That North Korean Facebook Clone Has Already Been Hacked

Remember yesterday's story about an off-the-shelf Facebook clone in North Korea? Within a few hours that site was hacked by an 18-year-old college student in Scotland. An anonymous reader writes: Using the default credentials, Andrew McKean posted "Uh, I didn't create this site just found the login" in the site's box for Sponsored links. "McKean was able to become an admin for the site just by clicking on the 'Admin' link at the bottom of the site and guessing the username and password," writes Motherboard, which adds that the password was "password". McKean says the breach "was easy enough," and granted him the ability to "delete and suspend users, change the site's name, censor certain words and manage the eventual ads, and see everyone's emails."
The teenager said he had "no plans" for the compromised site -- except possibly redirecting it to an anti-North Korean page.

That's the best you could think of?

[K. S. Kyosuke]

"Uh, I didn't create this site just found the login"

Why not "Kim Jong-Un is a pussy! Sincerely yours, Park Geun-hye" or something more creative like that?

Re:

[Anonymous Coward]

Nah, you should be able to do better than that: Public Announcement: Following up on the policy of acceptable haircuts for students that need to follow the impeccable style of our beloved leader, we've decided to extend the required complance: Please report ot the nearest hospital for cosmetic surgery if your penis measures more than 2 inches to follow our beloved leaders standard.

Re:

[Opportunist]

How uninspired. The true gold would be:

1. Make a few insanely absurd new rules for the North Korean people. This is actually the challenging part for a people that already had mandatory haircuts, I agree.
2. Point a few western news networks at the page.
3. Watch the ensuing hilarity when they start gobbling up your insanity as reality.

Hacked? Really?

[Frosty Piss]

The word "hacked" is overused. Making a fairly easy assumption that the default UID / PID has not been changed by some rube North Koreans who didbn't expect anyone to notice the demo site is hardly a "hack".

On the other hand, I'll bet that the REAL North Korean intel guys gathered a whole lot of data from the honeypot site.

Re:

[thegarbz]

The word "hacked" is overused.

That's only because the bar for people is set too low. Hack means to gain unauthorised access to a system. Whether that was via a SQL injection or because someone gave up the password in a phishing scam, or someone unauthorised simply guessed the password isn't part of the definition.

It was a cheap hack which required no skill what so ever, but a hack none the less.

Re:Hacked? Really?

[turbidostato]

"Hack means to gain unauthorised access to a system."

That's a crack.

A hack is any clever and usually unexpected use of technology to accomplish a task.

Re:

[thegarbz]

That was a crack. Language has moved on and left the old definitions in the past. That's the upside and the downside of English and while you like the distinction if you tell someone you cracked a system they will likely think you're inhaling a new kind of drug.

Re:

[turbidostato]

"That was a crack. Language has moved on and left the old definitions in the past."

Only it has not moved. When a comment in code reads " # dirty hack: I did this because... " nobody thinks the author left a backdoor in the program.

Re:

[thegarbz]

Only it has not moved.

I beg to differ, as do people who read newsspeak, read the internet, consume various forms of popular media, talk at the water cooler, and those who write dictionaries which document the present use of words. Note I said document. The dictionary does not define, it only documents the present popular usage and some nicer dictionaries give you a bit of history of the words too.

To claim the distinction is to not move with the times which while you're right unfortunately makes you an "outcast" to the common usa

Re:

[turbidostato]

I beg to differ, as do people who read newsspeak, read the internet"

It's funny then, that just yesterday, in the most sold newspaper in my country (so, for the masses), the CEO of one of the biggest telcos in the world presented his newly appointed Chief Data Officer as the "most famous hacker in the country". You can bet he was not talking about somebody that illegally breaks into others' systems.

Re:

[mcswell]

Polysemy.

Re:

[AmiMoJo]

Yep. It's either a honeypot trap that this guy just stumbled into, or it's some random student's university project and pretty far from the spectacular "hack" that TFA seems to think it is. How many people are actually using this site and are they posting anything interesting?

Re:

[turbidostato]

"The word "hacked" is overused."

Still, if this was not a North Korean site but, say, a US Gov one, wouldn't this boy be already assaulted by a SWAT team, moved to gitmo and presented as public enemy number one?

Why the double standard?

Re:

[JustAnotherOldGuy]

Agreed...this is not really worthy of the "hacked" label.

To call this "hacking" is akin to microwaving a burrito and calling it "cooking".

Hacked

[Anonymous Coward]

"which adds that the password was "password""

He must have used a sophisticated brute force attack.

Re:

[Frosty Piss]

No one cares about your Scientology obsession, because no one cares about Scientology. If you were stupid enough to get sucked into it in the first place, you're still stupid.

Re:

[Opportunist]

As unpredictable as the average child with a water gun full of ink. Yes, in theory he could ruin your dress, but in the end he's more afraid of the spanking he'd get for it than you are about your suit.

Re:

[Mr D from 63]

I'm not sure I'd put my real name on any sort of embarrassment to the North Koreans. They are rather unpredictable.

I predict North Korea will have at least one less (living) IT staff members.

Next man up

[Anonymous Coward]

The poor shlub who administers that site has probably already been executed.

The new generation

[fred911]

"The teenager said he had "no plans" for the compromised site"

  Ah these young'ins, back in the day it would be goatse.cx 'ed or at the very minimum a penis bird!

  Jeeze what's this world become.

Re:

[Gravis Zero]

"The teenager said he had "no plans" for the compromised site"

[...]

  Jeeze what's this world become.

hopefully, more civilized. previous generations are really trying hard to ruin what's left of the world.

Re:

[thegarbz]

hopefully, more civilized. previous generations are really trying hard to ruin what's left of the world.

Wow, found the captain of the fun police.

Re:

[Some nick or other]

I can think of something more useful. See if the site computer has a modem or phone connection or something, and then bridge over onto the Kwangmyong intranet [wikipedia.org]. Port scan and download everything! ... although at dialup speeds, it would take a while.

Re:The new generation

[techno-vampire]

I think that if I managed to hijack a site in North Korea, I'd simply redirect it to a tourism site in South Korea to let the North Koreans get a look at how the other half lives.

Re:

[Opportunist]

Linking to goatse? Why, it's North Korea, I'm pretty sure the page already showed a huge asshole on the front page.

totally called it

[Gravis Zero]

seriously, this was an easily predicted outcome. [slashdot.org] PHP and security are at odds with each other.

Re:

[Tablizer]

What's the safe language then?

In what language is "password" a secure password?

[raymorris]

He got in because the password was left as "password". In what programming language is "password" a secure password?

Having said that, ten years or fifteen ago PHP had serious security issues, given that it is designed to be used on web, where the application will be attacked daily. It was literally impossible to write a secure program in PHP; literally "hello world" had a security vulnerability. Much has changed. PHP was originally a CMS, written in Perl with a bit of C. It's now an actual programming la

Re:

[raymorris]

>> Ten or fifteen years ago PHP sucked
> I'm maintaining/refactoring a large legacy PHP

I feel your pain. I've done the same with a million-line PHP project called Moodle.

    Since you are refactoring, I hope you study modern PHP and apply it where it makes sense.

Re:

[jordanjay29]

Having used Moodle for a university class, I bow to your unholy patience and fortitude.

An older vesion, I'm guessing

[raymorris]

I'm guessing you used an older version. Moodle too has improved dramatically in the last four years. It has really grown up.

Re:

[hcs_$reboot]

Shouldn't the password have been in Korean?

The guy pumped and untared a tar.gz he found on the Net somewhere in a "docs" folder. Probably from the billions available from the US. That happens all the time in Western countries, but since it's NK, that makes the news.

They were lucky

[ruir]

sarcasm on: He could have changed the password, and then they would not know how to regain it back....

Crime

[Anonymous Coward]

I hope he is prosecuted to the full extent of the law both UK and NK, any propaganda induced biased against NK is not reason enough to commit a crime.

Re:

[Noah Haders]

it's not a crime to hack the DPRK.

Since when?

[burni2]

1.) since when it is not a crime to hack DPRK, just because its the DPRK, I think the UK computer fraud acts are pretty specific.

The big exception is, when you would be part of the military or part of a secret service - then you can commit crimes sometimes even against humanity and go unpunished.

2.) And there might be an exception when the hacking could go unpunished, exactly if it would be used to save lifes, for example or stop attrocities (by changing the execution list for example), or bring evidence fo

Re:

[Noah Haders]

Who from the DPRK is going to press charges? That would make the Dear Leader look like a Deer Breeder. Also, what kind of jury would convict on something like that? Also, I'd like to see the evidence.

Re:

[Joe_Dragon]

and if the DPRK fakes evidence or clams that the hacked killed someone then what?

Re:

[Noah Haders]

A gold medal.

NK U?

[Tablizer]

It was probably a student project, not a gov't sponsored site. I doubt the NK gov't gives a fuck.

Non-story

[Wuhao]

This sounds like a default, or near-default install of a basic web application, made available from a public-facing IP. The only remotely interesting thing here is that the IP is in NK, but the only real story seems to be "someone in North Korea with the ability to allocate a public IP played with dolphinPHP." I mean, it could be an official party directive. Or it could be that some bureaucratic entity in DPRK did what bureaucratic entities love to do: had an idea that went nowhere, which may not have ever

Oh? This is a story now?

[SeaFox]

Kinda amused to see this get put out as a story now. It didn't get much attention when I pointed it out yesterday. [slashdot.org] The little ninja character [imgur.com] was gone pretty fast, though.

I don't get it.

[hey!]

Why is this news? Were people expecting North Korean admins of off-the-shelf websites to somehow be better than ones in the rest of the world?

Deathtoll ?

[Thanatiel]

How many North Corean people will die because of this ?
Or is the crazyness not to that level yet ?