AWS EC2 Security Vulnerability and Pinterest Hacked
Update 2013-05-12: Pinterest wasn’t really hacked. See the follow-up to this blog post.
Well, almost hacked. This is rather embarrassing (for Pinterest, and maybe AWS?), in that I was able to access what seemed to be their admin page. Furthermore, I discovered through this interface that it seems they do not store passwords encrypted or salted. If I’m not mistaken, I saw usernames, emails, and passwords in plaintext. Let me describe what happened.
I was migrating a Nagios monitoring server, which involved decommissioning the existing EC2 instance and releasing the Elastic IP. Because I didn’t delete my Route 53 DNS entry, and left the Nagios URL open in my browser, I soon noticed that some other content had taken its place in my browser window.
Basically, the apparent Pinterest admin server had requested an Elastic IP from the us-east region, and had been associated with the IP address that I had just released.
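The root cause on my side was a DNS record left pointing at an address I no longer owned. The following is an added example, not code from the original post: it audits Route 53 A records against the Elastic IPs still allocated to the account, using the response shapes of boto3’s ec2.describe_addresses() and route53.list_resource_record_sets(), with constructed sample data so it runs offline (the hostnames and addresses are placeholders).

```python
"""Audit Route 53 A records against the public IPs an AWS account still owns.
Response shapes follow boto3's ec2.describe_addresses() and
route53.list_resource_record_sets(); the data below is constructed, not real."""
import ipaddress

# Constructed stand-in for ec2.describe_addresses()
OWNED_ADDRESSES = {"Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0constructed"},
]}

# Constructed stand-in for route53.list_resource_record_sets()
RECORD_SETS = {"ResourceRecordSets": [
    {"Name": "www.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    # Monitoring host: Elastic IP released, DNS record left behind
    {"Name": "nagios.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.25"}]},
    # Private address: not reachable from the Internet, so not a takeover risk
    {"Name": "db.internal.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "10.0.1.5"}]},
]}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def owned_public_ips(describe_addresses_response):
    """Public IPv4 addresses currently allocated to the account."""
    return {a["PublicIp"] for a in describe_addresses_response["Addresses"]}


def dangling_records(list_rrsets_response, owned_ips):
    """(record name, ip) for every A record pointing at a public address the
    account no longer owns. Alias records carry no ResourceRecords and are
    skipped, as are non-A records and RFC 1918 targets."""
    findings = []
    for rrset in list_rrsets_response["ResourceRecordSets"]:
        if rrset.get("Type") != "A":
            continue
        for rr in rrset.get("ResourceRecords", []):
            ip = rr["Value"]
            if any(ipaddress.ip_address(ip) in net for net in RFC1918):
                continue
            if ip not in owned_ips:
                findings.append((rrset["Name"], ip))
    return findings


if __name__ == "__main__":
    for name, ip in dangling_records(RECORD_SETS, owned_public_ips(OWNED_ADDRESSES)):
        print(f"DANGLING {name} -> {ip}: delete the record before releasing the address")
```

Run it with the real responses before releasing any Elastic IP; a record that shows up here should be deleted first.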
A few lessons can be learned from this:
- Pinterest should encrypt and salt their passwords; shame on them for not doing so.
- Pinterest should place their admin server behind a firewall so that it is only accessible internally. Ever heard of EC2 security groups? I set up all my servers to expose only certain ports to certain other security groups. Only the external-facing webapp servers have port 80 open to the world.
- Pinterest should put a password on their admin site. Even a shared password internally on the HTTP server is better than having nothing at all.
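The security-group lesson above can be checked mechanically. This is an added example (not code from the post): it walks the response shape of boto3’s ec2.describe_security_groups() and flags every ingress rule that is open to the whole Internet on anything but the public web ports; the groups, IDs and the admin port 8080 are constructed placeholders.

```python
"""Flag security-group ingress rules that expose anything other than the public
web ports to the whole Internet. Response shape follows boto3's
ec2.describe_security_groups(); the groups below are constructed samples."""

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}  # only the external-facing web ports may be world-open

SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0webconstructed", "GroupName": "webapp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0adminconstructed", "GroupName": "admin", "IpPermissions": [
        # Weak: the admin UI answers to any address on the Internet
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # Hardened: SSH only from instances in another security group
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bastionconstructed"}]}]},
]}


def world_open_rules(describe_sgs_response, public_ok=PUBLIC_OK):
    """(group name, protocol, from port, to port, cidr) for every ingress rule
    whose source is the whole Internet and whose port range is not a single
    allowed public port. IpProtocol "-1" means every protocol and port."""
    findings = []
    for sg in describe_sgs_response["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if c in WORLD]
            if not world:
                continue
            proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
            if proto == "tcp" and lo == hi and lo in public_ok:
                continue
            for cidr in world:
                findings.append((sg["GroupName"], proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for group, proto, lo, hi, cidr in world_open_rules(SECURITY_GROUPS):
        print(f"{group}: {proto} {lo}-{hi} open to {cidr}; restrict to a source security group")
```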
A good hacking strategy would be to allocate, associate, disassociate, and release Elastic IPs, and to squat on/poll that IP address on several common ports. I got lucky and found one immediately through a browser.
Want proof that I actually did this? How about a screenshot:
My friend tells me that I should also mention that I was able to log in with the emails/passwords leaked. I saved around 37 of them, and tested successful logins for 2 of 2 that I tried. For the sake of discretion, those credentials will not be posted here. However, I will say that the accounts I saw in the admin interface seem to be fake hacker accounts, with the emails being mostly from the same domains.
I have contacted Pinterest through whatever means I could find, via a Twitter @Pinterest msg and #pinterest hash tag, and also emailing firstname.lastname@example.org.
Sticky Footer Redux
I call myself a generalist, but feel that I’m more adept at backend development than web frontend, so I’m always amazed by the simplicity and cleverness of really cool HTML/CSS/JS techniques out there.
- Responsive Sticky Footer by Timothy Long [demo] [code]
This was very informative. I have yet to use this solution (maybe when I need a dynamically-sized footer), but it seems to be very promising, not to mention that the solution is very clever.
I’ve been using this exact technique for several (dozens of) websites, and it’s a tried-and-true method.
- Another CSS Sticky Footer by Ryan Fait [code]
I haven’t used this one, but it’s neat to see the code in action and how few lines it requires.
On a separate note, I recently started using LESS, a dynamic stylesheet language which allows you to write less CSS by using variables and functions. I can’t emphasize enough that it’s a HUGE timesaver. It’s a must-have for any project.
Domino's ShopRunner Flub
On Sunday, February 3, 2013 (Super Bowl Sunday), Domino’s Pizza disabled ShopRunner free delivery on their site. This screenshot was taken from the Domino’s Order Page on Tuesday, February 5, 2013, when they added it back in.
Coincidence? Sneaky Domino’s. I didn’t think to take a screenshot at the time, though. Too bad!
How to Clone a Car
Today, I was looking up biking directions to my new office. I wanted to take VTA Express from Fremont to Sunnyvale, and then bike the rest of the way.
So, I looked up biking directions on Google Maps and, to get a better idea of the actual road conditions, looked at street view. That’s when I noticed something interesting: all the cars on the road look the same!
Am I seeing multiples?
The Google Streetview car was slightly ahead and to the right of the car in the picture driving down Java Drive, and therefore, that same car was pictured in every frame of map tiles along that stretch of road.
What appears to be an optical illusion is… an optical illusion, created by stitching several separate frames together.
Dropbox on NTFS Mount in Ubuntu
After I switched to Ubuntu as my primary OS (dual-boot alongside Windows XP), I had a problem syncing some Dropbox files to an NTFS mount.
While some files synced without much trouble, the Dropbox icon would consistently be spinning and several files and folders would not sync.
I got around to searching for the issue today (“dropbox ntfs ubuntu”) and found this helpful blog post that answered my problem.
tl;dr: the fix was to simply add uid=1000 to the /etc/fstab entry for the NTFS mount, because Dropbox, running as your user, tries to change permissions on the file (owned by root in the absence of the
Don’t have Dropbox yet? Why not use my referral link to sign up to get a free bonus and start off with 2.25GB? Dropbox is one of the best cloud-based file-sync programs for the average user, allowing access from Windows, Linux, Mac OSX, iOS, and Android!
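To make the fstab fix above repeatable, here is an added example (not from the original post) that scans an fstab for NTFS mounts whose options carry no uid= and rewrites the offending line; the fstab text is constructed, and uid 1000 is the desktop user’s uid as in the post.

```python
"""Find NTFS mounts in an fstab that lack a uid= option and show the corrected
line. The fstab text is constructed; uid 1000 is the desktop user's uid."""

FSTAB = """\
# <file system>            <mount point>  <type>  <options>          <dump> <pass>
UUID=0123-ABCD-constructed /              ext4    errors=remount-ro  0      1
/dev/sda1                  /media/windows ntfs-3g defaults           0      0
/dev/sdb1                  /media/data    ntfs    defaults,uid=1000  0      0
"""

NTFS_TYPES = {"ntfs", "ntfs-3g", "ntfs3"}


def ntfs_entries_without_uid(fstab_text):
    """(mount point, options) for NTFS mounts whose options carry no uid=.
    Without uid= the mounted files are owned by root, so a process running as
    the desktop user cannot change their permissions."""
    missing = []
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        _fs, mount_point, fstype, opts = fields[:4]
        if fstype not in NTFS_TYPES:
            continue
        if not any(o.startswith("uid=") for o in opts.split(",")):
            missing.append((mount_point, opts))
    return missing


def with_uid(fstab_line, uid=1000):
    """Return the fstab line with uid=<uid> appended to its options if absent."""
    fields = fstab_line.split()
    opts = fields[3].split(",")
    if not any(o.startswith("uid=") for o in opts):
        opts.append(f"uid={uid}")
    fields[3] = ",".join(opts)
    return " ".join(fields)


if __name__ == "__main__":
    for mount_point, opts in ntfs_entries_without_uid(FSTAB):
        print(f"{mount_point}: options '{opts}' lack uid=; add uid=1000 and remount")
```

Check your own uid with `id -u` before applying the rewritten line, since it is only 1000 for the first user created on most Ubuntu installs.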