A Queensland teenager may face charges after hacking into a United States web hosting provider and forcing the company to take its service offline over the weekend.
The 16-year-old hacker from Queensland, identified by the company as "Elliot", worked with a partner from New York, known only as "John". Working from separate hemispheres, the two exploited a security loophole in the infrastructure of cloud provider PHP Fog to steal and publish the company's proprietary source code and passwords via Twitter.
Soon after, the Queensland hacker apologised to the company's chief executive officer Lucas Carlson, admitting he should have tipped the company off to the flaw instead of exploiting it, but Carlson rejected the apology.
"We are talking to our legal counsel and the FBI and may press charges," Carlson wrote on a blog detailing the attack. "This kind of behaviour will not be accepted. Ever. There are proper disclosure protocols for handling this kind of situation and none of them were respected."
PHP Fog provides dedicated servers for each customer application stack, which include cache, load balancing and database layers, but the hackers had compromised the site by breaking into a shared fail-over environment.
Customer applications were deployed simultaneously in a dedicated instance and in a shared hosting environment.
"If your dedicated instance stopped responding for any reason (hardware or network failure) it would automatically redirect requests to the shared hosting environment," Carlson wrote in the blog, adding that the fail-over system was only ever used when it needed to move customers to new hardware.
Elliot's dedicated server crashed and entered fail-over mode. From there he was able to break into PHP Fog's shared hosting environment.
"This fail-over server should have been taken offline a long time ago. It was a relic that I had built as a proof of concept. We were replacing it, but I should have just taken it down until we had the replacement," Carlson said.
The hackers obtained a copy of the website code that was stored on the server, including active system passwords used by PHP Fog, and posted it on Twitter.
Elliot was cut off from the company's servers 15 minutes after the attack was noticed, and PHP Fog took its service offline. Using credentials stolen from the compromised server, the hacker then redirected visitors to the PHP Fog site to a mock website he had created, "PHPFogsucks", and bragged about the exploits on the company's Twitter and blog accounts.
"This was really naive and irresponsible of me," Carlson said, referring to the fact that he'd left code and passwords stored on the server. "You can be sure every single system password at PHP Fog has been changed and they are not put on servers anymore and I have more than learned my lesson here."
He said there had been an earlier attempt to compromise the company's server by the New York hacker, who had only managed to sign up for free Amazon EC2 instances.
"The way they did this was uploading a program and executing it with our post-deploy hooks. Internally at PHP Fog we were aware of the potential security threat behind post-deploy hooks and were about to disable them indefinitely on Friday, 18 March but our software for deploying the site update malfunctioned and we decided to put it off for the weekend. What unfortunate timing."
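The common thread between the shared fail-over host described above, which held PHP Fog's own code and passwords alongside tenant workloads, and the post-deploy hooks Carlson mentions is tenant-supplied code executing in a process that also carries the operator's secrets. The following is an added example, not PHP Fog's code, written in Python to show that failure mode and the hardened alternative. The environment variable names, the secret values and the hostile hook script are all constructed for the example; it assumes a POSIX `/bin/sh` and does not model the real platform.

```python
"""Added example (not PHP Fog's own code): a customer-supplied post-deploy hook
executed by a deploy process that carries the platform operator's credentials,
beside a hardened runner that exposes only the tenant's own settings."""
import subprocess
import tempfile
from pathlib import Path

# Constructed sample of the deploy process's environment on the shared host.
# Variable names and values are hypothetical; the page names no real ones.
OPERATOR_ENV = {
    "PATH": "/usr/bin:/bin",
    "PHPFOG_DB_PASSWORD": "constructed-db-secret",
    "PHPFOG_TWITTER_TOKEN": "constructed-twitter-token",
}

# Constructed tenant upload: a hook that just dumps whatever environment it gets.
HOSTILE_HOOK = "#!/bin/sh\nenv\n"


def write_hook(app_dir: Path) -> Path:
    """Stand-in for the tenant's uploaded code tree containing a hook script."""
    hook = app_dir / "post_deploy.sh"
    hook.write_text(HOSTILE_HOOK)
    return hook


def run_hook_naively(app_dir: Path) -> str:
    """Vulnerable pattern: the deploy process runs the tenant's script with its
    own environment and working tree, so the hook sees every secret the
    platform process sees."""
    hook = write_hook(app_dir)
    proc = subprocess.run(["/bin/sh", str(hook)], cwd=app_dir, env=OPERATOR_ENV,
                          capture_output=True, text=True, timeout=5)
    return proc.stdout


def run_hook_hardened(app_dir: Path, tenant_env: dict) -> str:
    """Hardened pattern: a fresh, minimal environment holding only the tenant's
    own APP_* settings (allowlist, not blocklist), a scratch working directory
    and a hard timeout. Operator credentials never enter the process. In
    production this would also run as an unprivileged per-tenant user inside a
    container; that is omitted here so the example runs without root."""
    hook = write_hook(app_dir)
    env = {"PATH": "/usr/bin:/bin", "HOME": str(app_dir)}
    env.update({k: v for k, v in tenant_env.items() if k.startswith("APP_")})
    with tempfile.TemporaryDirectory() as scratch:
        proc = subprocess.run(["/bin/sh", str(hook)], cwd=scratch, env=env,
                              capture_output=True, text=True, timeout=5)
    return proc.stdout


def leaked_operator_secrets(hook_output: str) -> list:
    """Names of operator variables (other than PATH) that appear in the hook's output."""
    return sorted(k for k in OPERATOR_ENV if k != "PATH" and f"{k}=" in hook_output)


def demo() -> dict:
    """Run both runners against the same hostile hook and report what leaked."""
    # The tenant also tries to smuggle an operator-looking name; the allowlist drops it.
    tenant_env = {"APP_DB_HOST": "db.tenant.example", "PHPFOG_DB_PASSWORD": "ignored"}
    with tempfile.TemporaryDirectory() as d:
        app_dir = Path(d)
        naive_out = run_hook_naively(app_dir)
        hardened_out = run_hook_hardened(app_dir, tenant_env)
    return {
        "naive_leaks": leaked_operator_secrets(naive_out),
        "hardened_leaks": leaked_operator_secrets(hardened_out),
        "hardened_sees_tenant_setting": "APP_DB_HOST=db.tenant.example" in hardened_out,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the naive runner handing both constructed operator secrets to the tenant's hook while the hardened runner hands over only the tenant's own `APP_` setting. The point is the one Carlson draws himself: a host that runs other people's code must not hold the operator's passwords at all, and a hook mechanism that cannot be isolated is better switched off than left running over a weekend.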
PHP Fog published instant messaging correspondence between Elliot and Carlson, of which this is an excerpt:
2:15:12 AM Elliot: Lucas.
2:15:23 AM Elliot: Listen, before you begin, I want to apologise.
2:15:35 AM Elliot: I do this sort of thing for kicks, but I agree that this went a little too far.
2:15:41 AM Lucas: before you apologise can you at least take down the site explaining the exploit
2:15:51 AM Elliot: Unfortunately, that's out of my control.
2:15:59 AM Elliot: I don't run that domain, however I will talk to the owner tomorrow. He's gone to bed.
2:16:36 AM Elliot: I don't want any hard feelings between us, this originally started as a proof of concept to prove your platform was insecure.
2:16:44 AM Elliot: I guess I did that, but there are better ways I could've gone about it.
2:16:58 AM Elliot: Yes, it was me as root on your servers, and in your twitter, and etc.
2:16:59 AM Lucas: I really wish you had reached out to me before this
2:17:04 AM Elliot: So do I, now.
2:17:12 AM Elliot: You guys are funded and I could've lost you a lot.
2:17:21 AM Lucas: a whole lot
2:17:28 AM Lucas: a lot of people's lives depend on this
2:17:37 AM Elliot: I didn't touch anybody's files.
2:17:39 AM Elliot: Only phpfog's.
2:17:49 AM Elliot: Didn't even look through them.
Carlson said a forensic review had concluded that the hack was vandalism and that no customer data had been compromised.
He listed a string of changes to the site's security arrangements following the attack, including removing post-deploy hooks, eliminating shared passwords and upgrading its Secure Shell (SSH) keys, and thanked the company's beta testers.
"Our beta testers have encouraged us to bounce back while denouncing the childish and criminal acts against us. We thank you all so much and will not let you down again," he said.