
#HackerKast 22: PCI says SSL is Dead, Delete all photos on Facebook, 10 million passwords leaked, Pinterest bans affiliate links, Jeb Bush Facepalm, 40,000 Vulnerable MongoDB instances, Russia Bans VPN & Tor

Hey everybody! Welcome to this week’s HackerKast – Episode 22! We are Jeremiahless again this week so it is just Robert and myself covering a ton of news!

Some big news came out of PCI land this week: they are announcing that no form of SSL is good enough anymore. It is TLS or bust, apparently, to pass PCI compliance. This is pretty huge and will really force a lot of people to shape up or ship out. It also brings up some interesting points about hard-breaking a portion of websites for the greater good of the Internet, which has been a contentious debate lately, especially with browser vendors. For those interested in the future of SSL/TLS on the web, one of the best talks I saw last year was by Brian Sniffen of Akamai, who is part of the team working on implementing TLS 1.3. Highly recommend you watch the talk: Here.


Next, we always like talking about interesting bug bounty disclosures and payouts, and this one from Facebook fit the bill. A researcher was awarded $12,500 for a nice bug whereby he proved he could delete any photo album on Facebook he had access to. By access I mean any public photo album, or one belonging to his friends that he had permission to see. It was a pretty simple DELETE request sent without any authorization checks at all, which would just process the deletion of the entire photo directory.
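The class of bug described above, as an added example (not Facebook's code and not from the original write-up): a simplified model in which the flawed delete handler treats "can see the album" as "can delete the album", next to a handler that authorizes the delete itself. The users, albums and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller lacks the permission this action requires."""

@dataclass
class Album:
    owner: str
    public: bool = False
    viewers: set = field(default_factory=set)  # friends allowed to view

def sample_store() -> dict:
    # Constructed sample data: album id -> Album.
    return {1: Album("alice", public=True),
            2: Album("alice", viewers={"bob"}),
            3: Album("bob")}

def can_view(user: str, album: Album) -> bool:
    return album.public or user == album.owner or user in album.viewers

def delete_flawed(store: dict, user: str, album_id: int) -> None:
    """Modeled bug: being able to see the album is enough to delete it."""
    if not can_view(user, store[album_id]):
        raise Forbidden("cannot view album")
    del store[album_id]

def delete_fixed(store: dict, user: str, album_id: int) -> None:
    """Authorize the action itself: only the owner may delete."""
    album = store.get(album_id)
    # Same error for "missing" and "not yours" so ids cannot be probed.
    if album is None or album.owner != user:
        raise Forbidden("not allowed")
    del store[album_id]

def non_owner_deletes(handler, users) -> list:
    """Regression check: (user, album_id) pairs where a non-owner's delete succeeds."""
    hits = []
    for user in users:
        for album_id, album in sample_store().items():
            if user == album.owner:
                continue
            try:
                handler(sample_store(), user, album_id)  # fresh store per attempt
            except Forbidden:
                continue
            hits.append((user, album_id))
    return hits

if __name__ == "__main__":
    users = ["alice", "bob", "mallory"]
    print("flawed:", non_owner_deletes(delete_flawed, users))
    print("fixed: ", non_owner_deletes(delete_fixed, users))
```

A check like `non_owner_deletes` belongs in the test suite for any endpoint that changes or removes an object, run once per role that can merely read that object.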


Robert found a story about a juicy list of usernames and passwords that were dumped publicly. The researcher posted a list of 10 million, yes million with an M, username/password combinations. This is a huge list and we aren’t clear where they came from. The person who posted this was clearly concerned for their safety from law enforcement on this.

Moving along, Pinterest dropped a bomb this week that it was banning affiliate links, redirects, and trackers site-wide. This seems to be part of a war against spam and scams on its site, but it has some real user repercussions that they will most likely get pushback on. We always love the moves by big websites to make decisions that will hurt users for the short term but make them more secure in the long term.


We couldn’t get away with not laughing about the facepalm of the week, brought to us by Jeb Bush. He decided it would be a good idea to post the entirety of his email from the late 90s and early 2000s while he was governor. This was under the guise of being as transparent as possible but had the unintended consequence of publishing TONS of sensitive information about people who wrote to him. That includes addresses, telephone numbers, etc. of people writing to their Governor, and Robert also found tons of politically sensitive stuff that probably shouldn’t be out there. Under 1 TB of emails is out there forever now though.

MongoDB is a hot topic in a lot of technology circles nowadays but has had some limited security rumblings about it. As these types of databases get more popular we are bound to find some serious security issues. This week somebody used the power of Shodan to find 40,000 vulnerable MongoDB instances floating around on the Internet at large. There was no real vulnerability in MongoDB disclosed here, just some serious omissions in a lot of popular documentation which didn’t lead people to put any sort of access control or encrypted communications in place. Robert’s lesson of the day here is to use at least *some* security when installing things.

Lastly, we let Robert talk about a few of his favorite things again, Russia and Tor. At least it wasn’t China, right? Anyway, it looks like Russia is proposing a ban on all VPN services and the use of Tor country-wide. This would be an interesting move for an entire country, to say the least. The other notable piece to this puzzle is that these bans would of course be avoidable, but they would make it much more inconvenient to use these services. The Internet finds a way though.

Thanks for listening everybody! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay


Some guy figured out how to delete “every” photo on Facebook

Pinterest Bans Affiliate Links, Redirects and Trackers Across Entire Site

40,000 MongoDB Instances Found Open and Vulnerable

Ten Million Passwords

Jeb Bush Email Dump

PCI considers SSL Dead

Russian Ban on VPNs and Tor

Notable stories this week that didn’t make the cut:

Lawmakers Call for Investigation on Verizon SuperCookies

NSA may be Trolling You
