Threat vector: Legacy static websites

Surely old HTTP-only sites can't be vulnerable if not updated for 5 years, right?

Posted on 2019-08-01

Get new posts by email (~ one email every couple of months & no spam)

A few weeks ago something happened that wouldn't change how a small company in Vienna thinks about security: My windshield cracked

Cracked Windshield on my 2001 Ford Focus

I just had it changed less than 6 months ago and it cracked again. Since I didn't want to pay the 300€ again I googled for cheaper alternatives and found a small car parts seller in Vienna that had my windshield for just 98€

Site of the car shop

While I was browsing for my new windshield and other parts I saw that some images didn't load right so I checked the console in my browser and saw that my ad blocker just blocked some piwik (now matamo) tracking script from another domain.

JS console of the site, blocking piwik

Just to be sure I disabled the ad blocker and reloaded the site to see if anything changed.

New error message

Hmm.. interesting.. the site seems to have some error and the tracking script can't be loaded.

Or.. could it be..

Yep, the site isn't even registered anymore

Sooo.. I bought the domain netdiscoverer.eu and now this site (and it turns out a whole bunch of others) are loading scripts from my domain.

Standard piwik code inclusion on the car shop's website

Now if somebody would be childish and would put these lines of code in a file called piwik.js the site would suddenly change.

document.body.style.backgroundColor = "red"
var imgs = document.getElementsByTagName("img");
for(var i=0, l=imgs.length;i<l;i++){
    imgs[i].src = "http://3.bp.blogspot.com/-KL7d7LdSANg/Tm5VLQf9k4I/AAAAAAAAACo/cSV52JoD7vk/s1600/cat-wallpaper-34-713472.jpg";
    };
alert("Please fix this site");

And would look a bit different

Bad code makes site look even worse

But since I'm a responsible IT security person I didn't do that.

Back to the windshield

In order to buy the windshield I had to make a down payment via their website. They have a button "Paypal down payment" where customers have to click which sends them to a paypal.me site where they have to pay and put their phone number to be called back.

PayPal site you get redirected to when you click the "Down payment" button

Oh boy anyone could have bought the netdiscoverer domain and redirected users to another site to pay. Glad I found it before anyone else did.

So I make the down payment, they call me back, I drive to their shop to pick it up and have a whole speech prepared about the importance of IT security and how to find good people to maintain websites, etc but reality got me off guard.

What did they say about this?

My new windshield in their shop!

I talked to the mechanic, gave them the rest of the money, they gave me the windshield and then I asked who was in charge of their website. He said it was their "IT freak" but he wasn't around.

I asked if I could get the phone number of the person in charge or if he could get them on the phone for me because their website has a massive flaw but it's easy to fix.

"So you hacked us? No, I won't give you the number."

-Mechanic

He said he won't give me the number of their IT person so I left my card and said it's very urgent, they should call me ASAP.

I packed my windshield and drove off slightly annoyed in their reaction.

Half a month later I still didn't get that call and their site is still loading scripts form my servers. You thought the 8th word in my first sentence of this post was a typo? Nope, this country (Austria) doesn't have any kind of urgency when it comes to IT security. I have learned that a few times already.

But at least my Focus has a new windshield


Comment using SSH! Info
ssh netdisc@ssh.blog.haschek.at


    Tags: netsec | websites

    1ChrisHMgr4DvEVXzAv1vamkviZNLPS7yx
    0x1337C2F18e54d72d696005d030B8eF168a4C0d95