A well-known threat actor hacked his way into the infamous revenge website ShitExpress and leaked the company’s secure data, including customers’ email addresses and messages they sent through the platform.
ShitExpress is an online service that allows people to send real poo, through the mail, to whomever they wish. It’s designed to be a prank site, where people can buy a piece of animal poo and have it delivered to someone’s door, in a box, with a personalized message.
You can imagine the kind of messages someone sending a piece of animal dung would write to a devious ex-partner, horrible ex-boss, or annoying neighbor – which is why this leak can be worrying for many customers.
SQL injection defect
As reported by Computer, a user by the name of “Pomporin” visited the site in order to send a box to his archenemy, cybersecurity researcher Vinnie Troya. The post reported that the two have been dating, flirting and harassing each other for quite some time.
Upon opening the site, he realized it was vulnerable to SQL injection, and soon Mr. Pomporin was accessing email addresses, customer messages and other private data associated with orders.
A day after the site was successfully hacked, he leaked the database on a hacking forum. Speaking to the publication about it, Pomporin said the database was surprisingly small: “It’s frankly not that big… There are about 29,000 requests in the data,” he said.
He also said he didn’t do it for a ransom or anything of the sort. “I had access the day before it was leaked, and I reported to the site owner after unpacking the data. [I’m] not sure if they’ve confessed or anything yet.”
In response to the incident, ShitExpress acknowledged the breach and took responsibility, saying, “It’s purely our fault – a human error that can happen to anyone. One of our customers discovered it. We fixed the bug immediately.”
Since this is a prank site, collecting almost no data on customers whatsoever, there was nothing specific to leak from the compromised endpoints. The payment data was left with the payment provider, which means that Pomporin never obtained it.
Via: Computer