Comments
More evasiveness here:
What a load of ....
So, if it was not put in public, it does not mean it wasn't done. Jesus, such clowns...
Note how they never actually say that an audit took place. They just said "you don't know whether an audit has happened", implying that one has taken place, but being vague enough to be able to backtrack on that statement later.
Yeah, I noted, hence my post...
Double negation to imply an affirmation nobody will be able to hold them to.
How nice to see that nobody except @Maounique, @Zen and @Frost actually commented on the topic (who is behind localhost.re), but rather vented their opinion about the guy/gal/team behind that and whether what they do is morally correct.
Expecting anything else from LET is pure insanity :P
A guy who specializes in this has obviously done his homework. Even if somehow you found out the address from the registrar or Cloudflare, you'd probably find it registered with a bogus address and a leaked credit card. You aren't going to find out who he is unless you have a lot of tech and legal clout. Since he obviously doesn't attract the kind of attention Snowden does, he'll probably be staying in the shadows... for now.
Off topic but does anyone know what software his website runs?
It looks like Wordpress to me.
It's not.
He wouldn't have any business calling himself someone working in InfoSec if he knowingly used a shell that has a side function of blogging.
That said, it's probably some sort of a static content generator, Jekyll comes to mind.
People have been warning about poor WHMCS coding in the past and no one has ever done much about it. Perhaps it was the only way.
You don't have to be a genius to find what he found, you just have to decode the code. What really scares me is who knows how many times these vulnerabilities have been used before without anyone knowing?
So what he did wrong is providing the exploit script. But without the script I doubt everyone would see the seriousness of the situation, instead of shutting down their installation they'd just wait for the update.
I think his motivation was a wake-up call, and it apparently worked.
At least in the case of Solus it did, probably WHMCS needs a few more disclosures before they sit down and review the code.
You guys (some of you) demand more transparency from localhost.re, or that he does not publish WHMCS exploits, instead of demanding full transparency for a product you buy with a lot of $$$, a product that can even shut down your company (if, for example, a leak of the DB destroys your nodes or hacks your clients)? I'm not in the hosting industry; hosting and design are my hobbies. But, as a journalist (that's my job), I have to say this: don't shoot the source of a story; he just tries to reveal hidden clues, even for his own reasons. Go against the "bad" guys of every story. Last but not least: history proves that people who get in trouble for their acts because of sources who just show facts and problems to the public usually try to muzzle the sources, rather than explain to the public what happened or fix the problems they caused.
Um, no? Anyone who criticized localhost.re has almost certainly expressed their disappointment to WHMCS already.
He's not revealing clues. He's providing a script that can grab all clients' data from anyone using WHMCS, or worse, cause data loss on a client's server (by resetting client passwords, logging in, and cancelling immediately; or cracking md5sum).
Just saying that localhost.re is not the problem (if not the solution). He just speeds things up by showing the issues to the public.
I don't think anyone thinks he's the problem. Just that he could have handled things differently, for example, at the very least not releasing a working exploit script along with his vulnerability. Or releasing a working script, but with a non-serious SQL injection.
Even more...
He FORCES WHMCS to act. If he did not post those exploits, do you think they would? Eh, it is fairly complex, just a few people will exploit those, we can wait till the next major version, no rush.
Probably now they will, knowing he is capable of posting the scripts, but they probably just had the typical corporate reaction when someone tells them they have a flaw: how do you know, who is your accomplice, you will suffer dearly for trying to drag our good name through the mud.
Leaving only the governments and criminals knowing about the exploits is not a good idea; he could also download databases and sell them, as many others are doing.
Perhaps he didn't do it perfectly cleanly, but he did us a favour by forcing WHMCS to close the backdoors.
I agree! Even if his motives are driven because, e.g., he could maybe work for a competitor, I'm saying again that transparency never hurts. In this case, it is a motor for WHMCS to give a better product.
So...
WHMCS must be well aware their codebase contains exploits 101. That the localhost guy can locate those without even having the source code means he's a good engineer.
Now, I expect WHMCS to know that even a uni teacher could have pointed out all the vulns localhost showed if that teacher were to see the original source.
So WHMCS is obviously trying to get rid of localhost guy (private contract to fuck off, lawsuit, feds, anything that works for them)
OR...
WHMCS Matt is seriously mentally challenged if he actually wants to hire an engineer on the other side of the world while anyone with the unobfuscated source code and basic knowledge about SQLi can do it.
How can we assume he does not have the source code? Time after time he posts snippets of the code on his website. If using an ionCube decoding mechanism does not count as having the source code, what does?
I would also like to point out that the last two posts were on a timer, according to the RSS feed. There has been some speculation that it is "Vlad C. and NetSec Interactive", as this guy finds exploits in WHMCS as well as Blesta.
Engineer as in either Reverse Engineer or Social Engineer.
I mean that he probably spent more time decompiling the source than finding the actual exploits. (Whoever thinks he blindly brute-forced variables until he found an SQLi is stupid :-P)
That reminds me an awful lot of @vld (cnst).
Not sure where you're going with that. We've been reporting the vulnerabilities we find and know about directly to the WHMCS developers.
That's cool, I just saw your name referenced before (can't remember where though). Thanks for clearing that up.
Which is the right thing to do. Finding a house with a window open doesn't give you the right to tell the whole neighborhood to loot it to teach the owner a lesson to lock his house next time.
In a virtual world everything is more accessible and also harder to track down due to potentially hundreds of millions of internet users, unlike in the physical world where the number is shrunk down to local area residents. But a crime is still a crime. Name it all you want, put beautiful stories behind it, paint it with noble excuses, but in the end it's still illegal.
I disagree; it is illegal if he broke the window, not if he goes around the neighbourhood telling people "don't do like the Smiths". Besides, I suspect he told the Smiths before that they have an open door, and they said "we don't care" or "watch it, we will send the sheriff after you"...
It can be interpreted as being an accomplice; however, first you need the actual perpetrator and the crime to be reported. In this case, WHMCS will be an accessory too, by providing a substandard product with known problems they were only trying to hide.
If your security company is planting a 2-digit code that will unlock the door for their own use, and someone enters using that code, steals your jewels and burns your house down to cover their tracks, they will have to pay at least in part for it.
LOL. It makes zero sense what you just said, and I **strongly** suggest you create another account for personal needs if you're going to be blurting stuff out like that. It makes me wonder what kind of people work for Prometeus.
The unfortunate thing is if he doesn't post the scripts there will be no urgency for the vendors to secure the code ASAP.
It is his personal account. What does working with Prometeus have anything to do with what he wishes to talk about? His username isn't Prometeus, or Prometeus-Mao.
It's called an academic discussion. People may have different personal opinions, that's why discussing is interesting. What makes zero sense to one guy makes a lot of sense to others.
Let's all wear sweatpants while handing out business cards.