» How I broke the commercial part of FRHACK
Brainst0rm |
About Me
How I broke the commercial part of FRHACK
It has been some months now but I never really disclosed what I did to get a free streaming account at mediatux in order to watch some of FRHACK01 via their streaming service provided by mediatux. At the time they announced that One could stream the conference for an exaggerated amount of money, I thought that I would give it a try with some very basic hacking skills.
A few days later the conference started and my login worked, I was truly astonished.
The only problem was that I had to work during the hours the conference was held,
so it actually ended with that I only got to watch most of Richard Stallman's talk.
After a lot of waiting, all of the DVD ISO's
finally came online but also they were commercial!
What an outrage.. Information is and should always be free.
For 50€ or 71$ one can buy all of the DVD's.
I decided to buy them, for 1€.
Purchase Link:
http://mediatux.com/purchasefrhack.php
Look at the screenshots below for proof. (private details has been edited out).
Ressources Used:
- FireFox with the Tamper Data addon.
- PayPal account with a credit card. (1€ used).
Alternatively
- Any browser with a proxy like Paros Proxy, Burp Suite or WebScarab.
- PayPal account with a credit card attached or a few dollars. (or prepaid card).
What does One need to do?
- Go f.ex. here: http://mediatux.com/buydvdfrhack.php?dvd=alldvd
- Start your Intercepting Proxy.
(this intercept all get and post requests).
- Click "Buy Now" on the page.
- Edit the POST-request field that says 50, to something else. (not 0)
- Send the POST-request and wait until you're at PayPal.
- Check that the amount of money is not 50€ but the value you changed it to.
- Pay the amount you chose.
Reference thread:
http://forum.intern0t.net/offensive-...-free-way.html
A few days later the conference started and my login worked, I was truly astonished.
The only problem was that I had to work during the hours the conference was held,
so it actually ended with that I only got to watch most of Richard Stallman's talk.
After a lot of waiting, all of the DVD ISO's
finally came online but also they were commercial!
What an outrage.. Information is and should always be free.
For 50€ or 71$ one can buy all of the DVD's.
I decided to buy them, for 1€.
Purchase Link:
http://mediatux.com/purchasefrhack.php
Look at the screenshots below for proof. (private details has been edited out).
Ressources Used:
- FireFox with the Tamper Data addon.
- PayPal account with a credit card. (1€ used).
Alternatively
- Any browser with a proxy like Paros Proxy, Burp Suite or WebScarab.
- PayPal account with a credit card attached or a few dollars. (or prepaid card).
What does One need to do?
- Go f.ex. here: http://mediatux.com/buydvdfrhack.php?dvd=alldvd
- Start your Intercepting Proxy.
(this intercept all get and post requests).
- Click "Buy Now" on the page.
- Edit the POST-request field that says 50, to something else. (not 0)
- Send the POST-request and wait until you're at PayPal.
- Check that the amount of money is not 50€ but the value you changed it to.
- Pay the amount you chose.
Reference thread:
http://forum.intern0t.net/offensive-...-free-way.html
Total Comments 5
Comments
-
I think it is worth noting that you are admiting something tantamount to hacking for monetary gain.
I also think it is worth noting that this is a known weakness and has absolutly nothing to do with PayPal, but rather the client's insecure method of handling information. This also works with GooglePay and any other payment method if the price is delivered by a POST or POST-GET. or even a GET with a manipulatable variable, f.ex I recently saw a a website that used the format...
website.com/shop.php?action=buy&itemid=31337&price=1000
Where action was buy, return, or donate.
Item id was an incremental number (ovbviouisly)
and price was in cents
hehehePosted 10th January 2010 at 03:09 by HitThemLow 
-
Good job MaXe I proly wont do this but im glad to see someone else has my viewpoint on knowledge xD
I mean seriously 71$ for a vid is rediculous xDPosted 10th January 2010 at 22:36 by CyberDevin -
Dear HitThemLow,
First I have to say, that I never intended to sell the information gained to any third parties nor did I have any monetary purpose in getting the information provided at FRHACK.
Many other conferences, including DEFCON uploads the speeches / talks / etc. to their website so anyone that couldn't participate or did participate, is able to watch the interesting information that was shared on the conference.
I believe that this is very important for not just DEFCON but for any conference including FRHACK which is unfortunately the only or almost the only conference where it costs an outrageous amount of money.
If the amount of money charged for the DVD's had been less so anyone including myself would be able to afford it, then there would've been no point in getting it for free.
I didn't state that it was an error in PayPal's service nor did I claim otherwise.
This weakness aka vulnerability is however, not affected by the amount of money a person wants to pay which can be changed in many cases with an Intercepting Proxy when the GET or POST request is made to send the customer over to the payment processing system.
The error in this case is that the payment handling system, should check the amount of money received though it does not!
If you don't believe in what I say, change the amount of money you need to donate to InterN0T to 0.01$ and see if you get the donator status, cause you wont since the payment handling system we use here, is protected against such and so is many other systems on the Internet, but not all of them unfortunately.
Thanks for the kind comment CyberDevin.
Best regards,
MaXePosted 11th January 2010 at 15:20 by MaXe
Updated 11th January 2010 at 15:53 by MaXe - You are still doing it for monetary gain since you voided the Cost of the Information.
Then you are trying to justify it by “it costs to much”. While I agree that information should be free, I don’t believe you should go make a blog post of how you stole it.
This is generally a bad idea, as anyone could [.......] you, and yes, it is a criminal offense :\
I know how it works, I know you know, I was pointing it out for others who may not.Posted 11th January 2010 at 18:24 by HitThemLow
Updated 12th January 2010 at 08:25 by MaXe - Well, I partially agree with you but in my opinion it was for never for any personal gain.
The reason why is simple. I didn't download the discs though i did pay them 1€ and told
others, how to get the information shared at FRHACK but I never downloaded anything
from that FTP server :-)
To conclude it all, I paid them 1€ and received an account which I only used for a screen-
shot but nothing more. I received information to share but no dvd iso's from FRHACK
Posted 12th January 2010 at 08:38 by MaXe
