pigu.lt security check
After the Russians attacked Lithuanian governmental institution websites, pigu.lt, a Lithuanian e-shop (something like amazon.com), announced a security contest.
For a period of one week (from July 9th to July 15th) anyone could try to hack pigu.lt and would not be sued for it (as long as they caused no real damage).
Anyone who could successfully exploit their website would get a 1024 piguLitas (about $500) discount in their e-shop from the pigu.lt team.
Sadly enough, I only got to know about this on the night of July 15th ;(
Because the contest period was already over, I only looked at their web page 'softly'. After an hour or so of browsing I'd found a few non-critical bugs. When I contacted their team in the morning, the bugs were already fixed! They had checked the logs, seen my actions and fixed them. Great job, guys!
Anyway, the biggest hole found was in a 3rd party support app. Staff had left the installation files in their default location, and the attacker used them to re-install the app (pointing it at his own database). That way their support page was compromised, but client information wasn't leaked.
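The class of mistake described above (an installer or setup wizard left reachable in a deployed web root) is easy to catch with a post-deployment check. The script below is an added example, not code from the original post or from pigu.lt; the list of installer file and directory names is a constructed, illustrative set of names commonly used by web-app installers (an assumption, not the specific files involved in the contest), and the sample web root it scans is built inline in a temp directory.

```python
"""Scan a deployed web root for leftover installer / setup artifacts.

Added example (not part of the original post). INSTALLER_MARKERS is a
constructed list of names typical for web-app installers; it is an
assumption, not the specific files that were left behind on pigu.lt.
"""
import os
import tempfile

# File names and directory names (directories end with "/") that, when still
# reachable in a live web root, usually mean a setup wizard was never removed.
INSTALLER_MARKERS = (
    "install.php", "install/", "installer/", "setup.php", "setup/",
    "upgrade.php", "update.php", "config.php.dist", "config-sample.php",
)


def find_installer_artifacts(webroot):
    """Return sorted web-root-relative paths that match INSTALLER_MARKERS."""
    hits = set()
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        rel = "" if rel == "." else rel.replace(os.sep, "/") + "/"
        for d in dirnames:
            if d.lower() + "/" in INSTALLER_MARKERS:
                hits.add(rel + d + "/")
        for f in filenames:
            if f.lower() in INSTALLER_MARKERS:
                hits.add(rel + f)
    return sorted(hits)


def build_sample_webroot(leftover=True):
    """Create a constructed deployment tree in a temp dir.

    With leftover=True the tree mimics a support app whose install/ directory
    and sample config were forgotten after deployment.
    """
    root = tempfile.mkdtemp(prefix="webroot_")
    files = ["index.php", "support/index.php"]
    if leftover:
        files += ["support/install/index.php", "support/install/db_setup.php",
                  "support/config-sample.php"]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder ?>\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for hit in find_installer_artifacts(root):
        print("installer artifact still deployed:", hit)
```

Run against the real document root after every deployment (or as a CI step on the release artifact); any hit should be deleted, or at the very least denied at the web server, before the application is exposed.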
The winner of the contest was DI security, some local Lithuanian team (never heard of them). You can read more about the contest results here (lt).
Oh, and by the way, the pigu.lt team gave me a 100 piguLitas discount for the non-critical bugs I found. Thanks, guys!