
In 2015ish PIA got hacked via https://old-support.privateinternetaccess.com because of https://classichelp.kayako.com/hc/en-us/articles/36000646089... and never told anyone.

This bug loudly announces itself on every pageload, it speaks of tremendous incompetence that they ever let this go into production.

The site used to set a cookie that looked like this:

  Set-Cookie: SWIFT_client=a%3A1%3A%7Bs%3A15%3A%22templategroupid%22%3Bs%3A1%3A%221%22%3B%7D; expires=Wed, 28-Dec-2016 23:24:13 GMT; path=/; httponly
Obvious PHP object injection vulnerability that should've been caught by any automated auditing tool.


While the helpdesk software PIA used to use years ago did have that potential vulnerability, fortunately, Private Internet Access never exposed the support desk via plain http, and therefore, PIA itself did not have the vulnerability in its helpdesk.


Hahahaha, this bug was perfectly exploitable via TLS-wrapped HTTP (so HTTPS, which is still HTTP as far as the PHP application is concerned).

The SWIFT_client cookie gets passed directly into unserialize(), TLS has literally nothing to do with this.

FWIW rasengan is one of the PIA founders, he should know much better.

This response is so utterly silly I must wonder if this is all just an incredible display of incompetence instead of malice.
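The two comments above (the one quoting the SWIFT_client cookie and the one pointing out that it goes straight into unserialize()) describe the bug class without showing it. The following is an added example, not Kayako's or PIA's code and not from anyone in this thread: it decodes the exact cookie quoted above, shows a hypothetical handler that feeds it to unserialize(), a gadget class constructed for the demo to show why that is dangerous, and two hardened variants. The function names, the TemplateCache class, the COOKIE_KEY constant and the attacker payload are all assumptions made for illustration.

```php
<?php
// Added example (not Kayako's or PIA's code). Demonstrates why a cookie that
// contains PHP serialized data and is passed to unserialize() is an object
// injection sink, regardless of whether it travels over HTTP or HTTPS.
declare(strict_types=1);

// Constructed sample: the cookie value quoted in the thread, still URL-encoded.
$cookieValue = 'a%3A1%3A%7Bs%3A15%3A%22templategroupid%22%3Bs%3A1%3A%221%22%3B%7D';

// PHP URL-decodes cookies at request time, so $_COOKIE['SWIFT_client'] would
// already look like this: a:1:{s:15:"templategroupid";s:1:"1";}
$decoded = rawurldecode($cookieValue);

// --- Gadget (constructed for the demo) ---
// Any class with a magic method that the app can autoload is a candidate.
// A real gadget would touch the filesystem, a DB or a template engine; this
// one only records that it fired, so the demo is safe to run.
class TemplateCache {
    public static array $fired = [];
    public string $path = '/tmp/cache';
    public function __destruct() {
        // Runs with attacker-controlled $path, before the app inspects anything.
        self::$fired[] = $this->path;
    }
}

// --- Vulnerable pattern (hypothetical handler, same shape as the bug class) ---
function loadClientVulnerable(string $cookie): array {
    // An O:13:"TemplateCache":... payload is instantiated right here.
    $data = @unserialize($cookie);
    return is_array($data) ? $data : [];
}

// --- Minimal fix (PHP >= 7.0): refuse to instantiate any class ---
function loadClientNoClasses(string $cookie): array {
    // Objects in the payload become __PHP_Incomplete_Class, so no magic
    // methods run. Still parses attacker input; prefer the signed JSON below.
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// --- Proper fix: a format with no object semantics, authenticated by an HMAC ---
const COOKIE_KEY = 'replace-with-a-random-32-byte-secret'; // assumption: loaded from config

function issueClientCookie(array $state): string {
    $payload = json_encode($state, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, COOKIE_KEY);
    return $mac . '.' . base64_encode($payload);
}

function loadClientHardened(string $cookie): array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $b64] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return [];
    }
    // Constant-time comparison; anything the server did not sign is dropped
    // before it is ever parsed.
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $mac)) {
        return [];
    }
    $data = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// --- Demo ---
// Constructed attacker cookie: a serialized TemplateCache with a chosen path.
$attackerCookie = 'O:13:"TemplateCache":1:{s:4:"path";s:17:"/var/www/conf.php";}';

var_dump(loadClientVulnerable($decoded));        // the legitimate cookie parses fine...
loadClientVulnerable($attackerCookie);           // ...and so does the gadget
var_dump(TemplateCache::$fired);                 // ["/var/www/conf.php"]: __destruct ran with attacker data

TemplateCache::$fired = [];
var_dump(loadClientNoClasses($attackerCookie));  // []: object is incomplete, not an array
var_dump(TemplateCache::$fired);                 // []: no magic method ran

var_dump(loadClientHardened($attackerCookie));   // []: no valid MAC, never parsed
var_dump(loadClientHardened(issueClientCookie(['templategroupid' => '1']))); // ["templategroupid" => "1"]
```

The point the thread makes is visible in the first branch: the handler never sees the cookie before unserialize() has already built the object, so no amount of transport security changes the outcome. The allowed_classes option stops the gadget chain but still hands attacker bytes to a parser that was never meant for hostile input; signing a JSON payload means the server only ever parses values it issued itself.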


Sorry, I glanced at the link you pasted and wrote the response as I knew this was a non issue from the past.

So, I spoke with our internal team and was able to find more details:

- We haven't used that machine since that exploit was made public.

- We were never exploited.

- There was no sign of intrusion of any kind.

- The specific machine was a backup helpdesk test server without any real user data.

Thanks again for bringing this up!


>- We haven't used that machine since that exploit was made public.

So what? You were exploited before Kayako patched this bug; it was glaringly obvious to anyone who ever looked at the cookies set by your site.

>- We were never exploited.

This simply isn't true, either you're misinformed or lying.

>- The specific machine was a backup helpdesk test server without any real user data.

The specific machine (which you took down really fast after I pointed it out! :P) I linked probably did not even exist in 2015; I was talking about your prod env.

I don't have a horse in this race, there's no incentive for me to lie about this. I know what you are saying isn't true.



