0wnage of twitter bot from local Bosnia and Herz/RS ministry of cybersecurity

In free time, I stumbled accidentally to Github repo of current minister for cybersecurity and computer science (and 2 other things that I don't remember).

here: github - Srdjan Rajcevic

After 3 min review - I found "delete" credentials from SQLite DB. My first thinking was that cred is used for private profile - so I report to local CERT RS on this. The response the same day as case closed.

CERT response

But it was not. Keys did not delete or revoked. After 24h I checked

After reviewing what keys are used - I found it that was meant to be part of ex-CERT twitter bot for news. But it was never finished. Here is ex blog of the minister blog webarchive

Bot description

I make simple bot code in less than 30 sec (just google it for API and documentation)

Run with proper keys. Boom! ownage twitter bot has a half picture of minister

Also, I send DM to all followers to revoke bot keys. But up today - keys are not revoked. Also, all info is removed I guess it was hard to receive this kind of info especially if you are marked as someone who can protect the complete infrastructure of one government. removed info from the bot

And before this, I got blocked from the account minister for "cybersecurity" and 3 things I don't remember. My question on some topic hit him hard.

block

To sum all this: The bot was there for 3 years and no one from ex and current CERT was able to catch "leaked credentials" which wonder me - what would happen if we start to review the complete infrastructure of government? Yes, I don't have a penetration-tester agreement so this was closed to "hack a profile" of the minister. It was fun - not a hacking just joke with ppl. Take me no more than 5 min (3 to find + 1 read a review of bot + 1 for the PoC)

Do not leave cred in the open text - always encrypt. Use some strong encryption to protect your secret. Then do not share your secret in any way. Review your code.

Also, this reminds me like the 1999-2001 period when beginners code in C for IRC bots and they leave format string bug on some command and you print complete memory and get password/user for master user. That was a good time.

EPILOG: several people thank me on this because they did same mistake.


Related Posts

  • No related post found

Published by

Vladimir Cicovic

Vladimir Cicovic

Author: Vladimir Cicovic