
Not again! Another website used by foreigners in Thailand suffers massive data breach


snoop1130


1 hour ago, Mr Meeseeks said:

My companies have government contracts so from my experience you are most likely correct. 

 

So much nepotism goes on that most expats are not aware of, it would shock even the most cynical on this forum.

 

If you understand how the Thais operate, business becomes a lot easier for us as foreigners though, outwith having a niche that is. Having a niche and understanding the Thai way of doing business is the best way to running a successful enterprise. 

 

Try to meet Thais in your target industry first and think of how your business can benefit them, then make your business plan accordingly.

If you want to hear about nepotism, my nephew here in Thailand can tell you about his job.

Edited by bert bloggs

10 minutes ago, rabas said:

 

But, was it illegal to film them without their consent and post it on the internet for all to see?

 

 

Good question!  I'd suggest that such an action was not only not illegal, it was also morally justified in order to warn others and secure a prompt resolution.

 

Another person above mentioned that they had already heard about the immigration site issue weeks ago from someone else, so it's not like it was unknown to anyone else.


13 hours ago, JamieM said:

Yeh but it's not though:

 

1. The data was not restricted.

That's like saying the keys were in the car so I didn't steal it. 

 

Access to driving the car off was not restricted, therefore it wasn't a crime, all right?

 

Edited by SiSePuede419

17 hours ago, tgw said:

this will require some more "thaisplaining"

 

let's see...

"it's a service provided for foreigners"

"we were updating the system"

"it was for less than 5 minutes"

 

 

obviously, this is not the case, as it's not possible to register or login.

'Thaisplaining' is good, I'm stealing that! 


12 hours ago, tgw said:

And no, changing URL parameters is not a hack.

 

imagine the URL is

bangkokimmigration.com/?userid=12345

 

is changing the URL parameter "userid" to 12344 a hack?

bangkokimmigration.com/?userid=12344

 

is changing the URL parameter "userid" to something more complex a hack?

bangkokimmigration.com/?userid=12344' AND SELECT username,email,password FROM users --

 

technically both examples ARE a hack because even in the first example you've gained the information you were not expected to see - your own user ID is 12345, and you should not see information intended for user 12344.

More tech-savvy guys would argue that the first example is not "real" hacking but a web programmer's idiocy, and I somewhat agree with that. However, as government guys are usually not tech-savvy and don't see a difference between the above examples, I expect Richard Barrow to be punished for hacking.

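An example added here, not code from the thread or from the site under discussion: a minimal Python lookup over a constructed in-memory sqlite3 table (assumed schema and sample rows) showing the server-side mistake the post describes, a record selected purely by the URL's `userid` parameter, beside a hardened version that checks login, input shape and record ownership and passes the value as a query parameter. Function and table names are assumptions.

```python
import sqlite3

class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""

def make_db():
    # Constructed in-memory stand-in for the site's user table (assumed schema, sample data).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, phone TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (12344, "alice", "alice@example.test", "+66-00-000-0001"),
        (12345, "bob", "bob@example.test", "+66-00-000-0002"),
    ])
    return db

def lookup_vulnerable(db, session_user, userid_param):
    # The row is chosen solely by the URL parameter; session_user is never consulted (the IDOR),
    # and the raw string is spliced into SQL, so a quote in it changes the statement's meaning.
    sql = "SELECT username, email, phone FROM users WHERE id = " + userid_param
    return db.execute(sql).fetchone()

def lookup_hardened(db, session_user, userid_param):
    # 1. Authentication: anonymous callers get nothing.
    if session_user is None:
        raise Forbidden("login required")
    # 2. Input shape: an ID is digits only, so "12344' AND ..." is rejected before any SQL runs.
    if not userid_param.isdigit():
        raise ValueError("malformed userid")
    requested = int(userid_param)
    # 3. Authorization: the record must belong to the logged-in user. Changing 12345 to 12344
    #    in the URL is an ordinary request; the server, not the client, decides who sees what.
    if requested != session_user:
        raise Forbidden("record belongs to another user")
    # 4. Parameterized query: the value travels as data, never as SQL text.
    sql = "SELECT username, email, phone FROM users WHERE id = ?"
    return db.execute(sql, (requested,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, user 12345 asks for 12344:", lookup_vulnerable(db, 12345, "12344"))
    for args in ((12345, "12344"), (None, "12345"), (12345, "12344' AND 1=1 --")):
        try:
            lookup_hardened(db, *args)
        except (Forbidden, ValueError) as exc:
            print("hardened rejects", args, "->", type(exc).__name__, exc)
```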

17 hours ago, Excel said:

I would believe anything is possible when tin pot soldiers run a country for its own ends.

Do some research and enjoy the "mistakes" made by governments from countries all over the world in dealing with and storing of data.

What would you call these governments?

And surely you don't think the "leaders" of your own country are doing things for you?

 


9 minutes ago, asiacurious said:

 

Security must be present in order for someone to have something to hack.  By every definition of what hacking is posted in this forum, including the Thai government's own definition, there must be security in place in order for the security to be circumvented.

 

There was no security.

 

- No SSL

- No Login

- No URL hiding

- No nothing

 

I guess this will become my standard answer to those who keep claiming there was some kind of hack involved.

 

 

 

you are so good at describing things, would you be this guy's advocate in the court?

 

https://robdyke.com/howto-disclose/started   

 

https://robdyke.com/howto-disclose/cma


4 hours ago, Russell17au said:

Australian organisations notified the Office of the Australian Information Commission (OAIC) of 539 data breaches in the last six months of 2020, bringing the yearly total to 1051.

https://ia.acs.org.au/article/2021/australia-had-1051-data-breaches-in-2021.html

These include all the banks in Australia, Centrelink (social security), Dept of Immigration and Border Patrol plus many private companies. How many breaches have there been in America or the UK or Europe?

 

Of the 539 breaches occurring between July and December last year, the number of incidents caused by human error increased by nearly 20 per cent, according to the Notifiable Data Breaches report.

Data breaches caused by human error tend to be simple mistakes such as sending personal information to the wrong email recipient, unintentionally disclosing the information, or simply forgetting to use BCC in a mass email – as the Department of Foreign Affairs and Trade did when sending bulk communications to Australian travelers stuck overseas last October.

Excellent whataboutery again, fantastic stuff and well researched. I score that one a 9/10 because it was Australia and not a proper country like the US or UK. 

 

4 hours ago, sandyf said:

Not again, another thread of whinging by the malcontents. Data breaches happen and it is certainly not unique to Thailand as many would make out. Grow up and learn to live with it.

 

Most breaches occur in North America. It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion. It is estimated that in the first half of 2018 alone, about 4.5 billion records were exposed as a result of data breaches. In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.

https://en.wikipedia.org/wiki/List_of_data_breaches 

Solid whataboutery again, had to dock some marks because of the wikipedia link but other than that a top effort. 8/10


1 hour ago, fdsa said:

you are so good at describing things, would you be this guy's advocate in the court?

 

https://robdyke.com/howto-disclose/started   

 

https://robdyke.com/howto-disclose/cma


It sounds like he found a book sitting on a bookshelf in a public library and looked at the book.  He saw that the book contained private information that should never have been in a book on a bookshelf that anyone could access.

 

He was under no obligation to tell the librarian about the book (although at some point he may have had an affirmative duty to do so) but he elected to do so.

 

An interesting hypothetical (to me) is what to do if the library has a history of carelessly doing this sort of thing.  If it happened once, maybe the library can excuse it away, like by saying the book was only there for 10 minutes while they were doing maintenance work in the back room.  But what if it happens repeatedly?


2 minutes ago, asiacurious said:

An interesting hypothetical (to me) is what to do if the library has a history of carelessly doing this sort of thing.  If it happened once, maybe the library can excuse it away, like by saying the book was only there for 10 minutes while they were doing maintenance work in the back room.  But what if it happens repeatedly?

It has happened repeatedly with Thai Immigration as I have evidenced earlier.


If I recall correctly the problem with the 90 day website was someone forgot to renew the security certificate. Well with ruthless efficiency they have worked out how to stop that happening again with this app. I have seen it somewhere they get the programming for these apps done by State-owned Krung Thai Bank programmers. So if you happen to have any accounts at KT then I hate to think what the security is like.

 

Cheers


18 hours ago, JamieM said:

Well if that were the case and it were simply a case of changing a digit at the end of a URL, imagine how many people do that every day by accident while navigating the web? By your way of thinking they would all be hacking and breaking the law and there would be no more space in jails worldwide.

 

Mr Barrow is no fool and is fully aware that they want rid of him, do you really think he would post before checking the legality of the data breach before posting?

 

In my opinion he did the right thing drawing attention to the situation before others posted information for anyone to see.

 

Yes we should be thanking him for his public service at potential risk of expulsion ... I think they tried once before didn't they?


2 hours ago, fdsa said:

 

imagine the URL is


bangkokimmigration.com/?userid=12345

 

is changing the URL parameter "userid" to 12344 a hack?


bangkokimmigration.com/?userid=12344

 

is changing the URL parameter "userid" to something more complex a hack?


bangkokimmigration.com/?userid=12344' AND SELECT username,email,password FROM users --

 

technically both examples ARE a hack because even in the first example you've gained the information you were not expected to see - your own user ID is 12345, and you should not see information intended for user 12344.

More tech-savvy guys would argue that the first example is not "real" hacking but a web programmer's idiocy, and I somewhat agree with that. However, as government guys are usually not tech-savvy and don't see a difference between the above examples, I expect Richard Barrow to be punished for hacking.

 

fine distinction, I know, but changing the user ID is not a hack, because user ID is an expected parameter, part of normal user-application interaction. one would expect the application to handle this, as a computer can be used by several persons, cached usernames, passwords, etc. are things that happen naturally.

 

the last line however is borderline, because SQL injection makes the application behave unexpectedly, is not a normal interaction and clearly shows the user trying to gain access in an unauthorized way.

 

 

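Added example, not from the thread: detection logic in Python (standard library only) that, run over constructed access-log lines, separates the two request shapes the reply above distinguishes. One client walking through neighbouring `userid` values is flagged as enumeration (a sign the server lacks an ownership check), while a value carrying quotes, comment markers or SQL verbs is flagged as injection-shaped. The log lines, client addresses and thresholds are constructed; the parameter name `userid` is taken from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log in common log format; addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:00:01 +0700] "GET /?userid=12345 HTTP/1.1" 200 812
203.0.113.5 - - [10/Mar/2021:10:00:09 +0700] "GET /?userid=12344 HTTP/1.1" 200 805
203.0.113.5 - - [10/Mar/2021:10:00:12 +0700] "GET /?userid=12343 HTTP/1.1" 200 799
198.51.100.7 - - [10/Mar/2021:10:01:30 +0700] "GET /?userid=12344%27%20AND%20SELECT%20username%2Cemail%2Cpassword%20FROM%20users%20-- HTTP/1.1" 500 0
192.0.2.9 - - [10/Mar/2021:10:02:00 +0700] "GET /?userid=12345 HTTP/1.1" 200 812
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Quote characters, SQL comment markers or SQL verbs inside a numeric-ID parameter: not a normal request.
INJECTION_RE = re.compile(r"""['"]|--|\b(select|union|insert|update|delete|drop)\b""", re.IGNORECASE)

def classify(log_text, max_distinct_ids=2):
    """Return injection-shaped userid values and clients that requested too many distinct IDs."""
    ids_per_client = defaultdict(set)
    injection_hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log format
        query = parse_qs(urlsplit(m["path"]).query)  # parse_qs percent-decodes the values
        for value in query.get("userid", []):
            if INJECTION_RE.search(value):
                injection_hits.append((m["ip"], value))
            elif value.isdigit():
                ids_per_client[m["ip"]].add(int(value))
    # A client that asked for more distinct IDs than the threshold is reading other people's records.
    enumeration = {ip: sorted(ids) for ip, ids in ids_per_client.items() if len(ids) > max_distinct_ids}
    return {"injection": injection_hits, "enumeration": enumeration}

if __name__ == "__main__":
    for kind, hits in classify(SAMPLE_LOG).items():
        print(kind, hits)
```

The enumeration finding is the one a plain log scan would otherwise miss, since each of those requests is well-formed and returns 200; only the pattern across requests gives it away.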

19 hours ago, Phuketshrew said:

I think Mr Barrow is pushing his luck with publicising these data breaches. Gaining unauthorised access to any system and its data is, by definition, HACKING. Whether he used website parameter hacking, CSS, CSRF, or SQL injection is irrelevant. He has gained unauthorised access to the database, retrieved data and published the fact. Had Mr Barrow had legal permission to perform the hack (as an Ethical Hacker) the correct course of action should have been to inform the owner of the website/database of the breach so that they could take immediate remedial action.

All true and I have been involved with some ethical hacking but if all he had to do was change a URL, that could be said to be accidental with the outcome that appeared to be hacking and any one of us could do it without realising.

 

Example, try typing https://thaivisa.com/ then try https://visathai.com/ which you might do if you were a newbie or tired or not paying attention.  Both of those go to different, unrelated sites but if, perchance, one had taken you through a "back door" then would you be hacking, or would it be unfortunate?

 

Most people wouldn't even know what they were looking at and certainly wouldn't know to whom it should be reported.

 

If I lived in Thailand and had to deal with these fools, I would certainly NOT use my main email address (I have several) however then you need to consider your phone number, house address etc.


2 hours ago, asiacurious said:

It sounds like he found a book sitting on a bookshelf in a public library and looked at the book.  He saw that the book contained private information that should never have been in a book on a bookshelf that anyone could access.

well, quite correct analogy.

 

I've thought of one for our topic: imagine a post office, you got told that your letter is in box number 12345. While taking the letter out of your post box you see that all post boxes have no doors and there is a letter in post box number 12344. You took the letter out and saw the name, address, and phone number of the recipient (but still you've put the letter back so no information was deleted or tampered with).

Is it your fault to obtain someone's private information in an unauthorized way or the post office's fault that boxes have no doors?

 

Edited by fdsa

20 hours ago, Phuketshrew said:

I think Mr Barrow is pushing his luck with publicising these data breaches. Gaining unauthorised access to any system and its data is, by definition, HACKING. Whether he used website parameter hacking, CSS, CSRF, or SQL injection is irrelevant. He has gained unauthorised access to the database, retrieved data and published the fact. Had Mr Barrow had legal permission to perform the hack (as an Ethical Hacker) the correct course of action should have been to inform the owner of the website/database of the breach so that they could take immediate remedial action.

this is correct.

 

In the perfect world both Mr. Barrow and web site programmer would be sued, but in our clown world it's much more likely Mr. Barrow alone.


1 hour ago, fdsa said:

well, quite correct analogy.

 

I've thought of one for our topic: imagine a post office, you got told that your letter is in box number 12345. While taking the letter out of your post box you see that all post boxes have no doors and there is a letter in post box number 12344. You took the letter out and saw the name, address, and phone number of the recipient (but still you've put the letter back so no information was deleted or tampered with).

Is it your fault to obtain someone's private information in an unauthorized way or the post office's fault that boxes have no doors?

 

 

In that hypothetical I would say it's the post office's fault for not providing doors on the mailboxes, though I'm not sure the outside of the envelope actually contains any private information.  A person's name on a piece of mail is certainly not private.  Nor is the address (which happens to be the address of the post office, though even if it had their home address, it isn't private).  Even a person's phone number could be considered as not private, as anyone who has ever had a landline can attest to the fact that their name has appeared in public phone directories.

 

However, what is inside the sealed envelope would be private, and that is one important piece of security that the website did not have.  The only way to view whatever was sealed inside would be to break or circumvent (steam?) that seal.  To do so would be illegal.

 

I'd suggest that what happened here is that the post office took whatever private information was given to them and wrote it on a card.  They then placed that card - without sealing it in an envelope - into a post office box with no door that anyone could access at any time.

 

Thanks for the thought provoking example!  I love thinking about these kinds of issues and trying to reason them out.


1 hour ago, fdsa said:

this is correct.

 

In the perfect world both Mr. Barrow and web site programmer would be sued, but in our clown world it's much more likely Mr. Barrow alone.

 

To shoot the messenger (or any messenger) is to no longer have messages delivered.


Such a sad situation as Thailand proudly strides toward Thailand 0.4 and seeks to join the ranks of developed nations in the next 150 years. 

Nope, sarcasm just doesn't do it justice.

