Tweet
RIAA/MPAA/BayTSP EPIC FAIL
Fucktards.
Our good friends over at TechDirt discovered an interesting anomaly and enormous security hole in BayTSP's website today.
BayTSP, a Los Gatos, CA-based company, is best known for putting the cease-and-desist smackdown on peer-to-peer copyright violators. The site serves infringement information forms to offending parties on behalf of the copyright holders. Think of them as the online debt collectors of the BitTorrent universe, with all the information security risk that implies.
BayTSP's process involved sending suspected copyright violators a URL to a "Web Infringement Response System." These pages were online forms containing fields with infringement notice ID numbers, email addresses, IP addresses, DNS names, and URLs that would identify users by household or even by device.
If the information were secure, this might be fine. However, in some monumental lapse of judgement, the entire site was left open to search spiders and accordingly indexed by Google, allowing anyone with hackerish leanings ample opportunity to create all kinds of mischief.
A Google search for "'infringement information' site:baytsp.com" yields distressing results. Some of the pages have been removed, but you can still have a look at the cached versions:
Whoops!
Not only have the forms been online for Google and the waiting world to view; the forms could also be completed and submitted online by just about anyone.
More technically savvy tricksters could send infringement notices of their own. "And, on top of that," the TechDirt blogger writes, "some have discovered that BayTSP's site has some scripting vulnerabilities such that you could create a fake complaint and get people to, say, download malware or enter credit card data."
Although this recent debacle is simply one more PR disaster for the media industries themselves, my first thoughts were echoed by TechDirt commenter Mechwarrior: "Once this hits 4chan, it's over."
Our good friends over at TechDirt discovered an interesting anomaly and enormous security hole in BayTSP's website today.
BayTSP, a Los Gatos, CA-based company, is best known for putting the cease-and-desist smackdown on peer-to-peer copyright violators. The site serves infringement information forms to offending parties on behalf of the copyright holders. Think of them as the online debt collectors of the BitTorrent universe, with all the information security risk that implies.
BayTSP's process involved sending suspected copyright violators a URL to a "Web Infringement Response System." These pages were online forms containing fields with infringement notice ID numbers, email addresses, IP addresses, DNS names, and URLs that would identify users by household or even by device.
If the information were secure, this might be fine. However, in some monumental lapse of judgement, the entire site was left open to search spiders and accordingly indexed by Google, allowing anyone with hackerish leanings ample opportunity to create all kinds of mischief.
A Google search for "'infringement information' site:baytsp.com" yields distressing results. Some of the pages have been removed, but you can still have a look at the cached versions:
Whoops!
Not only have the forms been online for Google and the waiting world to view; the forms could also be completed and submitted online by just about anyone.
More technically savvy tricksters could send infringement notices of their own. "And, on top of that," the TechDirt blogger writes, "some have discovered that BayTSP's site has some scripting vulnerabilities such that you could create a fake complaint and get people to, say, download malware or enter credit card data."
Although this recent debacle is simply one more PR disaster for the media industries themselves, my first thoughts were echoed by TechDirt commenter Mechwarrior: "Once this hits 4chan, it's over."
Comment