I think it was first half of 2003, when I received my electricity bill from Sydkraft (now E.on). Sydkraft just started to digitalize their invoices, so on the paper invoice, there was a weblink printed where I could access my invoice online. The link was formatted something like this:
http://www.sydkraft/something/something.asp?oid=1900000111&ft=pcl&showdoc
Where the number “1900000111” was my invoice number for that month.
At that time I was a white hat hacker constantly looking for security holes. When I first saw Sydkrafts link I got suspicious, that link was to open and too obvious. So I searched their code to find any security holes, it took me about 10 minutes to find out how they displayed the information from an invoice, it was clearly a suspicious flaw, so I wrote this code on Lasso.
[loop: loopfrom=1900000000, loopto=1900010000, loopincreament=’1′]
[var_set: ’loopvar’=(loopcount)]
[Variable_Set:’urlvar’=(string_concatenate: ’http://IPADRESS/somepage.asp?oid=’,(var:’loopvar’), encodenone),’&ft=pcl&showdoc’]
[var: ’loopvar’]
[include_url: (var: ’urlvar’, encodenone)]
[/loop]
So simple, but so dangerous. That’s why I love coding
This simple code creates a loop for invoice numbers from 1900000000 to 1900010000 and saves the invoice number in a variable. A new variable is created with the whole link. Each unique link created grabbs Sydkrafts invoice page. All wrapped up in a nice 10 000 times loop, that displays all the information on my own webpage and server. After some further tests, I found out that ALL the invoices could be displayed, both new and old ones. Meaning I could access customer information (both individuals and companies) and how much electricity they consumed.
That was when I realised that I had found a big security vulnerability affecting thousands of their customers.
What followed was my usual steps to try to fix the vulnerability. I mailed the managers for the page, the link to my page and explained the vulnerability, attaching my contact information in case they wanted to contact me. It took not even 5 minutes and my phone rang, it was Sydkraft. After they was sure I did not find the security flaw for my own purpose and gaining, they promised to fix it withing 24 hours, I explained how I would have fix it and they thanked me.
The next day I tried to access the information again and it didn’t work, one more company saved by the bell…
Interested in reading one more hacking story? Read when I hacked an Apple webpage.
