WEBVTT

00:00:00.000 --> 00:00:04.080
JACK: There’s a TV show called Mr. Robot. Elliot Alderson, he’s the main character.

00:00:04.080 --> 00:00:08.640
He’s a hacker. He says stuff that always gets me thinking about life, like this,

00:00:08.640 --> 00:00:14.400
“Every day we change the world but to change the world in a way that means anything, it takes more

00:00:14.400 --> 00:00:20.580
time than most people have.” JACK (INTRO): [INTRO MUSIC]

00:00:20.580 --> 00:00:27.000
These are true stories from the dark side of the internet.

00:00:27.000 --> 00:00:37.860
I’m Jack Rhysider. This is Darknet Diaries.

00:00:37.860 --> 00:00:47.760
[INTRO MUSIC ENDS] JACK: Okay, so I like hanging

00:00:47.760 --> 00:00:52.500
out on Twitter. It seems to be the hot spot for all the people in security. One guy keeps coming

00:00:52.500 --> 00:00:58.560
across on my Twitter feed; his name is Elliot Alderson. Hm, that’s the same name as the main

00:00:58.560 --> 00:01:04.440
hacker guy on the TV show Mr. Robot, a fictional character. He has the same Mr. Robot image in

00:01:04.440 --> 00:01:11.700
his avatar, too. His username is @fs0c131y. Is this some sort of gimmick account? No;

00:01:11.700 --> 00:01:19.440
he’s posting real and useful information about reverse-engineering. Whoa, Elliot Alderson on

00:01:19.440 --> 00:01:27.162
Twitter has 120,000 followers? Jeez, who is this guy? I had to find out so I called him up.

00:01:27.162 --> 00:01:34.440
ELLIOT: [SPEAKING FRENCH] JACK: Well, he’s French and he said his

00:01:34.440 --> 00:01:36.900
name is Robert Baptiste. ELLIOT: You can call me

00:01:36.900 --> 00:01:40.020
Baptiste, Robert, Elliot. JACK: Or we can call him Elliot.

00:01:40.020 --> 00:01:46.260
He’s got a double identity and this double identity is really fascinating so I think

00:01:46.260 --> 00:01:50.520
it’s time we get to know Robert Baptiste, or Elliot Alderson on Twitter.

00:01:50.520 --> 00:02:01.500
ELLIOT: [MUSIC] I tried to be good at Android and especially reverse web application and finding

00:02:01.500 --> 00:02:06.180
vulnerabilities on web application. JACK: Hm. Robert is from Paris and sometimes

00:02:06.180 --> 00:02:10.920
a little hard to understand so I might have to step in and sort of translate for him. Basically,

00:02:10.920 --> 00:02:15.600
Robert’s expertise is in Android applications and he loves reverse-engineering them.

00:02:15.600 --> 00:02:20.220
ELLIOT: When I see something cool, a new application, I’m trying to find some

00:02:20.220 --> 00:02:26.700
vulnerability or some issue with the app. JACK: Robert likes to pick on Androids since

00:02:26.700 --> 00:02:30.630
that’s what he’s most familiar with. ELLIOT: I started my career as a…

00:02:30.630 --> 00:02:34.140
JACK: He started his career as an Android developer and spent years creating Android

00:02:34.140 --> 00:02:38.700
applications. Then he dug deeper and started working on the Android open-source project.

00:02:38.700 --> 00:02:41.820
ELLIOT: AOSP. JACK: This allowed him to create custom variants

00:02:41.820 --> 00:02:47.220
of Android itself. But as his career went on, he eventually switched to security, specifically

00:02:47.220 --> 00:02:51.540
looking for vulnerabilities in apps. ELLIOT: In order to find vulnerabilities

00:02:51.540 --> 00:02:54.300
everywhere. JACK: Then he actually

00:02:54.300 --> 00:02:58.920
started his own company and he has clients who make apps and then he tries to reverse-engineer

00:02:58.920 --> 00:03:03.420
them to make them do things that they shouldn’t be doing. All this is fine and good for Robert;

00:03:03.420 --> 00:03:09.420
not a big deal at all. But sometimes he gets bored and becomes Elliot Alderson

00:03:09.420 --> 00:03:14.520
and decides he wants to hack into something. He starts grabbing anything that looks

00:03:14.520 --> 00:03:21.480
interesting from the Google Play Store and just starts testing the apps himself.

00:03:21.480 --> 00:03:25.080
Now, one of the Twitter accounts that Robert likes to follow is the Fox News

00:03:25.080 --> 00:03:29.580
account. Don’t ask me why. One day they tweeted something that caught his attention.

00:03:29.580 --> 00:03:36.030
ELLIOT: I saw a tweet from Fox. It was right after the release of Donald Daters.

00:03:36.030 --> 00:03:41.880
JACK: The tweet was talking about a new Android application called Donald Daters. Basically,

00:03:41.880 --> 00:03:47.760
it’s a dating app specifically for people who like Donald Trump. [MUSIC] So,

00:03:47.760 --> 00:03:52.380
Robert turned into Elliot and downloaded this app to see if he could have some fun with it.

00:03:52.380 --> 00:03:57.960
Android apps are bundled in what’s called an APK file. It’s sort of like a ZIP file. In this,

00:03:57.960 --> 00:04:02.460
it contains the executables, the graphics, the sound, the whole app. It’s all packaged in this

00:04:02.460 --> 00:04:07.860
file. Elliot moved the APK from his phone to the computer, then he extracted the files from the

00:04:07.860 --> 00:04:14.820
APK and decompiled the app. This showed him a file called AndroidManifest.xml. In there he

00:04:14.820 --> 00:04:19.140
saw what database they were using. ELLIOT: Yeah, I just looked at Android

00:04:19.140 --> 00:04:27.540
app on the – in order to create a database, they used Firebase database,

00:04:27.540 --> 00:04:34.020
which is a service offered by Google. JACK: Firebase is an online database. For

00:04:34.020 --> 00:04:38.820
this app, all user data was stored in this online database. Okay; good to know. Next,

00:04:38.820 --> 00:04:45.360
Elliot looks at values/strings.xml. This file might contain some extra information about

00:04:45.360 --> 00:04:52.140
this app. Sure enough, it contained both the Firebase URL and the keys used to access it.

00:04:52.140 --> 00:04:57.300
Now, Elliot knows Firebase really well. He’s created a few apps using this and is familiar

00:04:57.300 --> 00:05:01.620
with it. He knows that Firebase doesn’t really require a key or a password to read

00:05:01.620 --> 00:05:06.420
or write to the database. Instead, Firebase is configured with a set of permit-and-allow rules

00:05:06.420 --> 00:05:12.540
on the Google side. Only people matching these conditions can read or write into the database.

00:05:12.540 --> 00:05:17.880
Right away, Elliot took this Firebase URL that he found in the app and tried to see if he could see

00:05:17.880 --> 00:05:22.860
what’s in the Donald Daters database. ELLIOT: It took me like, five minutes to get

00:05:22.860 --> 00:05:30.660
the old database because they keep the debug settings. They kept the debug settings on so

00:05:30.660 --> 00:05:36.060
it was pretty easy to get everything. JACK: Whoa, what? Within five minutes,

00:05:36.060 --> 00:05:39.480
Elliot has gained access to the entire Donald Daters database.

00:05:39.480 --> 00:05:44.880
ELLIOT: I had access to everything; all the messages, all the people’s details.

00:05:44.880 --> 00:05:49.080
JACK: All usernames, all private messages between people, and all the user details.

00:05:49.080 --> 00:05:54.780
This is crazy. The database had no security on it at all to keep anyone from just reading

00:05:54.780 --> 00:06:00.060
through the entire database. Elliot was seeing everything. Now, to you and me,

00:06:00.060 --> 00:06:04.980
this might have been a big moment for us; we got in, whoa! This was a rush. But for Elliot…

00:06:04.980 --> 00:06:15.240
ELLIOT: This one, it’s fine. I mean, I have better moments than this one.

00:06:15.240 --> 00:06:20.340
JACK: I think that might be because this app was so new. It was only one day old at the time when

00:06:20.340 --> 00:06:24.600
he broke into it so it didn’t really have that many users yet. It just wasn’t that big of a deal,

00:06:24.600 --> 00:06:30.540
you know? Maybe this is typical because he’s seen a lot, too. Since it wasn’t that hard,

00:06:30.540 --> 00:06:35.460
the feeling wasn’t that great but Elliot was curious anyway and looked through the

00:06:35.460 --> 00:06:45.120
database to see what’s in there. [MUSIC] There were 1,607 users at the time and out of them,

00:06:45.120 --> 00:06:50.880
there were only 128 matches that had taken place so far. Okay. He looked at the messages

00:06:50.880 --> 00:06:55.560
between the matches that were sent between each other. The longest message exchanged he

00:06:55.560 --> 00:07:02.280
found was sixty-two messages sent back and forth between two people within the Donald Daters app.

00:07:02.280 --> 00:07:08.280
But as he looked closer, he learned it was a conversation between two developers of the app.

00:07:08.280 --> 00:07:11.040
Elliot started downloading some of the content from this database.

00:07:11.040 --> 00:07:16.020
He grabbed all of the profile pictures that users had for their dating accounts and started posting

00:07:16.020 --> 00:07:24.300
them to Twitter. His tweet said, “Hi Fox News and Donald Trump supporters. You should not use this

00:07:24.300 --> 00:07:29.760
app. Within five minutes I managed to get a list of all the people registered, all their names,

00:07:29.760 --> 00:07:36.600
all their photos, personal messages, and a token to steal their sessions.” He then went on to

00:07:36.600 --> 00:07:43.980
post a bunch of slightly blurred photos of the users of the site, proving he had access to it.

00:07:43.980 --> 00:07:49.500
Now, Elliot is known for stuff like this. This is why he has such a huge Twitter following

00:07:49.500 --> 00:07:54.420
and of course, tech journalists watch what he’s tweeting too, and they saw this. [MUSIC] Within

00:07:54.420 --> 00:08:00.180
two hours of his tweet, VICE’s Motherboard wrote a story about this and how the Donald Daters app

00:08:00.180 --> 00:08:05.820
is exposing its users’ data. Shortly after that, TechCrunch wrote an article saying the database

00:08:05.820 --> 00:08:10.560
has been leaked. For any respectable company, this would have been a huge problem.

00:08:10.560 --> 00:08:17.580
This is what we call the ‘b’ word, a breach. A hacker broke in and took the database but

00:08:17.580 --> 00:08:23.340
what’s more is that anyone can get in and see the database with just a single URL. Seriously,

00:08:23.340 --> 00:08:28.080
this entire hack is just visiting a single URL. Here’s the actual URL:

00:08:28.080 --> 00:08:39.060
donalddaters2018.firebaseio.com/.json. If you went to that URL you would see the entire database.

00:08:39.060 --> 00:08:44.520
There was zip for permission and security there. No key was needed, you didn’t have

00:08:44.520 --> 00:08:50.520
to bypass anything, there was no authentication that was defeated; just the URL extracted from the

00:08:50.520 --> 00:08:58.200
strings file in the APK. You know, the developer didn’t ask you to find vulnerabilities in this

00:08:58.200 --> 00:09:02.820
but you went and you found a vulnerability. Did you feel like that was crossing a line?

00:09:02.820 --> 00:09:11.700
ELLIOT: No. In my opinion, no because I’m not looking for this vulnerability with malicious

00:09:11.700 --> 00:09:20.940
intent. My goal is never to use these kinds of vulnerabilities as a malicious actor.

00:09:20.940 --> 00:09:29.700
What I’m doing, I’m trying to help them and I’m trying to help their users. Engineer,

00:09:29.700 --> 00:09:36.360
the contact, he’s quite good with the companies and because they understand

00:09:36.360 --> 00:09:44.160
they have an issue and they want to fix this issue, so everybody’s happy to discuss and it’s

00:09:44.160 --> 00:09:53.220
fine. You don’t cross a line when you find a vulnerability like this because you try

00:09:53.220 --> 00:09:58.920
to help the company but if you use this vulnerability to earn money,

00:09:58.920 --> 00:10:08.280
if you use this vulnerability to, I don’t know, because you want fame or something like this,

00:10:08.280 --> 00:10:15.480
this is bad and you are crossing the line. JACK: Now, I’m confused because you – when I saw

00:10:15.480 --> 00:10:22.620
this news it looked to me like you were trying to make fun – trying to

00:10:22.620 --> 00:10:28.560
embarrass this company, right? Now you just told me that you’re here to help this company and to

00:10:28.560 --> 00:10:35.580
help these users. Did you like this company or did you not like this company?

00:10:35.580 --> 00:10:44.340
ELLIOT: I don’t have an opinion on the company’s – on where I’m looking for vulnerabilities. I

00:10:44.340 --> 00:10:53.880
don’t like Donald Daters but I’m not… JACK: You see what I mean, right? You’re not

00:10:53.880 --> 00:11:00.660
quite helping the users. You’re really making fun of them.

00:11:00.660 --> 00:11:09.300
ELLIOT: Well, you can do both. People need to understand that you can help a company,

00:11:09.300 --> 00:11:16.800
you can protect the users’ data but at the same time, you can sort of – public shaming

00:11:16.800 --> 00:11:25.200
the company. You can do both. For me, it’s not a problem. You can publicly say okay,

00:11:25.200 --> 00:11:34.200
this company has a big issue. This is a scandal because they kept the debug setting on Firebase.

00:11:34.200 --> 00:11:40.260
This is stupid. But at the same time, you did your job; you protected the data

00:11:40.260 --> 00:11:45.120
of the user. Yeah, that’s fine. JACK: This is quite fascinating to me.

00:11:45.120 --> 00:11:49.980
Let me pose some rhetorical questions for you, the listener. He claims that it’s okay for him

00:11:49.980 --> 00:11:55.560
to do this because he doesn’t have malicious intent. Is the intention enough to consider

00:11:55.560 --> 00:12:02.100
this to be okay? Do you think he’s embarrassing them or helping them? Maybe a little bit of both?

00:12:02.100 --> 00:12:06.420
After all this exploded in the media, the owner of the application decided

00:12:06.420 --> 00:12:10.320
to have a chat with Elliot. ELLIOT: I discussed with some members of

00:12:10.320 --> 00:12:18.300
the company and they thanked me in private. They thanked me in public with an official handle on

00:12:18.300 --> 00:12:27.360
Twitter. They were quite happy because they said oh, yes, we made a big mistake. We are happy that

00:12:27.360 --> 00:12:34.140
it’s happening right now and not when our database will be bigger.

00:12:34.140 --> 00:12:39.360
JACK: That was that. Everything got cleaned up and that story is over. After the break,

00:12:39.360 --> 00:12:48.300
we’ll hear some other adventures that Elliot got himself involved in. Stay with us. For

00:12:48.300 --> 00:12:51.960
this next part we need to understand what Aadhaar is and to do that,

00:12:51.960 --> 00:12:57.240
I’m going to call up a listener of mine in India. [BEEP] Hello, can you hear me?

00:12:57.240 --> 00:13:00.180
TERABYTE: Am I audible to you? JACK: Yeah, I can hear you.

00:13:00.180 --> 00:13:08.820
TERABYTE: What’s up? How’s it going? JACK: I’m doing a story about somebody

00:13:08.820 --> 00:13:13.419
finding security weaknesses in Aadhaar so I want to understand more about Aadhaar.

00:13:13.419 --> 00:13:16.620
TERABYTE: Yeah, you talking about that guy Elliot Alderson on Twitter?

00:13:16.620 --> 00:13:18.420
JACK: Yes. TERABYTE: Of course.

00:13:18.420 --> 00:13:22.500
Why not? He’s famous in India. JACK: Jeez, of course. Elliot is famous worldwide;

00:13:22.500 --> 00:13:28.500
France, the US, now India. Okay, so Aadhaar. This is a card that everyone in India carries

00:13:28.500 --> 00:13:33.060
with them in their wallet or purse. It’s sort of like a social security card in the US.

00:13:33.060 --> 00:13:36.780
TERABYTE: Kind of same thing as Aadhaar. Aadhaar is basically

00:13:36.780 --> 00:13:42.240
an identity which now our government is linking to each and every document that we have,

00:13:42.240 --> 00:13:47.820
each and every – if you’re going to get a SIM card, you need to have your Aadhaar linked to

00:13:47.820 --> 00:13:50.760
it. If you’re opening a bank account… JACK: Wait, so if I want to get – oh my gosh,

00:13:50.760 --> 00:13:57.240
so you’re saying if I want to get a cell phone or a bank account, I have to show them my Aadhaar

00:13:57.240 --> 00:14:02.340
card which then links that to me. TERABYTE: Yeah, exactly. Whatever thing

00:14:02.340 --> 00:14:05.880
you’re using nowadays, like if you talk about the cell phone service, internet service,

00:14:05.880 --> 00:14:11.640
you have a credit card, you have your bank account, or maybe you have a gas connection;

00:14:11.640 --> 00:14:15.780
even that counts in it. I mean, with the things you’re getting from the government

00:14:15.780 --> 00:14:22.980
or maybe semi-government bodies, you need to get your Aadhaar linked to it. That’s what they’re

00:14:22.980 --> 00:14:30.480
doing. Since it is linked to really sensitive information, that’s why they’re able.

00:14:30.480 --> 00:14:37.140
JACK: Alright, I think we know enough about Aadhaar now. Let’s go back to Elliot. You’re

00:14:37.140 --> 00:14:43.260
in France, Aadhaar is in India; why do you care about this issue?

00:14:43.260 --> 00:14:52.800
ELLIOT: At first, I didn’t know about Aadhaar two years ago and one of my followers – multiple

00:14:52.800 --> 00:14:58.620
followers came to me and said oh, you should look at the Aadhaar web application. You

00:14:58.620 --> 00:15:07.200
will find some issues, and I did. I found five or six different issues in their application.

00:15:07.200 --> 00:15:16.020
I started to learn more about the whole program. I was like, this is not possible.

00:15:16.020 --> 00:15:23.580
This is horrible in terms of security. The biometric data of people are in danger.

00:15:23.580 --> 00:15:35.940
They don’t care. Also, it’s not because I’m living in France that I should not care about this

00:15:35.940 --> 00:15:43.680
because we will have something like this pretty soon in France. I was discussing with someone in

00:15:43.680 --> 00:15:52.320
the French government and they want to implement something pretty similar in France. It either will

00:15:52.320 --> 00:16:01.980
give some idea to European countries so this is why we need to stay vigilant and we need to advise

00:16:01.980 --> 00:16:10.320
government to tell them okay, if you want to have a number, be careful because as you can see

00:16:10.320 --> 00:16:17.700
in India, they have a lot of issues and they made these mistakes. Don’t do the same mistakes.

00:16:17.700 --> 00:16:21.000
JACK: As Elliot learned more about Aadhaar, the more he didn’t like

00:16:21.000 --> 00:16:24.960
it. He started reading up on it more and more and learned everything he could about

00:16:24.960 --> 00:16:32.520
it. One news article stood out for him. ELLIOT: That someone with a fake card only with

00:16:32.520 --> 00:16:39.540
the correct photo and the other number managed to open some new phone line, managed to use

00:16:39.540 --> 00:16:44.400
some service, phone the other person. JACK: Someone created a fake photo and used

00:16:44.400 --> 00:16:49.620
another person’s Aadhaar number and opened a credit card for that other person. This

00:16:49.620 --> 00:16:53.520
story made it clear to Elliot that Aadhaar numbers should never be posted publicly

00:16:53.520 --> 00:16:58.560
because someone can assume your identity and do things in your name. But more so,

00:16:58.560 --> 00:17:02.640
your phone is tied to this number and your bank account, and other things. Maybe your house,

00:17:02.640 --> 00:17:08.640
too. If the underlying system to Aadhaar is weak and exposes too much information about someone,

00:17:08.640 --> 00:17:16.500
this can have horrible consequences. ELLIOT: They have to be very careful about

00:17:16.500 --> 00:17:24.360
this. This is like a you have these sort of things in the US, a social security number. You don’t

00:17:24.360 --> 00:17:34.080
publish your social security number online. In France you cannot find your identity card,

00:17:34.080 --> 00:17:40.440
it’s super complicated in France to find another identity card. In India you can

00:17:40.440 --> 00:17:48.000
find thousands of Aadhaar cards. They have to consider this Aadhaar number,

00:17:48.000 --> 00:17:57.060
this Aadhaar card like an identity card, like a social security number. This is personal data and

00:17:57.060 --> 00:18:01.980
they shouldn’t share it publicly. JACK: As Elliot is researching this,

00:18:01.980 --> 00:18:06.780
he decides to challenge himself. He decided to see how many Aadhaar numbers he could

00:18:06.780 --> 00:18:11.640
find publicly in three hours. These would be numbers that maybe someone tweeted about

00:18:11.640 --> 00:18:17.100
or posted or put on a website. He wasn’t sure how he’d find them or where he’d

00:18:17.100 --> 00:18:22.620
find them but he wanted to know how many of these were exposed to anyone on the internet.

00:18:22.620 --> 00:18:34.920
ELLIOT: [MUSIC] It was pretty easy to find Aadhaar cards online because

00:18:34.920 --> 00:18:43.680
everybody was asking to Indian; are they Aadhaar cards? Nobody secures the data.

00:18:43.680 --> 00:18:55.440
What I did is, with some pretty good search query, I found a lot of Aadhaar cards. After that, I

00:18:55.440 --> 00:19:03.480
created an automatic scraper in order to retrieve all the data automatically. Like this, I managed

00:19:03.480 --> 00:19:08.640
to find thousands and thousands of cards. JACK:

00:19:08.640 --> 00:19:13.680
Keep in mind, not a single one of these Aadhaar card numbers should be publicly exposed,

00:19:13.680 --> 00:19:18.660
yet he was finding a bunch. He was live-tweeting this entire challenge. His first search,

00:19:18.660 --> 00:19:24.840
he found twenty-five cards. Then he refined his search and was able to find a huge list of

00:19:24.840 --> 00:19:29.280
18,000 Aadhaar numbers. Then he tweeted that he found a few more here and a few more there,

00:19:29.280 --> 00:19:34.440
then another dump of five hundred more cards, then he found seven hundred more. Within three hours,

00:19:34.440 --> 00:19:41.040
Elliot found 20,000 Aadhaar numbers listed publicly online for anyone to see who would just

00:19:41.040 --> 00:19:48.180
do this simple Google search. This was bad. ELLIOT: Yes, if I remember correctly,

00:19:48.180 --> 00:19:58.140
there was another center of the government – one of the instances I found was owned

00:19:58.140 --> 00:20:03.720
by the place where people are going in order to create an Aadhaar card. This

00:20:03.720 --> 00:20:10.080
is why there were so many cards in it. JACK: Jeez, even the place that makes Aadhaar

00:20:10.080 --> 00:20:14.040
cards was leaking information. After this challenge, Elliot put his Google searches

00:20:14.040 --> 00:20:18.180
and Python script onto his GitHub account and published it for everyone to see how they can

00:20:18.180 --> 00:20:22.740
find their own Aadhaar numbers online. At this point, the Indian government started to take

00:20:22.740 --> 00:20:29.700
notice of Elliot’s tweets. ELLIOT: Yes, they did.

00:20:29.700 --> 00:20:38.640
They removed everything at least, I think two days or three days after that.

00:20:38.640 --> 00:20:45.000
JACK: Crazy. Elliot is sort of like an internet vigilante helping a little there, embarrassing a

00:20:45.000 --> 00:20:51.240
little here. Wherever he goes, security does seem to get better. Elliot kept poking around in India,

00:20:51.240 --> 00:20:57.180
checking out the scene, learning the culture. The Prime Minister of India is Narendra Modi and he

00:20:57.180 --> 00:21:06.360
has his own website, narendramodi.in. Elliot went to this website and inspected it a little. [MUSIC]

00:21:06.360 --> 00:21:12.600
He discovered a vulnerability on it which allowed him to upload whatever file he wanted to their

00:21:12.600 --> 00:21:19.620
site. This was definitely not good for the Prime Minister’s website to have a vulnerability.

00:21:19.620 --> 00:21:26.160
What’s Elliot do? He tweets it. His tweet said, “Hi @narendramodi. A security issue

00:21:26.160 --> 00:21:30.900
has been detected on your website. An anonymous source uploaded a text file containing my name

00:21:30.900 --> 00:21:36.180
to your website. He also has full access to your database. You should contact me in private and

00:21:36.180 --> 00:21:42.540
start a security audit ASAP.” Elliot posted a screenshot of the text file that magically

00:21:42.540 --> 00:21:49.620
appeared on the Prime Minister’s website. ELLIOT: After that, the office of Narendra Modi

00:21:49.620 --> 00:21:57.180
contacted me and these guys were pretty friendly and the contact was cool. They

00:21:57.180 --> 00:22:03.180
tried to understand what was the issue. JACK: You hear that? This absolutely boggles my

00:22:03.180 --> 00:22:07.620
mind; Elliot apparently hacked into the Prime Minister’s website and then tweeted about it,

00:22:07.620 --> 00:22:12.300
and he was called by their office. Elliot describes the experience as they were friendly

00:22:12.300 --> 00:22:18.720
and it was cool. Other hackers might have had a really hard time doing this. I just wonder why

00:22:18.720 --> 00:22:23.220
Elliot is able to get away with this. Is it because of so many Twitter followers he has

00:22:23.220 --> 00:22:29.640
or the intent that makes it okay? His history of doing this? It’s just so strange to me. Hacking

00:22:29.640 --> 00:22:35.220
into someone else’s websites and apps should be illegal, right? But he’s perfectly fine doing it

00:22:35.220 --> 00:22:40.320
and being open about it. I mean yeah, he goes by Elliot online but you heard him at the top of the

00:22:40.320 --> 00:22:45.420
show say his real name; Robert Baptiste. He’s not hiding from anyone while he does all

00:22:45.420 --> 00:22:51.060
this. No wonder it’s so exciting to watch his Twitter account. As you might have guessed,

00:22:51.060 --> 00:22:56.040
there are factions within India. Some people like the Aadhaar system and think it’s great. Others

00:22:56.040 --> 00:23:01.560
don’t. There’s a government official named R S Sharma and he’s the Chairman of India’s Telecom

00:23:01.560 --> 00:23:06.300
Regulatory Authority. This isn’t the agency that handles the Aadhaar numbers but instead

00:23:06.300 --> 00:23:12.060
it deals with telecom stuff. Okay, fine, but one day R S Sharma, a government official, got

00:23:12.060 --> 00:23:18.360
tired of hearing people complain about Aadhaar and he tweeted something. R S Sharma wrote

00:23:18.360 --> 00:23:29.220
quote, “My Aadhaar number is 762177682740. Now, I give this challenge to you; show me one concrete

00:23:29.220 --> 00:23:39.300
example where you can do any harm to me.” Oh my gosh; R S Sharma, you are about to meet Elliot

00:23:39.300 --> 00:23:42.060
Alderson. ELLIOT:

00:23:42.060 --> 00:23:48.960
[MUSIC] People helped me. A lot of people sent me information and we did it and we managed to find

00:23:48.960 --> 00:23:53.820
almost everything on him pretty easily. JACK: Like what?

00:23:53.820 --> 00:24:04.620
ELLIOT: Like his personal details so his address, his name, his personal photos with his wife, with

00:24:04.620 --> 00:24:13.680
his kids, his phone number, everything. JACK: Elliot started posting a flood of tweets;

00:24:13.680 --> 00:24:17.280
first, this guy’s phone number, then the phone number of his secretary,

00:24:17.280 --> 00:24:22.440
then his e-mail address. Then Elliot checked his e-mail in haveibeenpwned.com and yep,

00:24:22.440 --> 00:24:27.180
the e-mail was in a breach as well. Then Elliot used the Aadhaar number to figure out his WhatsApp

00:24:27.180 --> 00:24:32.580
profile picture and posted that. Then his date of birth and his home address, and Elliot somehow

00:24:32.580 --> 00:24:36.120
checked to see if there was a bank account tied to this Aadhaar number but there wasn’t.

00:24:36.120 --> 00:24:47.700
ELLIOT: Doxing is very, very bad and people shouldn’t do it. I only published a redacted

00:24:47.700 --> 00:24:54.180
screenshot and I tried to remove all his personal details. I just wanted to show him

00:24:54.180 --> 00:25:05.220
that we had his info, that’s all. The goal was really not to publish his details. This is not

00:25:05.220 --> 00:25:09.840
doxing. The goal was not to dox him. JACK: Just in case you didn’t make that out,

00:25:09.840 --> 00:25:14.100
Elliot was blacking out the actual details on these tweets. He’s just showing enough information

00:25:14.100 --> 00:25:19.320
to prove that he had the info. Elliot and his followers were using a combination of open-source

00:25:19.320 --> 00:25:25.320
research like Sky and Google but also exploiting some of the weaknesses in Aadhaar itself. At this

00:25:25.320 --> 00:25:32.220
point, R S Sharma saw Elliot’s tweets. ELLIOT: I think this guy was surprised because

00:25:32.220 --> 00:25:42.720
he was convinced that nobody will manage to find something. I think he was surprised. A few days

00:25:42.720 --> 00:25:54.540
after that he tried to say no, you shouldn’t publish the Aadhaar number but hackers didn’t

00:25:54.540 --> 00:26:02.160
manage to find my personal data through my Aadhaar number so it means they found my

00:26:02.160 --> 00:26:11.520
personal details because I am a public person, so it means Aadhaar is safe which is partially

00:26:11.520 --> 00:26:19.020
false because there was – some of the information has been found with other vulnerabilities.

00:26:19.020 --> 00:26:24.960
JACK: From the looks of R S Sharma’s tweets after this, it doesn’t look like he learned his lesson.

00:26:24.960 --> 00:26:30.300
Just to give you an example, his tweet where his Aadhaar number is posted publicly is still up

00:26:30.300 --> 00:26:41.220
for anyone to see right now. ELLIOT: [MUSIC]

00:26:41.220 --> 00:26:49.140
I received a direct message on Twitter. A guy from India told me I think I found

00:26:49.140 --> 00:26:57.120
something interesting but you should look at this. I don’t have any details but just look

00:26:57.120 --> 00:27:03.060
at this. He sent me a URL. JACK: The URL was a website called

00:27:03.060 --> 00:27:09.600
Indane. It’s a gas company in India and they serve ninety million families and have nine

00:27:09.600 --> 00:27:12.120
thousand distributors. ELLIOT: When I looked at the

00:27:12.120 --> 00:27:28.080
URL there were Aadhaar numbers of Indane users. What I did is I managed to modify the URL in

00:27:28.080 --> 00:27:39.780
order to find all the different users of Indane and with that, I wrote an automatic scraper in

00:27:39.780 --> 00:27:46.740
order to do my request automatically. Like this, I managed to get millions of Aadhaar numbers.

00:27:46.740 --> 00:27:51.120
JACK: By just tweaking the URL in the website to try different combinations,

00:27:51.120 --> 00:27:57.660
he found that one of the URLs exposed millions of Aadhaar numbers, all without authentication

00:27:57.660 --> 00:28:02.640
or using an exploit to bypass. Just, if you know the right URL, it’ll give it all to

00:28:02.640 --> 00:28:08.220
you. Elliot knew this was a big deal and this company should not be leaking possibly millions

00:28:08.220 --> 00:28:12.821
of Aadhaar numbers like this. He contacted a journalist to work together on this one.

00:28:12.821 --> 00:28:16.140
ELLIOT: My goal on – I was working with a journalist at the same

00:28:16.140 --> 00:28:26.760
time so we wanted to understand how big was this breach and I was looking regularly as a

00:28:26.760 --> 00:28:36.900
resort in order to find how many Aadhaar numbers were leaked. The goal was not to get the data;

00:28:36.900 --> 00:28:45.960
I didn’t retrieve the data. I just wanted to see how many Aadhaar numbers were available.

00:28:45.960 --> 00:28:49.800
JACK: He created a scraper to go through the website to try to understand how many numbers

00:28:49.800 --> 00:28:56.280
were leaked. After this script ran, he had the total number of Aadhaar numbers exposed. It was

00:28:56.280 --> 00:29:03.480
6,700,000. ELLIOT: [MUSIC]

00:29:03.480 --> 00:29:07.740
Which is a big number.

00:29:07.740 --> 00:29:09.900
JACK: What did you do with this information?

00:29:09.900 --> 00:29:18.300
ELLIOT: I directly shared the information with a journalist and together we tried to contact Indane

00:29:18.300 --> 00:29:26.340
in order to fix the issue but the problem with this kind of very, very big company; nobody’s

00:29:26.340 --> 00:29:36.840
answering you. We wait a little bit and after that, Zack from TechCrunch published the story

00:29:36.840 --> 00:29:43.560
and two hours later the problem was fixed. JACK: Two hours later the problem was fixed.

00:29:43.560 --> 00:29:48.660
Whoa; this guy’s crazy.

00:29:48.660 --> 00:29:53.580
I’m sure he’s never going to go to India. He’s ruined his reputation there.

00:29:53.580 --> 00:29:59.520
TERABYTE: No, it’s not like that, actually, to be honest. He’s kind of a hero. I find him a heroic

00:29:59.520 --> 00:30:06.480
personality because he opened the eyes. He made us aware how vulnerable it is and how stupid this

00:30:06.480 --> 00:30:12.540
idea is also, getting an Aadhaar. JACK:

00:30:12.540 --> 00:30:17.400
I actually got a chance to meet Elliot in person this year; at Defcon, of course, which I just

00:30:17.400 --> 00:30:23.940
realized is in Paris, in Vegas. Hm, right at home for him, I suppose. Together we sat and watched a

00:30:23.940 --> 00:30:27.900
conference talk together and then chatted for a while. He really does seem like a great guy

00:30:27.900 --> 00:30:32.940
with good intent; willing to give free security assessments to anyone he finds interesting and to

00:30:32.940 --> 00:30:38.100
help people understand the risks of poorly-built websites and applications. After talking with him,

00:30:38.100 --> 00:30:42.900
I do get a better sense of what all this is about. Elliot’s a busy guy, always looking for the next

00:30:42.900 --> 00:30:47.700
thing to do, and he’s endlessly curious. He loves looking for problems but then when he

00:30:47.700 --> 00:30:52.380
finds them, he just wants to forget about them and move on. The easiest way for him to forget

00:30:52.380 --> 00:30:57.060
about it is just to publish it and let someone else deal with it. It’s like he’s transferring

00:30:57.060 --> 00:31:02.100
consciousness. Oh man, I sound hippy-dippy on that one but yeah, he finds this problem,

00:31:02.100 --> 00:31:07.500
it’s in his head, he tweets it and this lets him forget it and now it’s in someone else’s head to

00:31:07.500 --> 00:31:12.420
deal with. This lets him move on to the next thing more quickly. Earlier this year Elliot

00:31:12.420 --> 00:31:17.340
was where he naturally hangs out; on Twitter. He checked to see what Fox News was posting that

00:31:17.340 --> 00:31:25.260
day and he saw another interesting app. ELLIOT: Like Donald Daters, I saw an ad I think,

00:31:25.260 --> 00:31:33.300
on the Fox News Twitter account and I was like okay, maybe I can try to find something

00:31:33.300 --> 00:31:39.720
on it. I downloaded the application. JACK: [MUSIC] This was an Android app and it

00:31:39.720 --> 00:31:46.620
was called 63red. It was an app that’s exactly like Yelp but for people who like Donald Trump.

00:31:46.620 --> 00:31:52.080
I’m not exactly sure why they need their own apps like this; what makes them so special? But yeah,

00:31:52.080 --> 00:31:57.120
this is another one of those apps. Of course, Elliot decides to take a look at it.

00:31:57.120 --> 00:32:02.640
ELLIOT: Very quickly I managed to find a big vulnerability in their API.

00:32:02.640 --> 00:32:06.960
JACK: An Android app can be made two ways; you can write code for it and compile the program

00:32:06.960 --> 00:32:12.120
to run or you can just make the app in HTML 5 using JavaScript and it will run just like

00:32:12.120 --> 00:32:16.620
a website would. It’ll look like an app but it’s actually just like a website underneath.

00:32:16.620 --> 00:32:21.240
Because the app was made like this, Elliot was able to see all the JavaScript used to

00:32:21.240 --> 00:32:27.660
create this website app and in there he found the database URL and API keys to access it.

00:32:27.660 --> 00:32:33.300
This really is as safe as writing your password on a postcard. You just turn the card over to

00:32:33.300 --> 00:32:38.100
see the password or in this case right click, view source, and you see the password.

00:32:38.100 --> 00:32:49.920
ELLIOT: There was no authentication process so everybody has the ability to modify,

00:32:49.920 --> 00:32:57.960
to do whatever they want. You were able to ban an account, to create some friendship between

00:32:57.960 --> 00:33:06.840
the accounts, to create as many accounts as you want. You were able to do whatever you want. Also,

00:33:06.840 --> 00:33:12.000
there was an accredited credential multiple times on the source code.

00:33:12.000 --> 00:33:17.520
JACK: Elliot found this URL [00:35:00] and the API keys which gave him full read/write access to this

00:33:17.520 --> 00:33:22.020
entire database. You want to give yourself one thousand five-star reviews? No problem;

00:33:22.020 --> 00:33:26.940
done. You want the e-mail addresses of all the users? Okay, here. What Elliot found

00:33:26.940 --> 00:33:34.500
gave him full control of the database. ELLIOT: When I found the vulnerabilities, I tried

00:33:34.500 --> 00:33:40.980
everything in order to see if I – to confirm the vulnerability and after that I didn’t

00:33:40.980 --> 00:33:51.900
contact the company. I directly published some screenshots of the vulnerability on Twitter.

00:33:51.900 --> 00:34:02.160
I tried to redact as much as I could on the screenshot.

00:34:02.160 --> 00:34:10.680
After that, the guys from 63red were pretty angry and they threatened me

00:34:10.680 --> 00:34:20.400
to call the FBI. It was not good. JACK: A-ha! See, I knew this was illegal. I

00:34:20.400 --> 00:34:24.360
knew this was gonna happen, right? You break into someone else’s stuff, you hack their database,

00:34:24.360 --> 00:34:29.400
you post it on Twitter. Yeah, sure, it’s redacted but it’s also proof that you were there. This is

00:34:29.400 --> 00:34:34.200
going too far. It’s breaking the law. Sure enough, the 63red team did see it that way.

00:34:34.200 --> 00:34:40.680
They claimed to have called the FBI to report a quote, “politically motivated attack.” They

00:34:40.680 --> 00:34:45.600
said they want quote, “this perpetrator will be brought to justice and we will pursue this

00:34:45.600 --> 00:34:51.120
matter and all attacks, failed or otherwise, to the utmost extent of the law.” End quote.

00:34:51.120 --> 00:34:55.020
Elliot put his hand in the fire too many times and now he’s getting burned.

00:34:55.020 --> 00:35:04.980
ELLIOT: Yes and no; I mean, someone asked to do this job and people have to understand. They have

00:35:04.980 --> 00:35:11.640
to understand and people and companies have to understand that security researchers, hackers,

00:35:11.640 --> 00:35:19.620
are not bad guys. We are here to help, the InfoSec community in general is here to help

00:35:19.620 --> 00:35:29.460
companies. We are working in companies; this is what we are doing as a job. We are not here to

00:35:29.460 --> 00:35:42.900
destroy their business. It is never good to react like this, like 63red did because if you threaten

00:35:42.900 --> 00:35:51.420
a security researcher is very, very bad on – it’s giving a very bad signal to the community.

00:35:51.420 --> 00:35:57.180
If someone is finding a vulnerability in your system, in your company, you have to thank him

00:35:57.180 --> 00:36:06.960
and say okay, thank you for finding this. You’ve saved me some money because maybe someone with bad

00:36:06.960 --> 00:36:18.540
intentions will maybe already find it and will use it for another purpose. We are the bad guy. We are

00:36:18.540 --> 00:36:27.660
the good guy, sorry, in this story. JACK: That was a Freudian slip in there.

00:36:27.660 --> 00:36:31.320
I think a lot of listeners are gonna wonder if you’re a good guy or a bad guy.

00:36:31.320 --> 00:36:39.540
ELLIOT: This is very important. I tell you I’m a good guy and I don’t earn money with that.

00:36:39.540 --> 00:36:46.800
This is important because this work has to be done by – someone needs to do this work, yeah.

00:36:46.800 --> 00:36:54.900
JACK: Yeah. It’s still funny to me that if you’re not a Trump supporter, you don’t like Trump,

00:36:54.900 --> 00:37:00.540
and you’re there to help people do security research for free, basically, you’re doing it

00:37:00.540 --> 00:37:11.580
on Trump’s – pro-Trump stuff. You know? ELLIOT: Well, this is a partial view for me

00:37:11.580 --> 00:37:20.880
because yes, I found a vulnerability in two pro-Trump applications. You just have to give

00:37:20.880 --> 00:37:31.200
me other US American applications and I will be happy to find another vulnerability. It was

00:37:31.200 --> 00:37:41.880
just an opportunity but my work is way bigger than this. I’m not a political opponent of Trump. I’m

00:37:41.880 --> 00:37:50.790
not doing politics. I’m not even living in the US so I don’t care about Trump at all. Yes, I found

00:37:50.790 --> 00:37:56.760
vulnerabilities in pro-Trump apps but yeah, give me an application of Democrat and I will be happy

00:37:56.760 --> 00:38:02.640
to find a vulnerability in it. This is what I did in India, too. I managed to find vulnerabilities

00:38:02.640 --> 00:38:11.760
in applications of both sides. I don’t care about the political side of the owner.

00:38:11.760 --> 00:38:17.280
JACK: You don’t care – [00:40:00] you say your name. I mean, you told me you

00:38:17.280 --> 00:38:24.000
just – at the beginning of the show, Robert. You don’t care that that’s open as well?

00:38:24.000 --> 00:38:34.080
ELLIOT: Yes, I mean, I’m a public person. For two years in a row I was on TV in the US and I was on

00:38:34.080 --> 00:38:42.420
national TV in the US, in Canada, in India, in France. I’m a public person so I’m not doing

00:38:42.420 --> 00:38:49.620
bad stuff. This is why I’m not a bad guy. I’m really trying to do good things. I’m doing good

00:38:49.620 --> 00:38:55.740
things publicly and this is really my action. I’m trying to spread the message; security is

00:38:55.740 --> 00:39:04.380
important. Accurate InfoSec community is here to help. We are not afraid. We are not hiding. We

00:39:04.380 --> 00:39:13.260
are here to communicate about security, to find issues. We have no reason to hide. I did nothing

00:39:13.260 --> 00:39:23.160
wrong so I don’t have any reason to hide.
