How much does it cost to break into SmugMug.com?
February 1st, 2008 by Aviram, Filed under: Web, Commentary, Culture
Ophir put together a nice analysis on how much it would cost to break the security system of SmugMug.com.
This, in response to a bounty that is advertised on their web site.
I think he’s being generous. The really bad guys (people who make money from cybercrime) have access to countless “free” machines; the crackers can easily break into a few boxes to use them for the attack Ophir describes. But mainly he’s being generous because he is giving them free security consulting, which is what they really need. Hey, SmugMug guys: a security contest is not a cheap replacement for an actual security audit (or consulting with an expert), just like bug bounties are not replacements for QA.
And only god knows why in 2007 the notion of my-url-is-so-long-nobody-will-guess-it is still alive. What do they teach in CS anyway?
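To make the “nobody will guess it” point concrete, here is an added example (not from the post or from SmugMug) that estimates the guess space of a URL identifier from its length and alphabet, and mints a proper random capability token for comparison. The 8-digit numeric ID is a constructed sample shaped like the photo IDs discussed in the thread; the 10k guesses/s rate is an assumption.

```python
import math
import secrets
import string

# Added example (not from the post): how guessable is a URL identifier,
# and what a genuinely unguessable one looks like.

DECIMAL = set(string.digits)
URLSAFE = set(string.ascii_letters + string.digits + "-_")


def guess_space_bits(identifier: str) -> float:
    """Upper bound on the entropy of an identifier, assuming every character
    was drawn uniformly from the smallest alphabet that contains it.
    A sequential or uptime-derived counter has far less entropy than this
    bound, so this is the defender's *optimistic* estimate."""
    chars = set(identifier)
    if chars <= DECIMAL:
        alphabet = 10
    elif chars <= URLSAFE:
        alphabet = 64
    else:
        raise ValueError("identifier uses characters outside the URL-safe set")
    return len(identifier) * math.log2(alphabet)


def expected_guesses(bits: float) -> float:
    """Average guesses to hit one valid identifier when the attacker knows
    the length and alphabet: half the space."""
    return 2 ** bits / 2


def years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years for expected_guesses() at the given rate (assumed)."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


def new_capability_token(nbytes: int = 16) -> str:
    """128-bit URL-safe token from the OS CSPRNG: the right way to build a
    'secret' URL, as opposed to a long but predictable one."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample: an 8-digit numeric photo ID versus a fresh token.
    for ident in ("54287630", new_capability_token()):
        bits = guess_space_bits(ident)
        yrs = years_to_guess(bits, 1e4)
        print(f"{ident}: <= {bits:.1f} bits, ~{yrs:.2e} years at 10k guesses/s")
```

The numeric ID falls in well under a day even at a modest rate; the token's bound is over 128 bits, so the same calculation runs to astronomical time.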
The numbers aren’t that hard to guess - they are apparently related in some way to the “uptime” of the service (not server) and are therefore not sequential.
I can easily find from this (note: Ti means Thumbnail, so less network load if found):
http://www.smugmug.com/photos/54287630-Ti.jpg
this one:
http://www.smugmug.com/photos/54287636-Ti.jpg
Then, if I want, I can replace Ti with L, XL or even SuperSizeMe (joking).
woohoo!
woohoo! funfun
If I have a SmugMug password-protected gallery’s URL, can I figure out how to get in?