Hack Planetromeo Account
He wanted help in disclosing what he believed was a serious security vulnerability and clearly, he was hitting a brick wall. I asked for technical detail so I could validate the authenticity of his claim and the info duly arrived. On the surface of it, things looked bad: complete account takeover with a very trivial attack. But I wanted to verify the attack and do so without violating anyone's privacy so I asked Scott Helme for support:
Scott's dealt with plenty of security issues like this in the past, plus he helped me out with the Nissan Leaf disclosure a few years ago too and was happy to help. All I needed was for Scott to create an account and let me know the email address he used which in this case, was email@example.com.
You'll see both the token and Scott's email address in that URL. It's easy for anyone to establish this pattern by creating their own Grindr account then performing a password reset and looking at the contents of the email they receive. When loading that URL, I was prompted to set a new password and pass the Captcha:
Full account takeover. What that means is access to everything the original Grindr account holder had access to, for example, their profile pic (which I immediately changed to a more appropriate one):
The conversation with Luke went downhill pretty quickly and I can't reproduce it here, but the thought of that dialogue (and if he'd sent them, his pics) being accessed by unknown third parties is extremely concerning. Consider also the extent of personal information Grindr collects and as with Scott's messages, any completed fields here would immediately be on display to anyone who accessed his account simply by knowing his email address:
This is one of the most basic account takeover techniques I've seen. I cannot fathom why the reset token - which should be a secret key - is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously...
Except it wasn't. The person who forwarded this vulnerability also shared their chat history with Grindr support. After some to-and-fro, he provided full details sufficient to easily verify the account takeover approach on September 24. The Grindr support rep stated that he had "escalated it to our developers" and immediately flagged the ticket as "resolved". My contact followed up the next day and asked for a status update and got... crickets. The following day, he attempted to contact the help / support email addresses as well and after 5 days of waiting and not receiving a response, contacted me. He also shared a screenshot of his attempt to reach Grindr via Twitter DM which, like the other attempts to report the vulnerability, fell on deaf ears.
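To make the reset-flow flaw concrete, here is an added Python example. It is not Grindr's code and not from the original post: a minimal in-memory model of a password-reset service, first in the vulnerable shape described above (the token comes back in the body of the anonymous "forgot password" request) and then in a hardened shape (token delivered only by e-mail, stored hashed, time-limited, single-use, uniform API response). The class names, the sample user, the `send_email` callback and the example.com URL are all assumptions made for the illustration.

```python
import hashlib
import secrets
import time


def hash_password(pw: str) -> str:
    # Illustration only: real code should use a slow KDF (Argon2, scrypt, bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


class VulnerableResetService:
    """Models the flaw described above: the reset token is handed back in the
    response body of an unauthenticated 'forgot password' request."""

    def __init__(self, users):
        self.users = users          # email -> password hash (constructed data)
        self.tokens = {}            # plaintext token -> email

    def request_reset(self, email):
        if email not in self.users:
            return {"error": "unknown user"}   # also leaks which emails exist
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        # The bug: the secret goes to whoever made the request, not just the mailbox.
        return {"status": "ok", "resetToken": token, "email": email}

    def redeem(self, token, new_password):
        email = self.tokens.pop(token, None)
        if email is None:
            return False
        self.users[email] = hash_password(new_password)
        return True


class HardenedResetService:
    """The token only ever leaves through the e-mail channel, is stored hashed,
    expires, is single-use, and the API answer is identical for every address."""

    TTL = 15 * 60   # seconds a reset link stays valid

    def __init__(self, users, send_email):
        self.users = users
        self.send_email = send_email   # out-of-band delivery, e.g. an SMTP client (assumed)
        self.pending = {}              # sha256(token) -> (email, expiry)

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, now + self.TTL)
            self.send_email(email, f"https://example.com/reset?token={token}")
        # Same response whether or not the address exists: no enumeration, no token.
        return {"status": "If that address is registered, a reset link has been sent."}

    def redeem(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # pop: a token works at most once
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.users[email] = hash_password(new_password)
        return True


def attacker_takeover(service, victim_email):
    """What an attacker can do knowing only the victim's e-mail address."""
    resp = service.request_reset(victim_email)
    token = resp.get("resetToken")
    if token is None:
        return False                       # nothing usable came back
    return service.redeem(token, "attacker-chosen-password")


if __name__ == "__main__":
    victim = "victim@example.org"
    vulnerable = VulnerableResetService({victim: hash_password("original")})
    print("vulnerable service taken over:", attacker_takeover(vulnerable, victim))
    outbox = []
    hardened = HardenedResetService({victim: hash_password("original")},
                                    lambda to, link: outbox.append((to, link)))
    print("hardened service taken over:", attacker_takeover(hardened, victim))
    print("reset link delivered to mailbox only:", outbox[0][1])
```

Storing only the SHA-256 of the token means a database leak does not hand out usable reset links, and popping the entry on redemption makes each link single-use; the uniform response also removes the account-enumeration side channel that the vulnerable version's "unknown user" error exposes.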
Cain & Abel runs on Windows. It recovers passwords for local user accounts and Microsoft Access databases, sniffs the network for credentials, and more. Unlike John the Ripper, it has a graphical user interface, which is why it is popular with newcomers and script kiddies. See the product website for more information on how to use it.
In this practical scenario we are going to crack a Windows account that has a simple password. Windows does not encrypt account passwords; it stores the NT hash, an unsalted MD4 digest of the UTF-16LE encoding of the password, in the SAM database. Because there is no salt, the same password always yields the same hash, so a list of candidate words only needs to be hashed once and can then be compared against every account. We will use the NTLM cracker in Cain & Abel to do that.
Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.
Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.
From firstname.lastname@example.org for $7,000 to account 1GGhHEWfnH2jrCvdmd3Lr7hSedQ7iFMc3i. No one has paid in to that account so far? Password might be genuine but so old I have no record of ever using it.
When you hear "security breach," what springs to mind? A malevolent hacker sitting in front of screens covered in Matrix-style digital text? Or a basement-dwelling teenager who hasn't seen daylight in three weeks? How about a powerful supercomputer attempting to hack the entire world?
Hacking is all about one thing: your password. If someone can guess your password, they don't need fancy hacking techniques and supercomputers. They'll just log in, acting as you. If your password is short and simple, it's game over.
First up in the common password hacking tactics guide is the dictionary attack. Why is it called a dictionary attack? Because it automatically tries every entry in a defined "dictionary" against the password. That dictionary isn't the one you used in school: it is a word list of common passwords, ordinary words and names, typically seeded with credentials from earlier breaches and expanded with simple rules (capitalisation, appended digits or symbols), which is why short, predictable passwords fall in seconds.
This isn't strictly a "hack," but falling prey to a phishing or spear-phishing attempt will usually end badly. General phishing emails are sent by the billions to all manner of internet users around the globe, and it is definitely one of the most popular ways to find out someone's password.
The daily volume of spam sent worldwide remains high, accounting for over half of all email sent globally, and a lot of it carries malicious payloads: Kaspersky alone blocked over 148 million malicious attachments in 2021, and its Anti-Phishing system blocked a further 253 million phishing links. Remember, those figures come from a single vendor, so the real numbers are much higher.
Another sure way to lose your login credentials is to fall foul of malware. Malware is everywhere, with the potential to do massive damage. If the malware variant features a keylogger, you could find all of your accounts compromised.
You might have heard the term "spider" before. In password attacks it means a crawler, much like the ones search engines use to index the web, that an attacker points at a target organisation's public website, documents and social media. It harvests organisation-specific terms (product names, project codenames, locations, staff names, internal jargon) because employees often build passwords from exactly those words. The resulting custom word list is then tried against user accounts, on its own and with common mangling rules, in the hope of finding a match.
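As an added example of the spidering technique (written for this page; not from the original article or any particular tool), the Python below crawls a set of constructed HTML pages standing in for a hypothetical company's public site, extracts the visible text while skipping scripts and styles, ranks the organisation-specific terms by frequency and expands the top ones with a few mangling rules into password candidates. The pages, the company name, the stop-word list and the rule set are all assumptions made for the illustration; a real run would fetch live pages with an HTTP client instead of reading the embedded strings.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed pages for a hypothetical "Acme Widgets" site (assumption; not real content).
SAMPLE_PAGES = {
    "https://example.com/": """<html><head><title>Acme Widgets - Home</title></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Acme builds the FlowMaster 3000 and the TurboValve range.</p>
<script>var tracker = "ignoreme";</script></body></html>""",
    "https://example.com/about": """<html><body><h2>About Acme</h2>
<p>Founded in 1998 in Springfield. Our CEO, Jane Okafor, leads the TurboValve team.</p>
<nav>Home About Careers</nav></body></html>""",
    "https://example.com/careers": """<html><body>
<p>Join the FlowMaster engineering team in Springfield.</p>
<style>.hidden { display: none }</style></body></html>""",
}

# Everyday words that appear on every site and carry no organisation-specific signal.
STOPWORDS = {"home", "about", "careers", "welcome", "with", "from", "that",
             "this", "join", "the", "and", "our"}


class VisibleText(HTMLParser):
    """Collects rendered text, ignoring anything inside <script> or <style>."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.chunks.append(data)


def words_in(html, min_len=4):
    """Alphanumeric tokens of the visible text, minus stop-words and short words."""
    parser = VisibleText()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return [w for w in re.findall(r"[A-Za-z][A-Za-z0-9]*", text)
            if len(w) >= min_len and w.lower() not in STOPWORDS]


def build_wordlist(pages, min_len=4):
    """Frequency table of candidate terms across all crawled pages."""
    counts = Counter()
    for html in pages.values():
        counts.update(words_in(html, min_len))
    return counts


def mangle(word):
    """Case variants plus the suffixes people most often bolt on to a base word."""
    variants = set()
    for base in (word, word.lower(), word.upper(), word.capitalize()):
        variants.add(base)
        for suffix in ("1", "123", "!", "01", "2024"):
            variants.add(base + suffix)
    return variants


def candidate_passwords(pages, top_n=5):
    """Most frequent site-specific terms, each expanded by the mangling rules."""
    counts = build_wordlist(pages)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    out = []
    for word, _ in ranked[:top_n]:
        out.extend(sorted(mangle(word)))
    return out


if __name__ == "__main__":
    for word, n in build_wordlist(SAMPLE_PAGES).most_common(5):
        print(f"{n:3d}  {word}")
    print(len(candidate_passwords(SAMPLE_PAGES)), "candidates generated")
```

The frequency ranking is what turns a pile of crawled text into something useful: the company name, its flagship products and its home town rise to the top, and those are precisely the words a "Springfield1" or "TurboValve123" password is built from.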
So, how do you stop a hacker from stealing your password? The short answer is that you cannot be 100 percent safe. The tools attackers use to steal your data change all the time, and there is no shortage of videos and tutorials on guessing and cracking passwords.
You can sign up to PlanetRomeo in two ways: with your email address or with your Facebook account. If you sign in with your Facebook account, registration is easier and quicker.
While setting up your profile, it is advised that you make it as detailed as possible: other members are more likely to want to connect with a detailed profile. You can include basic information such as your age, preferred username, location and more. You can upload up to 25 photos to your profile. Photos you would rather not show to everyone can go in your private album; other members have to request access to view them.
How long a PlanetRomeo ban lasts depends largely on the severity of the offense. A serious offense, or a repeat offense, will probably get your account suspended permanently; a mild or first-time offense will probably result in a ban of a few days.
Conducting post-mortems based on skimpy details is always a fraught exercise, even more so when the story changes by the day. The early hysterics suggested the possibility of a massive iCloud break-in. But Apple put paid to that scenario Tuesday when it said that the celebrity accounts "were compromised by a very targeted attack on usernames, passwords and security questions" and that the incident was unrelated to a breach in any of its systems. (Meanwhile, there's also the possibility that these photos have circulated for some time. According to a Monday post on Gawker, discussion of the images on the anonymous image-sharing board AnonIB began weeks ago.)
Many celebrities are active on Twitter or Facebook or other social media where they interact with fans and followers and their higher profiles inevitably require them to take extra precautions so their accounts don't get hacked. But people -- celebrities or regular folk -- are creatures of habit and it's unclear how many actually take that extra step. Apple's response to the hack would suggest that more work remains on spreading the message.
Ramzan said both Facebook and Twitter spent a lot of effort specifically protecting celebrity accounts, checking for odd patterns of activity that might suggest a compromise.
"I heard recently that at Twitter, they thought someone might have hacked Justin Bieber's account because all of a sudden there were some weird messages being posted on it," Ramzan said. "It turned out that Bieber was backstage with Ashton Kutcher and handed Ashton his phone and Ashton started to make some posts on behalf of Bieber but they didn't look like they were coming from Bieber."
It was just the latest reminder of a message that still isn't getting through to most people, who just enter their username and a single password -- a process known as single-factor authentication. Check out this CNET FAQ to learn more about two-factor authentication, a process in which someone would only be able to access an account after they supply two of these three types of credentials: