23 OCT 2017

The persistence of hackers against Rousseau, the platform of the Movimento 5 Stelle

The first week of August was not easy for the “Movimento 5 Stelle” (M5S), an Italian political party, because its “Rousseau” platform suffered two hacker attacks within a few days.

The white hat Evariste Gal0is on the Rousseau platform of the M5S

The first attack was carried out by Evariste Gal0is, a “white hat”, a good hacker, whose objective was to alert the site’s members that their sensitive information could be at risk due to vulnerabilities in the platform. Evariste Gal0is in fact discovered two vulnerabilities: a variable vulnerable to SQL injection and a password-related weakness.

SQL injection was born in 1998, when Jeff Forristal documented it in the web magazine Phrack. Forristal wrote that the attack consists of introducing unexpected code into an SQL query to make a site run commands that an unauthorized user would normally not be able to execute. SQL (an acronym of “Structured Query Language”) is a programming language used to administer and execute commands in databases. Put simply, a site uses it like this: if the URL of news 1 carries “id = 1”, news number 2 will surely carry “id = 2”. In an SQL injection attack, the hacker manipulates the id in the URL with a parameter that forces the server to do something it should not, such as returning sensitive data contained in the database.

The attack is repeated several times to collect as many fragments of data from the database as possible. To speed up the operation, attackers use tools that automate some of these steps, such as “Havij”, which is available for Windows with a graphical interface and is often used by beginners, or “SQLmap”. SQLmap scans websites as the Googlebot does, looking for input forms; once it has found them, it submits them with inputs that could generate an SQL syntax error. SQL injection is among the easiest attack methods but, because of its simplicity, it is also easy to counter, as we will see in a moment.

Returning to the attack on the “Movimento 5 Stelle” platform, the hacker entered the system without any permission and was able to view, and possibly download, a range of information held in the database about the site’s subscribers. This was sensitive user information such as name, surname, e-mail, city of residence, amount paid and method of payment used.

M5S platform attacked via passwords

The second vulnerability concerned passwords: a password could not exceed 8 characters, which is exactly the length of a birth date in the format day/month/year. Evariste Gal0is tried to recover these passwords using a list of numbers from 00000000 to 99999999 and the free program “John The Ripper”. In 21 hours, on a random sample of 2,517 accounts, he managed to crack 136 passwords, a success rate of 5.40%, and he stated that it is: “A non-derisory percentage that could weigh, for example, in online voting”.
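The weakness described above can be caught at registration time. The following is an added example, not code from the Rousseau platform: a password policy check that rejects digit-only and date-like passwords, plus a comparison of the search space of 8 random digits with that of a calendar date. The minimum length of 12, the year range 1900 to 2017 and the extra date orderings (month/day/year and year/month/day, which go beyond the day/month/year case in the text) are assumptions.

```python
import math
from datetime import date

MIN_LENGTH = 12  # assumed policy value, not taken from the page

def _is_date(year, month, day):
    try:
        date(year, month, day)
        return True
    except ValueError:
        return False

def looks_like_date(pw):
    """True if pw is 8 digits readable as ddmmyyyy, mmddyyyy or yyyymmdd."""
    if len(pw) != 8 or not (pw.isascii() and pw.isdigit()):
        return False
    a, b, tail = int(pw[:2]), int(pw[2:4]), int(pw[4:])
    return (_is_date(tail, b, a) or _is_date(tail, a, b)
            or _is_date(int(pw[:4]), int(pw[4:6]), int(pw[6:])))

def check_password(pw):
    """Return the list of policy violations (empty list means accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if pw.isdigit():
        problems.append("digits only")
    if looks_like_date(pw):
        problems.append("looks like a date")
    return problems

def keyspace_bits(alphabet_size, length):
    """Upper bound on the entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)

def date_count(first_year, last_year):
    """Number of distinct calendar dates in the inclusive year range."""
    return (date(last_year + 1, 1, 1) - date(first_year, 1, 1)).days

if __name__ == "__main__":
    for sample in ("23101987", "correct horse battery staple"):  # constructed
        print(sample, check_password(sample))
    print(round(keyspace_bits(10, 8), 1), "bits for 8 random digits")
    print(round(math.log2(date_count(1900, 2017)), 1), "bits for a date")
```

A password that is really a birth date carries far less entropy than even the 8-digit space suggests, which is why a length cap of 8 characters is the setting to remove first.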

Evariste Gal0is immediately tried to warn the managers of the Movimento 5 Stelle site. From the brief exchange of e-mails he had with the staff, he learned that they had immediately set to work to resolve the vulnerability. Taking advantage of this e-mail exchange, Evariste Gal0is stressed that there were other vulnerabilities on the site. He then decided to create a site, #Hack5Stelle, in which he described what had happened, but he did not disclose the vulnerable variable. The intent of the site was simply to alert “the members of a potential loss of data and confidential information”, and it specified straight away that it was not “a political attack”. On the site, moreover, Evariste Gal0is advised users subscribed to the Rousseau platform to change the passwords of their website account and of all their accounts, in order to avoid the risk of data theft or data profiling, that is, of seeing their own name in a list of donors to the Movimento 5 Stelle.

After just two days, the Rousseau platform suffered another hacker attack, this time with very different and untrustworthy purposes, from a “black hat”, a bad hacker, R0gue_0. Once he had extracted information such as name and surname, social security number and amount of the donation, he published it on Twitter, adding that he had thousands of pages stolen from the operating system and that it is “too easy to play with your votes [of the Movimento 5 Stelle]”. Then, in late September, R0gue_0 returned to the attack by writing on his Twitter account: “Be calm, Luigi Di Maio has already won, this is guaranteed by certified dozens of my votes” and posting screenshots of votes in which he appeared as a different user each time. Basically, it seems that he voted for some members of the site by taking advantage of an additional vulnerability of the platform. Apparently, the Movimento 5 Stelle noticed these attacks, but it claimed to have been able to repel them, and Beppe Grillo (the father of the political party) reassured users on his blog: “Following the checks, we can state that the vote was regular and no vote has been tampered with”.

However, these attacks highlight that the IT security of the Rousseau platform definitely needs to be reviewed: members’ information does not seem to be really safe, black hats are always lurking to take advantage of vulnerabilities and, besides, countering an SQL injection attack is easy. For example, you can use “prepared statements”, which establish the semantics of a query in advance so that incoming data cannot surprise the database and the server, or SQL injection libraries, which automatically modify the potentially damaging parts of malicious inputs.
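The “id” lookup described earlier and the prepared-statement fix named above, side by side, as an added example that is not code from the Rousseau platform. The `news` table, its `draft` column, the rows and the function names are all constructed for illustration, and Python's built-in `sqlite3` module stands in for whatever database the site used.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, draft INTEGER)"
    )
    db.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "News one", 0), (2, "News two", 0), (3, "Unpublished draft", 1)],
    )
    return db

def get_news_vulnerable(db, news_id):
    # WEAK: the URL value is pasted into the SQL text, so the database
    # parses whatever the client sent as part of the query itself.
    query = ("SELECT title FROM news WHERE draft = 0 AND id = "
             + news_id + " ORDER BY id")
    return [row[0] for row in db.execute(query)]

def get_news_prepared(db, news_id):
    # FIXED: the query text is constant; the value is bound as data only
    # and can never change the structure of the statement.
    query = "SELECT title FROM news WHERE draft = 0 AND id = ? ORDER BY id"
    return [row[0] for row in db.execute(query, (news_id,))]

def get_news_validated(db, news_id):
    # Defence in depth: accept only a plain decimal id before querying.
    if not (news_id.isascii() and news_id.isdigit()):
        raise ValueError("id must be a positive integer")
    return get_news_prepared(db, int(news_id))

if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed input that alters the WHERE clause
    print("concatenated:", get_news_vulnerable(db, tampered))
    print("prepared:    ", get_news_prepared(db, tampered))
    print("validated:   ", get_news_validated(db, "2"))
```

With the concatenated query the tampered id returns every row, including the unpublished one; with the bound parameter the same input matches nothing.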

If there are many solutions to prevent these types of attacks, why are they not used or implemented? The answer is simple: often those who work in the field of security, absurdly, do not have much experience in the field and, since they must deliver the ordered product immediately, they neglect security aspects. In this case, we hope that those who take care of the safety of the Rousseau platform do not underestimate this aspect and perhaps follow the umpteenth suggestion of Evariste Gal0is, that of creating a “bug bounty” program, which consists of inviting those who notice a vulnerability to report it in return for some reward. In this way the hacker would be rewarded for reporting, the site could become safer immediately and the subscribers to the platform could be more relaxed about the security of their sensitive information.

Elaborated by Lucia D’Adamo, in collaboration with Andrea Petriglia, supervised by Marco Pirrone