Jimmy Ruska's Blog
Singles.org gets hacked
Posted on Monday, February 23 2009

Note: I'm publishing this now because it looks like all passwords have been reset and new accounts are being deleted. I had made a few dummy accounts for testing.

Update: See my analysis of the most common passwords from singles.org and other hacked databases.

The Christian singles site singles.org, which claims 30,000 members, has recently gotten hacked. I don't know if I can even call it that. Apparently whoever designed the site didn't know anything about authentication and sessions. The site does not use cookies. At all. It decides whether you're logged in by checking your (spoofable) HTTP referrer, and it takes your ID from the query string for EVERY request you make that requires authentication. Given that your user ID is just "cscp" plus the auto_increment id in the database, it's really easy to change your identity or even loop through their entire database. It's not something simple they can patch up, because they structured the ENTIRE SITE without using any proper form of authentication. Despite this, they haven't shut the site down or even put a notice on their site saying what happened. They applied the absurd quick fix of checking the HTTP referrer now, but at the least they reset their users' passwords to something randomized.
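
The flaw described above, next to a session-based check, as an added example that is not the site's code or part of the original post. The host site.example, the function names and the sample IDs are assumptions made up for illustration.

```python
import secrets

SESSIONS = {}  # server-side store: random token -> user id (in-memory for the example)

def login(user_id):
    """Issue an unguessable session token once the password has been verified."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def flawed_identity(request):
    """Pattern from the post: trust the Referer header and the id in the
    query string. The client chooses both values."""
    referer = request["headers"].get("Referer", "")
    if referer.startswith("https://site.example/"):  # hypothetical host
        return request["query"].get("id")
    return None

def session_identity(request):
    """Hardened form: identity comes only from the server-side session found
    via the cookie token. Referer and ?id= play no part in it."""
    return SESSIONS.get(request["cookies"].get("session", ""))

def may_edit_profile(request, identity_fn):
    """Serve the edit-profile page only if the caller is the profile owner."""
    caller = identity_fn(request)
    return caller is not None and caller == request["query"].get("id")

def make_request(query_id, token=""):
    """Build a constructed sample request; IDs follow the post's "cscp" + number form."""
    return {
        "headers": {"Referer": "https://site.example/home"},
        "cookies": {"session": token},
        "query": {"id": query_id},
    }

if __name__ == "__main__":
    token = login("cscp101")
    own = make_request("cscp101", token)
    other = make_request("cscp102", token)  # same session, someone else's id
    for name, fn in (("flawed", flawed_identity), ("session", session_identity)):
        print(name, "own:", may_edit_profile(own, fn),
              "other:", may_edit_profile(other, fn))
```

With the flawed check the ownership comparison is always true, because the caller's identity and the requested profile are read from the same query parameter.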

Singles.org's horrible programming accomplished the worst-case scenario: the site's edit-your-profile section contains the plain-text password and email information. Since many people use the same password for everything, 4chan was having a field day going through their emails and sub-accounts. Several threads on 4chan today have posts showing images of vandalized, goatse'ed Facebook/MySpace accounts. They've also been getting into people's email accounts and sending messages to everyone in the address book saying: I'm going to kill myself, I have HIV, and I've converted to Islam. A few people have gone so far as to post screenshots of them using their Amazon accounts and PayPal accounts to purchase things like vibrators. I don't really know who initially found the 'exploit', but since singles.org has been around forever, it's possible the trolling has been going on for a long time before it reached the general trolling communities of the internet.

Update:

Singles.org sent out emails saying they changed people's passwords as 'maintenance', instead of warning its users to immediately change the passwords to all their accounts. Meanwhile, the problem was not fixed, and more and more screenshots have been appearing.

Moral of the Story

  1. Use different passwords for your email.
  2. Use a throwaway email address for forums and random sites.
  3. Praying/Church does not protect you against trolling.

Assume no site is safe

Big sites like monster.com (multiple times), kaspersky.com, bitdefender.com, stage6, ... have had their databases hacked. Many huge sites have had backup hard drives stolen. The worst hacks are the ones nobody noticed. Recently Yahoo had an XSS exploit that had been on one of its subdomains for who knows how long, stealing cookies, from which attackers can further steal passwords from people with Yahoo Mail. phpbb.com also got hacked fairly recently, with the hacker putting the entire user database on p2p networks like thepiratebay.



