
Not again! Another website used by foreigners in Thailand suffers massive data breach



Posted
12 minutes ago, Phuketshrew said:
22 minutes ago, impulse said:

If he had to change aspects of the URL to see the data, that's a hack. 

Exactly.


Now you're just ignoring your own definition of hacking!  By your own definition, there was no hacking!

 

 

  • Thanks 1
Posted

Putting the term hacking aside, I think the responsible course of action here would be to report this issue to Bangkok Immigration directly. That way the problem can be solved without inviting more bad actors to harvest data. However, if there was no response after repeated attempts at communication, going public may have been necessary.

  • Like 2
Posted
29 minutes ago, impulse said:

 

Let's look at Dictionary.com...  Underlining is my emphasis...

 

Computers.

to modify (a computer program or electronic device) or write (a program) in a skillful or clever way:

  • Developers have hacked the app.
  • I hacked my tablet to do some very cool things.

to circumvent security and break into (a network, computer, file, etc.), often with malicious intent:

  • Criminals hacked the bank's servers yesterday.
  • Our cybersecurity team systematically hacks our network to find vulnerabilities.

White hat hacks are still hacks.  He entered the website in a manner not intended by the developer.  To do that, he manipulated the URL.  That's a hack.  Not a very sophisticated one, for sure.

 

Where the claim of hacking fails ALL of the definitions of hacking that have been offered, including the definition that I provided based on the actual laws in Thailand about hacking (this post),  is with the circumventing of security.

 

The site had NO security.

 

If the site admin/developer had used an SSL cert then there could be a claim that the site had at least some kind of security.  Though even that would simply be security to prevent man in the middle snooping/hacking.   Changing a URL would not be circumventing SSL security.

 

The admin/developer needed to have something set up to secure the data in order for there to be someone for a person to circumvent/hack!

  • Thanks 2
Posted
12 hours ago, bino said:

Clap one hand if you are shocked and surprised by this.

I did, around the head of immigration's face. I never use these apps, in fact never use any phone apps, rarely turn the phone on.

Posted

Maybe Thailand should offer permanent residency for people that find data breaches in Thailand 4.0.

It sure looks like Thailand 4.0 needs all the help they can get...



 

Posted

If you discover that it is possible to look inside a neighbour's bedroom with a telescope, this is illegal. So the correct course of action would be to refrain from looking and discreetly inform that neighbour to close their curtains, NOT to tell the whole street that the view is on offer!

  • Like 1
  • Confused 1
Posted
12 hours ago, connda said:

These people have no idea how to develop code.  They are literally back in the 1990s in their web development practices.
I jokingly said a while back that contracts to produce Thai government websites like this one are given to some bigwig's kid or nephew in university.  Now I'm betting I'm not far off.  No data security at all.

Lax security.  My son is buddies with one of the few internet key holders - the folks who control the domain name system security.  Serious business. 

Posted

When you click on the new 'report bug' button on the Thailandintervac site it says at the bottom:

 

"Some bugs on the websites may not safe for other, So please report us immediately and don't share it to public that would help."

 

They might get upset with Richard for sharing it to the public.  Of course it does also say 'So please report us immediately' not 'So please report it to us immediately'

  • Haha 1
Posted

I think you have very high expectations to think that a high school student could write a script for this or to even be bothered.

Posted
2 minutes ago, rwill said:

When you click on the new 'report bug' button on the Thailandintervac site it says at the bottom:

 

"Some bugs on the websites may not safe for other, So please report us immediately and don't share it to public that would help."

 

They might get upset with Richard for sharing it to the public.  Of course it does also say 'So please report us immediately' not 'So please report it to us immediately'

He did report them immediately in a manner of speaking.  To the rest of the world.

Posted

Hack or not hack... Thai authorities will decide if it is a hack or not and act accordingly (to avoid losing face, in their mind).



 

Posted
8 hours ago, impulse said:

 

You're confusing a hack with an illegal hack.

 

Going into the address bar and simply editing the URL is not a hack and not an illegal action.

Posted

Run by the same folks trying to route all internet traffic through government monitoring servers in Bangkok to prevent Thais from seeing stuff Paternalistic Big Somchai doesn’t want them seeing because it embarrasses their self image.


The government internet comprehension and computing resources are truly 3rd world. Not so much the criminal class of course. The major embarrassment is continuous government own goals.

Posted
12 hours ago, Phuketshrew said:

I think Mr Barrow is pushing his luck with publicising these data breaches. Gaining unauthorised access to any system and its data is, by definition, HACKING. Whether he used website parameter hacking, CSS, CSRF, or SQL injection is irrelevant. He has gained unauthorised access to the database, retrieved data and published the fact. Had Mr Barrow had legal permission to perform the hack (as an Ethical Hacker) the correct course of action should have been to inform the owner of the website/database of the breach so that they could take immediate remedial action.

 

He's doing the right thing. The Thais would not react unless they publicly lose face. That's how it works here. 

  • Like 2
Posted
15 hours ago, snoop1130 said:

For the second time in as many days, an official website used by foreigners in Thailand has purportedly suffered a data breach.

The digital hub of Asia... can't even secure a web-site.

 

Posted

The recently amended Computer Crimes Act (2017) is extremely broad, and can be used to charge pretty much anyone (who is deemed an enemy of the state) with anything remotely connected to a phone/pc and the interwebs.

 

If a student protester or a rival party member had done this, well, they'd be toast.

 

 

Personally my issue is with the insecure system(s), rather than how this was exposed. Without this sort of public shaming this would have gone on for months or years more.

 

Will be interesting to watch as Thai folks exploit these sorts of security issues on Thai websites, and expose the shenanigans of the various PtB.

 

 

 

 

 

  • Like 2
