Jump to content

Not again! Another website used by foreigners in Thailand suffers massive data breach


Recommended Posts

Posted
19 minutes ago, JamieM said:

1. The data was not restricted.

 

2. You are assuming whoever found the data breach, knowingly accessed the data.

Don't get your point.  "Whoever" was Mr Barrow. He knowingly tampered with the website URL to gain access that was unauthorised. So I am assuming nothing. 

  • Sad 2
Posted
4 hours ago, bino said:

Clap one hand if you are shocked and surprised by this.

 

       With the other hand ....

Posted
4 minutes ago, Phuketshrew said:

Don't get your point.  "Whoever" was Mr Barrow. He knowingly tampered with the website URL to gain access that was unauthorised. So I am assuming nothing. 

You are assuming a lot and your post demonstrates that perfectly.

  • Like 1
Posted
2 hours ago, Phuketshrew said:

Had Mr Barrow had legal permission to perform the hack (as an Ethical Hacker) the correct course of action should have been to inform the owner of the website/database of the breach so that they could take immediate remedial action.

 

Seems as though his publishing of the information resulted in a pretty quick fix by immigration.  Does anyone here think a quick fix would have happened had it not been made public?  The current government isn't really know as being responsive to much of anything unless it's public (and even then, not so much).


Bad on immigration for having this data publicly accessible via a simple URL.

Good on immigration for immediately correcting the problem once it was made public.  (Public being the key word here.)

  • Like 2
Posted
16 minutes ago, JamieM said:
21 minutes ago, Phuketshrew said:

Don't get your point.  "Whoever" was Mr Barrow. He knowingly tampered with the website URL to gain access that was unauthorised. So I am assuming nothing. 

You are assuming a lot and your post demonstrates that perfectly.

I have assumed nothing. Mr Barrow stated that he tampered with the website URL to gain unauthorised access to data - See his Twitter post if you cannot comprehend that.  I pointed out that this can be legally defined as hacking.

 

The legal definition of hacking is "Hacking is the unauthorised use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access".

It's quite obvious that you know very little about cyber security and/or hacking.

 

  • Haha 1
Posted
4 hours ago, Justgrazing said:

Hacks sake .. this is getting more than a little inconvenient now .. 

Unable to run a bath comes to mind ..

 

More like a xxxx-up in a brewery.

  • Like 1
Posted
3 minutes ago, JamieM said:
10 minutes ago, Phuketshrew said:

I have assumed nothing. Mr Barrow stated that he tampered with the website URL to gain unauthorised access to data

No he didn't he said and a quote:

 

"The Immigration data breach is NOT a hack. All you have to do is change certain characters in the URL"

 

Show me where he states he did that? you cannot add or take away anything from what he stated. 

 

Which you are doing by the way.

 

10 minutes ago, Phuketshrew said:

I I pointed out that this can be legally defined as hacking.

 

The legal definition of hacking is "Hacking is the unauthorised use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access".

The key points that you fail to get into your head is that.

 

1. the data it was not restricted.

 

2. Hacking is "KNOWINGLY" gaining access to data.

So just because Mr Barrow states that it is not a hack then that's OK then? ????

By definition, changing URL parameters to gain unauthorised data is hacking. I am sorry that you unable to grasp that, which again shows your lack of knowledge in the area of discussion.

I will not waste any more of my time with this discussion as you are clearly out of your depth.

  • Confused 3
  • Sad 1
  • Haha 1
Posted
4 minutes ago, tgw said:

it's a bit like when a 17 year old finds 18+ restricted material on a park bench. according to you, he should be punished.

Nope. Nowhere did I state that "he should be punished". 

  • Confused 1
  • Sad 2
Posted
4 minutes ago, Phuketshrew said:

Nope. Nowhere did I state that "he should be punished". 

You have been repeatedly making false accusations against the man, you even said he's pushing his luck and suggested the government could take "remedial action" which implies he's done something wrong.

 

If I were Mr Barrow I would be filing a defamation suit against you.

  • Haha 2
Posted
5 minutes ago, JamieM said:

You have been repeatedly making false accusations against the man, you even said he's pushing his luck and suggested the government could take "remedial action" which implies he's done something wrong.

 

If I were Mr Barrow I would be filing a defamation suit against you.

Remedial action to fix the web site - wasn't that obvious? 

Posted
1 minute ago, Phuketshrew said:

Remedial action to fix the web site - wasn't that obvious? 

Well with the outright false assumptions / allegations you have made about Mr Barrow.

 

No, no it wasn't obvious.

  • Like 1
Posted
13 minutes ago, Phuketshrew said:

Nope. Nowhere did I state that "he should be punished". 

 

well, hacking being illegal, because it is "the gaining of unauthorized access to data in a system or computer", the direct conclusion of you calling Mr Barrow's actions "hacking" is that he should be punished by law.

luckily for Mr. Barrow, no hacking occured.

  • Like 2
Posted
Just now, tgw said:

 

well, hacking being illegal, because it is "the gaining of unauthorized access to data in a system or computer", the direct conclusion of you calling Mr Barrow's actions "hacking" is that he should be punished by law.

luckily for Mr. Barrow, no hacking occured.

 

Well said!

  • Like 1
Posted
17 minutes ago, Bkk Brian said:

Hacking a URL is the process of moving through a complex web site by playing directly with the  address.  Simply lop off the end of the address, in order to see whether the author has provided a table of contents page for a particular collection of web pages. (There’s nothing illegal or even very technical about what I mean by hacking a URL)

Hi Brian,

Hacking a URL and website parameter manipulation are two slightly different methods. The latter involves deliberately manipulating parameters, such as an ID field that are then submitted through http_methods to the server. This should not be allowed to happen but with lax security sometimes can. It seems that this method made it possible for other users data to be retrieved and displayed.

  • Like 1
Posted
14 minutes ago, asiacurious said:

So again, why collect all that data and then treat it so cavalierly?

 

Have you looked at the back of your Immigration forms, recently.

 

(I did the "blanking out", for security purposes of course).

 

603803158_RussianPassport.JPG.ddeb66bece18a4d9edbaef1dce187988.JPG

  • Like 2
  • Sad 1
Posted
2 minutes ago, Phuketshrew said:

The latter involves deliberately manipulating parameters, such as an ID field that are then submitted through http_methods to the server. This should not be allowed to happen but with lax security sometimes can.

It seems that this method made it possible for other users data to be retrieved and displayed.

Show us your source evidence of website parameter manipulation occurring then?

 

Mr Barrow clearly stated  "All you have to do is change certain characters in the URL"

Posted
3 minutes ago, Bkk Brian said:

Here's an example of where I change the string of a url and I do this daily, why? Because for the life of me I can't find the page that has the links for the daily updates so instead I just change the date in the url

 

https://media.thaigov.go.th/uploads/public_img/source/160664.pdf

 

so for tomorrow I know that sometime after 2pm, the end of the url will be  "/170664.pdf"

I understand that Brian but you are not knowingly manipulating or changing any parameters.

  • Haha 2
Posted
3 minutes ago, Phuketshrew said:

Hi Brian,

Hacking a URL and website parameter manipulation are two slightly different methods. The latter involves deliberately manipulating parameters, such as an ID field that are then submitted through http_methods to the server. This should not be allowed to happen but with lax security sometimes can. It seems that this method made it possible for other users data to be retrieved and displayed.

Yes I'm not that up to speed as I've never had the need to try that but assume you're correct

Posted
3 hours ago, JamieM said:

If it is visible on the clearnet it is not hacking.

 

So, if someone leaves the cash register open and I walk off with their money, is that still theft?

 

If he had to change aspects of the URL to see the data, that's a hack.  Just because it was easy and an amateur could do it, doesn't mean it's not.

 

  • Thanks 1
Posted
8 minutes ago, Phuketshrew said:

Hi Brian,

Hacking a URL and website parameter manipulation are two slightly different methods. The latter involves deliberately manipulating parameters, such as an ID field that are then submitted through http_methods to the server. This should not be allowed to happen but with lax security sometimes can. It seems that this method made it possible for other users data to be retrieved and displayed.

 

any HTML form data, including login data, is submitted by http_methods, namely get and post ... this "being allowed to happen" is not only normal, but also vital for websites to function.

the important things after that are data validation and user authentication, session management, the http_method used is irrelevant.

 

 

  • Like 2
Posted
8 minutes ago, JetsetBkk said:
30 minutes ago, asiacurious said:

So again, why collect all that data and then treat it so cavalierly?

 

Have you looked at the back of your Immigration forms, recently.

 

(I did the "blanking out", for security purposes of course).

 

I know.  It's shocking the insecurity that happens here.  I know it's probably carelessness or perhaps something to do with culture.

 

Sometimes it almost seems intentional, but it always is reckless.

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.




×
×
  • Create New...