete his own photo albums.

Problem was, that code could be tweaked to delete any album belonging to any other user on Facebook that Muthiyah was allowed to view (i.e those of his friends, and anyone who has set their profile to public).

Granted, to delete the site of all images would take some very fast fingers indeed, given that 350 million photos are uploaded to Facebook every day.

Muthiyah reported what he had found to Facebook, who got on it straight away. Within 2 hours they had come up with a fix, and paid Muthiyah $12,500 for bringing the issue to their attention.

$12,500 is indeed a lot of money. But consider what Muthiyah had in his hands – he had the potential to cause despair to a lot of Facebook’s users. So I’d imagine there would have been a few people who would have paid Muthuyah a great deal more than that for the code, in order to bring Facebook’s reputation crashing to its knees.