
Jan 20, 2014

Dangers of Public Facing “Private” ftp servers

In today’s age of the internet, nothing online is truly private. Crawlers search the internet and catalog everything. And oh boy do I mean everything.
Out of curiosity one day, I decided to use the Google search engine to amuse myself. My initial thought was of bitcoins, as I am gung-ho for them, and I mine litecoins and dogecoins myself.
Here is the query I used:

Wallet filetype:dat site:dropbox.com
Results:



Wow, look at those people who weren't very bright. So after some magic conversions, I managed to open just one of those bitcoins wallets and here is what I saw:



Now I am getting excited and I want to see how far this rabbit hole goes. I started thinking about where a great place to store my backups would be, and I started thinking ftp servers would be great.
Googling ftp search engines led me to http://filemare.com which appeared to be a great search engine.
Searching for the same file pattern as with Google, I was able to find a few wallets of various coins; however, this time the files had permissions of 0600 set on them, so no dice in downloading them. Good on them.
But where else does this rabbit hole go? I noticed that various other files came up that matched the string “wallet”. What did I find? Something called “eWallet” that links to the software http://www.iliumsoft.com/ewallet
I found hundreds of these files from a good ten to twenty people who had backed up their password store for websites and credit cards. I was shocked that people would do this. I downloaded one of these files and proceeded to open it with the software. Password encrypted, good on the company. Research into the software revealed that versions older than 7.1 used MD5 and that with a simple hexdump command you can pull out the hash. I attempted to do it but was unsuccessful, more than likely because I am on my Windows laptop and my hexdump tool is poor at best. Either that or I just suck. However, I was able to see categories inside these dumps, for example:



So where else does this go? Outlook .pst files are publicly available. A quick download, then opened with a read-only PST viewer:



Or how about this? A private KeePass key


How about shipping orders for flowers?



Paypal transaction histories?


Are you kidding me???? This guy has his social security number, address, income and more listed in just one public facing tax document?


T-mobile account, phone number(s) and payment information:






Bank account info:



I even found a website that backed up its entire SQL database, as the website itself is currently down:




How about an entire phone’s CWM backup?




This is crazy! I cannot believe what I found. Why would people allow this type of information to be posted?

The answer: lack of education. Total for the day: 12 people’s lives could have been ruined by me. I’m not even sure if I should contact these people. Embarrassment can cause people to lash out. I've blurred the screenshots as best as possible, and all my research files are being deleted. My favorite find today?
ftp://xxxxxx.xxxxx.xxxx/Username/Backup/Dropbox/Private
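The one thing that actually stopped me above was the 0600 file mode on the coin wallets. The script below is an added example, not part of the original post or of any of the products mentioned: it walks a backup folder the way an owner should before pointing an ftp server or a sync client at it, flags files other accounts can read or whose names look like secrets (wallet.dat, .pst, KeePass databases, SQL dumps), and tightens the flagged ones to 0600. The extension and name lists are my assumptions, seeded from the kinds of files found in this post, and `demo()` builds a constructed sample tree in a temp directory so it runs stand-alone on a POSIX system.

```python
"""Audit a directory tree for files readable by other accounts or named like
secrets, and lock the flagged ones down to owner-only (0600).
Added example; assumes a POSIX filesystem where chmod bits are honoured."""
import os
import stat
import tempfile

# Assumed lists, based on the file types seen in the post above.
SENSITIVE_EXTENSIONS = (".dat", ".pst", ".kdb", ".kdbx", ".sql", ".wlt")
SENSITIVE_NAME_PARTS = ("wallet", "backup", "password")
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def classify(path):
    """Return the reasons this file deserves attention (empty list = fine)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):      # skip dirs, symlinks, devices
        return []
    mode = stat.S_IMODE(st.st_mode)
    reasons = []
    if mode & GROUP_OR_OTHER_READ:
        reasons.append("readable by group/other (mode %s)" % oct(mode))
    name = os.path.basename(path).lower()
    if name.endswith(SENSITIVE_EXTENSIONS) or any(p in name for p in SENSITIVE_NAME_PARTS):
        reasons.append("sensitive-looking name")
    return reasons


def audit_tree(root):
    """Walk root and return {relative_path: [reasons]} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def lock_down(root, findings):
    """chmod every flagged file to 0600 (owner read/write only); return count changed."""
    changed = 0
    for rel in findings:
        full = os.path.join(root, rel)
        if stat.S_IMODE(os.lstat(full).st_mode) != 0o600:
            os.chmod(full, 0o600)
            changed += 1
    return changed


def demo():
    """Build a constructed sample backup tree, audit it, lock it down, audit again.
    Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    samples = {                            # constructed sample files and modes
        "Backup/wallet.dat": 0o644,        # coin wallet, world-readable
        "Backup/mail.pst": 0o640,          # Outlook archive, group-readable
        "Backup/passwords.kdbx": 0o600,    # KeePass database, already owner-only
        "Photos/holiday.jpg": 0o644,       # harmless content, world-readable
    }
    for rel, mode in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample content")
        os.chmod(full, mode)
    before = audit_tree(root)
    lock_down(root, before)
    after = audit_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, findings in (("before", before), ("after", after)):
        print(label)
        for rel, reasons in sorted(findings.items()):
            print("  %-25s %s" % (rel, "; ".join(reasons)))
```

After the lock-down pass only the name-based findings remain: the KeePass database was already 0600 and is still flagged purely because of what it is, which is the reminder that a correct file mode protects against other local accounts and an anonymous ftp listing, not against the file being copied into a shared or synced folder in the first place.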



1 comment:

  1. Damn, thought people knew about this already. That's how I copied ThatDarkRPServer.
