Sunday, 13 January 2008

The rhican rampage

Yeah, that's surely the right word for the recent challenge site pwnzor incidents. Within just a few months, rhican was able to find exploits in almost all big challenge sites, where security had been taken into consideration by the site administrators.

Everything started with the soft-hyphen bug that rhican found on Electrica and HackQuest. Then rhican mysteriously found a way to pwnzor flamecruiser's account at HackQuest. Next he found an XSS bug on rankk. Then again he mysteriously found a way to eavesdrop on the conversation between Inferno and alt3rn4tiv3 at TBS. It was kinda cool back then, when things like that were thought to be impossible.

The topic became hot once again in late 2007 when rhican published an SQL injection on Electrica, which put every account in danger of being compromised. Things became chaos when rhican posted whiteboy's challenger password to the public, and even gave noobs free access to all the solutions. That put an end to the site - after a long period when noobs rushed their ways to the top, today the database was inaccessible, not sure if it was taken down for maintenance by Caesum or pwnzored by a noob.

And the rhican pwnage doesn't seem to have come to an end. A few days ago, yet another SQL injection was found and published by rhican. This time the victim was slyfx. Everyone in the challenger world was driven to the same feeling: all challenge sites are insecure, and will be pwned by rhican someday. Now the question is, what will be rhican's next target? I myself would be excited to see him pwning or, the sites with many script kiddies thinking of themselves as 1337-h4x0r5.

Now if you are feeling sorry for those challenge sites and wondering what's the world going to become, I'll let you in for some good news. You know, nothing in life is entirely good nor bad. Thanks to hacking, bugs have been fixed to make life better. A brand new challenge site is being developed by whiteboy and probably will be popular soon. And whiteboy is taking every consideration to make sure it's rhican-proof :) I'll be one of the beta testers, so be sure to tune in on for the next chapter :)

Update: TBS, or rather alt3rn4tiv3, fell victim to rhican again. This time using an old CSRF bug that hasn't been fixed for years, rhican was able to borrow alt3rn4tiv3's hands to wipe away the biggest spam topic on TBS - "Let's count... The number topic" by BaRa. I'd say it's an achievement to get rid of this big waste of time and space :)


Kender said...

So rhican gets credit for making sites more secure?
He has caused a lot of grief for both players and administrators.

For me the real heroes are the people that do not steal passwords or hack sites, but do let admins know when they encounter a security vulnerability.

I have alerted more site-admins to vulnerabilities in their sites than rhican has posted them. And all without ruining anyone's fun.

Kender said...

I'm sorry. I meant to say:
The real heroes are the admins of the challenge sites, who spend their own time and money to provide us with interesting places to have fun and use our brains.

Don't harass them, mess things up for them, or hack their sites!

Instead, help them out and improve our favorite pastime.

Thank you.

Alt3rn4t|v3 said...

Gotta agree with Kender.

Sphinx said...

Nice update, quangntenemy!

I suggest rhican makes a challenge himself :)

And good to know whiteboy's making something - the more, the merrier.

quangntenemy said...

Kender, be realistic. What rhican did was not the best, but at least it alerted the users about the risk they were facing online.

In this world, although there are people like you who report vulnerabilities to admin, there are also people who keep all for themselves. What would happen when a user uses the same password for banking online and other sites, and it got pwned by an evil hacker? Just reporting some bugs you have found will not be enough to stop them.

I myself prefer "harassing" the admins until they fix up their sites :)

Anonymous said...

It's kinda lame publishing passwords publicly.
But as Rhican comes into question, I totally agree with quangntenemy.
By the way, as far as I know, he does (and did) inform the site admins about the security issues with a deadline to fix 'em up. Now it's up to them to fix in time or face a write-up.

Keep the good work up rhican. They want to store our passwords/IDs so they should learn how to secure these too. ;)