dark clouds
Wooyun is a vulnerability feedback platform that connects vendors and security researchers. While following up on reported security problems, it also provides a non-profit space for Internet security researchers to learn, communicate and do research. Its name plays on the "cloud" that is fashionable on the Internet today: in an era when you are embarrassed to greet anyone unless you are a "cloud", network security technologies and ideas feel a little black, so a dark cloud (Wooyun) naturally appears.
Website statement
We strictly verify registered users. No security information is disclosed to the public until it has been handled according to our process. Vendors must establish their identity sufficiently before they can obtain the related security information, through means including but not limited to online certification, background checks and offline communication. White hats must verify their registration by email so that the information submitted is reliable and of high value. Users who submit false vulnerability information will, once this is confirmed, have their rank reduced according to the circumstances, or have their account deleted outright.
Ownership of a vulnerability published on the Wooyun platform belongs to the submitter. The white hat must ensure that the approaches, methods, tools and means used in the vulnerability research are legal; Wooyun bears no legal responsibility for them. Wooyun and its team try to ensure that information is reliable, but cannot absolutely guarantee the credibility of every source. A proof of a vulnerability may be offensive in nature, but it exists solely to illustrate the problem; Wooyun bears no responsibility for it.
When using Wooyun's services, users must abide by the relevant laws and regulations of the People's Republic of China. Users agree not to use this platform for any illegal or improper activity, including but not limited to the following:
1. Uploading, displaying, posting, disseminating or otherwise transmitting information that contains any of the following:
1) Opposing the basic principles established by the constitution;
2) Endangering national security, divulging state secrets, subverting state power and undermining national unity;
3) Damaging the honor and interests of the state;
4) Inciting ethnic hatred, ethnic discrimination or undermining ethnic unity;
5) Sabotaging the state's religious policies and propagating heresy and feudal superstition;
6) Spreading rumors, disrupting social order or undermining social stability;
7) Spreading obscenity, pornography, gambling, violence, murder, terror or abetting a crime;
8) Insulting or slandering others and infringing upon their legitimate rights;
9) Contains false, harmful, threatening, privacy-infringing, harassing, infringing, slanderous, vulgar, obscene or other morally offensive content;
10) Containing other contents restricted or prohibited by Chinese laws, regulations, rules, regulations and any norms with legal effect;
2. It is forbidden to use Wooyun, or the information Wooyun provides, for any illegal purpose:
1) Using the Wooyun website for any action that may adversely affect the normal operation of the Internet or mobile networks;
2) Using the network services Wooyun provides to upload, display or disseminate any false, harassing, slanderous, abusive, intimidating, vulgar, obscene or otherwise illegal information;
3) Infringing the patent, copyright, trademark, reputation or any other legitimate rights and interests of any third party;
4) Using the Wooyun network service system to do anything against Wooyun itself;
3. Using Wooyun's services and the information on its website to engage in any of the following activities:
1) Entering a computer information network or using computer information network resources without permission;
2) Deleting, modifying or adding computer information network functions without permission;
3) Deleting, modifying or adding the data and application programs stored, processed or transmitted in the computer information network without permission;
4) Deliberately making or spreading destructive programs such as computer viruses;
5) Other behaviors endangering the security of computer information network.
Mission and soul
Respect
As an Internet vulnerability reporting platform, Wooyun's most important mission is respect. We have observed an inherent inequality and lack of respect between security researchers and vendors. For the person who discovers a vulnerability, the lack of vendor contact information makes it hard to pass the finding on even once it is found, and vendors cannot possibly keep track of vulnerability information scattered across the Internet; some vulnerabilities are therefore forgotten and never fixed, and losses follow. On the other side, some vendors disrespect or even look down on researchers' reports. When a problem surfaces, instead of fixing it quickly to keep Internet users safe, they try to cover up the vulnerability or deny that it exists. Faced with such disrespect, a researcher may disclose the vulnerability directly to the public, which in turn harms the vendor. Destruction and construction are two sides of any technology. We are trying to bring back everyone's respect for technology: Wooyun will track each vulnerability report, and all technical details will be made public. On this platform, researchers and vendors are equals, and Wooyun works for that equality.
Progress
We pay attention to the technology itself, and believe that real freedom comes only from understanding the principles thoroughly, and real technical progress only from breaking through more limits. We try to work with the vendors and researchers who join Wooyun to study the ultimate root of each problem, evaluate it correctly, provide remediation, and in the end progress together.
Significance
We firmly believe that everything that exists is meaningful, and that Wooyun can bring value to researchers and vendors; that value is what Wooyun means. Through Wooyun, researchers can publish their technical achievements and show their strength, and vendors can discover the problems they have and the problems they might have. We even encourage vendors to pay attention to vulnerability researchers, and to encourage or directly recruit such talent.
Security team
Many security teams publish information on Wooyun. (updated June 24, 2014)
Legal adviser
Zhao occupation
Areas of concern
We care about vulnerabilities that may have a larger impact on the Internet, so we especially welcome influential Internet companies to register, and we are correspondingly strict in selecting vulnerabilities. In general, for vulnerabilities of low severity and little impact, we may ask the vendor's opinion on whether to accept them into the Wooyun database; this keeps the Wooyun database high in quality and credibility.
In addition, other information useful to vendors can be submitted to the platform as a vulnerability, such as confirmed intrusion incidents and phishing fraud affecting the business; this helps enterprises resolve related problems quickly.
We believe the best way to prove a vulnerability is to demonstrate it fully, and we encourage using screenshots or videos as proof. This too is a form of technical progress.
Exposure events
The Ctrip incident exposed by Wooyun broke out on March 22, when a user with the handle "pig man" posted two reports on the well-known vulnerability disclosure platform "Wooyun": "Source code package of a Ctrip sub-site can be downloaded directly (involving database configuration and payment interface information)" and "Ctrip secure-payment logs can be downloaded, leaking a large number of users' bank card details (including cardholder name, ID card number, bank card number, card CVV code and 6-digit card BIN)".
The latter vulnerability in particular is classified as "sensitive information leakage", with a hazard level of "high", and is marked "confirmed by the vendor".
What happened is this: the secure-payment server interface that Ctrip uses to handle user payments had a debugging function enabled that saved user payment records as plain text. At the same time, the server holding the payment logs lacked a strict security baseline configuration and had a directory traversal vulnerability, so all debugging information from the payment process could be read by any attacker.
In its general sense, "traversal" means visiting every node of a tree exactly once along some search route; a directory traversal vulnerability, by contrast, lets a requester reach files outside the directory the server intends to expose. The vulnerability, classified as "sensitive information leakage", is alleged to have leaked information of a large number of Ctrip users, including cardholder name, ID card number, bank card number, card CVV code and 6-digit card BIN.
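Two defensive controls address the failure mode described above: keeping requests for log files inside the directory the server intends to expose, and stripping cardholder data from debug output before it ever reaches disk. The following is an added example and not code from Wooyun, Ctrip or any vendor; the log directory, field names and log lines are all constructed for the example.

```python
"""Added example: (1) a path resolver that refuses requests escaping the log
directory, and (2) a redaction filter for payment debug logs. All paths, field
names and sample lines are constructed; none come from the incident itself."""
import os
import re
from typing import List, Optional

# Assumed directory a log viewer is meant to expose (placeholder path).
LOG_ROOT = "/srv/payment-logs"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays inside `root`.

    os.path.abspath collapses '.' and '..' components; os.path.commonpath then
    rejects escapes, absolute paths, and sibling-prefix tricks such as
    '/srv/payment-logs2', which a plain startswith() check would let through.
    """
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, requested))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


# Constructed field names whose values must never be written to a log.
_FIELD_RULES = {
    "card": lambda v: "*" * max(len(v) - 4, 0) + v[-4:],    # keep last four digits
    "cvv": lambda v: "***",                                  # never keep any of it
    "expiry": lambda v: "****",
    "id_card": lambda v: "*" * max(len(v) - 4, 0) + v[-4:],
    "name": lambda v: v[:1] + "*" * (len(v) - 1),
}
_FIELD_RE = re.compile(r"\b(card|cvv|expiry|id_card|name)=([^\s,;]+)")
# Fallback for unlabelled values: any 13-19 digit run is treated as a card
# number and reduced to its last four digits.
_PAN_RE = re.compile(r"(?<!\d)(\d{9,15})(\d{4})(?!\d)")


def redact(line: str) -> str:
    """Mask cardholder data in one log line; safe to apply to every line."""
    line = _FIELD_RE.sub(
        lambda m: f"{m.group(1)}={_FIELD_RULES[m.group(1)](m.group(2))}", line
    )
    return _PAN_RE.sub(lambda m: "*" * len(m.group(1)) + m.group(2), line)


def redact_all(lines: List[str]) -> List[str]:
    """Apply redact() to a batch of lines, e.g. before a log handler writes them."""
    return [redact(line) for line in lines]


# Constructed debug lines of the kind a payment interface might emit.
SAMPLE_LOG = [
    "2014-03-22 10:01:02 DEBUG pay: name=Zhang card=4111111111111111 "
    "cvv=123 expiry=0816 id_card=11010119900101123X",
    "2014-03-22 10:01:03 DEBUG pay: order=201403220017 amount=1280.00 status=ok",
]

if __name__ == "__main__":
    for req in ("2014-03-22/pay.log", "../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:28} -> {resolve_under_root(LOG_ROOT, req)}")
    for line in redact_all(SAMPLE_LOG):
        print(line)
```

The redaction filter is meant to sit in the logging path itself, so that a debug switch left on in production cannot write raw card data in the first place; the path check is the complementary control that keeps whatever does get written from being served outside its directory. The digit-run fallback deliberately errs toward over-masking, so long numeric order or transaction identifiers may also be shortened.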
The remedy is as described at the start of this article. That same night, Ctrip responded quickly on its official microblog that the relevant departments had immediately begun a technical investigation and had patched the vulnerability within two hours of the news being released.
What worries people, however, is that Article 28 of the Measures for the Administration of Bank Card Acquiring Business, issued by the People's Bank of China, states that an acquiring institution shall not store in any way sensitive bank card information such as magnetic track or chip data, card verification code, card expiry date or personal identification number, and must take effective measures to prevent merchants and outsourced service providers from storing such sensitive information.
The UnionPay Card Acquiring Institution Account Information Security Management Standard, issued by UnionPay in 2008, likewise states that a bank card acceptance terminal may keep only the basic data elements needed for clearing of the current transaction batch and must clear them promptly once the batch ends; no acceptance terminal of any kind may store sensitive account information such as bank card track data, card verification code, personal identification number or card expiry date.
"From the current disclosure, there may be some flaws in Ctrip," said a UnionPay risk management specialist.
Chinese PinYin : Wu Yun