Not again! Another website used by foreigners in Thailand suffers massive data breach

Phuketshrew · June 16, 2021

19 minutes ago, JamieM said:

1. The data was not restricted.

2. You are assuming whoever found the data breach, knowingly accessed the data.

Don't get your point. "Whoever" was Mr Barrow. He knowingly tampered with the website URL to gain access that was unauthorised. So I am assuming nothing.

elliss · June 16, 2021

4 hours ago, bino said:

Clap one hand if you are shocked and surprised by this.

With the other hand ....

JamieM · June 16, 2021

4 minutes ago, Phuketshrew said:

Don't get your point. "Whoever" was Mr Barrow. He knowingly tampered with the website URL to gain access that was unauthorised. So I am assuming nothing.

You are assuming a lot and your post demonstrates that perfectly.

asiacurious · June 16, 2021

2 hours ago, Phuketshrew said:

Had Mr Barrow had legal permission to perform the hack (as an Ethical Hacker) the correct course of action should have been to inform the owner of the website/database of the breach so that they could take immediate remedial action.

Seems as though his publishing of the information resulted in a pretty quick fix by immigration. Does anyone here think a quick fix would have happened had it not been made public? The current government isn't really know as being responsive to much of anything unless it's public (and even then, not so much).

Bad on immigration for having this data publicly accessible via a simple URL.

Good on immigration for immediately correcting the problem once it was made public. (Public being the key word here.)

Phuketshrew · June 16, 2021

16 minutes ago, JamieM said:

21 minutes ago, Phuketshrew said:

Don't get your point. "Whoever" was Mr Barrow. He knowingly tampered with the website URL to gain access that was unauthorised. So I am assuming nothing.

You are assuming a lot and your post demonstrates that perfectly.

I have assumed nothing. Mr Barrow stated that he tampered with the website URL to gain unauthorised access to data - See his Twitter post if you cannot comprehend that. I pointed out that this can be legally defined as hacking.

The legal definition of hacking is "Hacking is the unauthorised use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access".

It's quite obvious that you know very little about cyber security and/or hacking.

JetsetBkk · June 16, 2021

4 hours ago, Justgrazing said:

Hacks sake .. this is getting more than a little inconvenient now ..

Unable to run a bath comes to mind ..

More like a xxxx-up in a brewery.

JamieM · June 16, 2021

20 minutes ago, Phuketshrew said:

Mr Barrow stated that he tampered with the website URL to gain unauthorised access to data

No he didn't he said and I quote:

"The Immigration data breach is NOT a hack. All you have to do is change certain characters in the URL"

Show me where he states he did that? you cannot add or take away anything from what he stated.

Which is exactly what you are doing.

Which can also be described as ASSUMING.

20 minutes ago, Phuketshrew said:

I I pointed out that this can be legally defined as hacking.

The legal definition of hacking is "Hacking is the unauthorised use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access".

Ok I'm glad you were able to google the definition of hacking but the key points that you fail to grasp are as follows:

1. the data it was NOT RESTRICTED ( because they failed to secure it)

2. Hacking is "KNOWINGLY" gaining access to data.

Edited June 16, 2021 by JamieM

Phuketshrew · June 16, 2021

3 minutes ago, JamieM said:

10 minutes ago, Phuketshrew said:

I have assumed nothing. Mr Barrow stated that he tampered with the website URL to gain unauthorised access to data

No he didn't he said and a quote:

"The Immigration data breach is NOT a hack. All you have to do is change certain characters in the URL"

Show me where he states he did that? you cannot add or take away anything from what he stated.

Which you are doing by the way.

10 minutes ago, Phuketshrew said:

I I pointed out that this can be legally defined as hacking.

The legal definition of hacking is "Hacking is the unauthorised use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access".

The key points that you fail to get into your head is that.

1. the data it was not restricted.

2. Hacking is "KNOWINGLY" gaining access to data.

So just because Mr Barrow states that it is not a hack then that's OK then? ????

By definition, changing URL parameters to gain unauthorised data is hacking. I am sorry that you unable to grasp that, which again shows your lack of knowledge in the area of discussion.

I will not waste any more of my time with this discussion as you are clearly out of your depth.

JamieM · June 16, 2021

42 minutes ago, Phuketshrew said:

Mr Barrow. He knowingly tampered with the website URL to gain access that was unauthorised.

What you stated was not true.

1 minute ago, Phuketshrew said:

So just because Mr Barrow states that it is not a hack then that's OK then?

It's not a hack because it was not restricted because they didn't secure the data in the first place.

Is that so hard for you to understand?

tgw · June 16, 2021

5 minutes ago, Phuketshrew said:

So just because Mr Barrow states that it is not a hack then that's OK then? ????

By definition, changing URL parameters to gain unauthorised data is hacking. I am sorry that you unable to grasp that, which again shows your lack of knowledge in the area of discussion.

I will not waste any more of my time with this discussion as you are clearly out of your depth.

nope. no hacking.

definition of hacking is "the gaining of unauthorized access to data in a system or computer."

the operative word being "unauthorized"

since the data was accessible without any user authentication and without any access control, access was not "unauthorized".

it's a bit like when a 17 year old finds 18+ restricted material on a park bench. according to you, he should be punished.

Bkk Brian · June 16, 2021

Its actually termed as url hacking at least according to this article but its certainly not illegal.

Hacking a URL is the process of moving through a complex web site by playing directly with the address. Simply lop off the end of the address, in order to see whether the author has provided a table of contents page for a particular collection of web pages. (There’s nothing illegal or even very technical about what I mean by hacking a URL)

URL-hacking in Action

Sometimes URL-hacking is a simply quick way for impatient power-users to jump around within a website. At other times, regular users who stumble upon internal web pages with incomplete navigation systems will need to hack a URL in order to get anywhere at all (in order to determine whether a particular web page is worth citing in a research paper, or to figure out whom to contact for more information).

https://jerz.setonhill.edu/writing/e-text/url-hacking-do-it-yourself-navigation/

Edited June 16, 2021 by Bkk Brian

JamieM · June 16, 2021

Finally some people that get it have arrived, thank the lord ????

asiacurious · June 16, 2021

1 hour ago, Phuketshrew said:

Yes, it is possible to change a userID in a URL (which should not be displayed anyway) and retrieve another users data. I've done it under controlled conditions. But only if the developer has neglected security considerations and validation routines when the web site was created, which is the point that Mr Barrow was trying to make. Of course, most web developers worth their salt would never allow this to happen so there are still some places free in the world's jails.

My original point was that if he did this then it would be legally defined as hacking i.e. gaining unauthorised access to a system or data.

Except the government put the site out there for the public to view and access. It was as public as an flyer posted on a bulletin board at the local grocery offering a used car for sale.

As you point out, they could have hidden the information in the URL.

They could also have:

used SSL.
created user accounts requiring people to log in to view/access the system
said what authorized use of the system was in their "Rules of online appointment queue reservation" page (the one that requires that you agree). But there's nothing in there that says a user can't view the system!

Or they could have even left the system design just as it was, and only collected a person's first name and appointment time! Why did they need email, phone, first and last names, passport, date of birth....?

I used the system once and when I showed up with the confirmation in hand, they just looked at the paper to see what date and time it said my appoint was. That's it. They didn't use or verify anything else from it.

So again, why collect all that data and then treat it so cavalierly?

Phuketshrew · June 16, 2021

4 minutes ago, tgw said:

it's a bit like when a 17 year old finds 18+ restricted material on a park bench. according to you, he should be punished.

Nope. Nowhere did I state that "he should be punished".

JamieM · June 16, 2021

4 minutes ago, Phuketshrew said:

Nope. Nowhere did I state that "he should be punished".

You have been repeatedly making false accusations against the man, you even said he's pushing his luck and suggested the government could take "remedial action" which implies he's done something wrong.

If I were Mr Barrow I would be filing a defamation suit against you.

Phuketshrew · June 16, 2021

5 minutes ago, JamieM said:

You have been repeatedly making false accusations against the man, you even said he's pushing his luck and suggested the government could take "remedial action" which implies he's done something wrong.

If I were Mr Barrow I would be filing a defamation suit against you.

Remedial action to fix the web site - wasn't that obvious?

JamieM · June 16, 2021

1 minute ago, Phuketshrew said:

Remedial action to fix the web site - wasn't that obvious?

Well with the outright false assumptions / allegations you have made about Mr Barrow.

No, no it wasn't obvious.

tgw · June 16, 2021

13 minutes ago, Phuketshrew said:

Nope. Nowhere did I state that "he should be punished".

well, hacking being illegal, because it is "the gaining of unauthorized access to data in a system or computer", the direct conclusion of you calling Mr Barrow's actions "hacking" is that he should be punished by law.

luckily for Mr. Barrow, no hacking occured.

JamieM · June 16, 2021

Just now, tgw said:

well, hacking being illegal, because it is "the gaining of unauthorized access to data in a system or computer", the direct conclusion of you calling Mr Barrow's actions "hacking" is that he should be punished by law.

luckily for Mr. Barrow, no hacking occured.

Well said!

asiacurious · June 16, 2021

24 minutes ago, Phuketshrew said:

The legal definition of hacking is "Hacking is the unauthorised use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access".

It's quite obvious that you know very little about cyber security and/or hacking.

Let's look at that definition you posted, ignoring for the fact that legal definitions vary by place/jurisdiction.

The KEY word is "by". Hacking occurs IF you gain unauthorized use or access via a specific means, namely "by using or security vulnerabilities or bypassing usual security steps to gain access".

In order to use a security vulnerability or bypass usual security steps, there must be first be security!

There simply was NO security on the site. As I've already said, no SSL, no password, no nothing! Even you pointed out they didn't even hide the URL data.

You can't hack the security when there is no security to hack.

Phuketshrew · June 16, 2021

17 minutes ago, Bkk Brian said:

Hacking a URL is the process of moving through a complex web site by playing directly with the address. Simply lop off the end of the address, in order to see whether the author has provided a table of contents page for a particular collection of web pages. (There’s nothing illegal or even very technical about what I mean by hacking a URL)

Hi Brian,

Hacking a URL and website parameter manipulation are two slightly different methods. The latter involves deliberately manipulating parameters, such as an ID field that are then submitted through http_methods to the server. This should not be allowed to happen but with lax security sometimes can. It seems that this method made it possible for other users data to be retrieved and displayed.

Bkk Brian · June 16, 2021

Here's an example of where I change the string of a url and I do this daily, why? Because for the life of me I can't find the page that has the links for the daily updates so instead I just change the date in the url

https://media.thaigov.go.th/uploads/public_img/source/160664.pdf

so for tomorrow I know that sometime after 2pm, the end of the url will be "/170664.pdf"

JetsetBkk · June 16, 2021

14 minutes ago, asiacurious said:

So again, why collect all that data and then treat it so cavalierly?

Have you looked at the back of your Immigration forms, recently.

(I did the "blanking out", for security purposes of course).

JamieM · June 16, 2021

2 minutes ago, Phuketshrew said:

The latter involves deliberately manipulating parameters, such as an ID field that are then submitted through http_methods to the server. This should not be allowed to happen but with lax security sometimes can.

It seems that this method made it possible for other users data to be retrieved and displayed.

Show us your source evidence of website parameter manipulation occurring then?

Mr Barrow clearly stated "All you have to do is change certain characters in the URL"

Phuketshrew · June 16, 2021

3 minutes ago, Bkk Brian said:

Here's an example of where I change the string of a url and I do this daily, why? Because for the life of me I can't find the page that has the links for the daily updates so instead I just change the date in the url

https://media.thaigov.go.th/uploads/public_img/source/160664.pdf

so for tomorrow I know that sometime after 2pm, the end of the url will be "/170664.pdf"

I understand that Brian but you are not knowingly manipulating or changing any parameters.

Bkk Brian · June 16, 2021

3 minutes ago, Phuketshrew said:

Hi Brian,

Hacking a URL and website parameter manipulation are two slightly different methods. The latter involves deliberately manipulating parameters, such as an ID field that are then submitted through http_methods to the server. This should not be allowed to happen but with lax security sometimes can. It seems that this method made it possible for other users data to be retrieved and displayed.

Yes I'm not that up to speed as I've never had the need to try that but assume you're correct

impulse · June 16, 2021

3 hours ago, JamieM said:

If it is visible on the clearnet it is not hacking.

So, if someone leaves the cash register open and I walk off with their money, is that still theft?

If he had to change aspects of the URL to see the data, that's a hack. Just because it was easy and an amateur could do it, doesn't mean it's not.

asiacurious · June 16, 2021

45 minutes ago, Phuketshrew said:

I have assumed nothing. Mr Barrow stated that he tampered with the website URL to gain unauthorised access to data - See his Twitter post if you cannot comprehend that. I pointed out that this can be legally defined as hacking.

The legal definition of hacking is "Hacking is the unauthorised use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access".

It's quite obvious that you know very little about cyber security and/or hacking.

So I just looked for the legal definition in Thailand. I got the following from this site: https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/thailand

Quote

Yes. The Computer Crime Act B.E. 2550 (2007) (“CCA”) provides that whoever illegally accesses a computer system that has specific security measures and such security measures are not intended for that person’s use shall be liable for imprisonment not exceeding six months and/or a fine not exceeding THB 10,000 (CCA, s.5).

and

Quote

Whoever illegally accesses computer data that has specific security measures which are not intended for that person’s use shall be liable for imprisonment not exceeding two years and/or a fine not exceeding THB 40,000 (CCA, s.7).

I may be beating a dead horse here, but the site had NO security measures. Not one.

But there is someone who should get in trouble over this whole thing.....

Quote

With regard to the personal data, the data processor and data controller are obligated under the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) to provide appropriate security measures for preventing unauthorised or unlawful loss, access to, use, alteration, correction or disclosure of personal data. Failure to do so may result in an administrative fine of up to THB 3 million (PDPA, ss83 and 86).

Seems pretty clear that they FAILED to provide ANY security measures, and there should be an administrative fine levied against someone.

tgw · June 16, 2021

8 minutes ago, Phuketshrew said:

Hi Brian,

Hacking a URL and website parameter manipulation are two slightly different methods. The latter involves deliberately manipulating parameters, such as an ID field that are then submitted through http_methods to the server. This should not be allowed to happen but with lax security sometimes can. It seems that this method made it possible for other users data to be retrieved and displayed.

any HTML form data, including login data, is submitted by http_methods, namely get and post ... this "being allowed to happen" is not only normal, but also vital for websites to function.

the important things after that are data validation and user authentication, session management, the http_method used is irrelevant.

asiacurious · June 16, 2021

8 minutes ago, JetsetBkk said:

30 minutes ago, asiacurious said:

So again, why collect all that data and then treat it so cavalierly?

Have you looked at the back of your Immigration forms, recently.

(I did the "blanking out", for security purposes of course).

I know. It's shocking the insecurity that happens here. I know it's probably carelessness or perhaps something to do with culture.

Sometimes it almost seems intentional, but it always is reckless.

Not again! Another website used by foreigners in Thailand suffers massive data breach

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

snoop1130

phetphet

internationalism

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Announcements

Topics