How journalism should not be done

I am subscribed to the German “Linux Magazin” (its articles are translated and published in the English “Linux Magazine”) and today I received their anniversary edition (10 years of Linux Magazin).

With great interest, I read the article “Insel Hüpfer” on page 56 and later. It’s about the author telling his story of finding security holes in the setup of a big German hosting provider.

The author goes into great detail when describing what he did and, full of pride, he actually tells the reader the MySQL root password of one of the compromised servers:

Und dann entdeckte ich erstmals etwas Erfreuliches: Das Passwort für MySQL-Root lautet: xxxxxx. So sollte ein sicheres Passwort aussehen.

Which means in English: Finally, I discovered something good: The MySQL root password is: xxxx. This is what a secure password should look like. In contrast to the article in the Linux Magazin, I am definitely not naming the password here!

All this would not be bad enough for me to blog about here if only they had not been so stupid as to actually show the user the name of the provider!

While all URLs are left out and the article does not name the provider, they made two bad mistakes:

  1. On page 63, there is a screenshot of a compromised FAQ page. While they cleared out Mozilla’s URL field, they did not do that with the big visible title of the page containing the domain name in the top left corner. Additionally, even if they had grayed out the text, googling with the contents of the rest of the page would also have led me to the provider’s address.
  2. On page 64, they have a screenshot displaying the URL of the compromised phpMyAdmin, graying out the domain name, but leaving the URL intact otherwise. Too bad that the name of the provider is no secret anymore (see above).

All this would not be so bad (it certainly is bad for the publisher of Linux Magazin, as this will get them in trouble with the provider), but it really is catastrophic that the provider has not changed the password printed in the article!

This means that any reader of the Linux Magazin (currently only subscribers – I really hope they stop further delivery of this issue) can access the MySQL databases of many customers of said provider!

Posting stories like this is really nice and is actually what gets you the readers, but if you do this, please take care not to publicly post compromised passwords that continue to work when your edition goes to press. And don’t leave clues like URLs and other stuff that point to the victim in question! Please!