Blog

th3_GR1NCH who wanted to steal Christmas

Dec 21 2021/Security/2 min read
th3_GR1NCH who wanted to steal Christmas
Picture of Alan Carson
by Alan Carson
Happy Packaging! This holiday season we've a couple of fun short stories to share with you!

Lucy > I think someone is trying to hack us...

Alvin > What?

Lucy > a new user th3_GR1NCH created an org called whoville

Lucy > and is probing the api in weird ways

Alvin > Did they find any useful attack vectors?

Lucy > not so far. We’ll monitor

Alvin > Cool. Ping me immediately if something happens

Unbeknownst to Alvin and Lucy, th3_GR1NCH was indeed an infamous hacker. Under other handles, he’d successfully gained access to the New York Stocking Exchange, Christmas card companies, Smithville Town Hall and most recently the Ellingson Toy Company. All to their detriment.

This year, this Christmas, his nefarious scheme was to mess with some dev tools services with active bug bounty programs, and Cloudsmith was fifth on a long list.

After wreaking havoc with the first four service companies, he left them with much work to do over the festive season. He turned his attention to Cloudsmith. “I’ll steal some packages” he chuckled, “that will ruin their Christmas!”

But after signing up to a new user account, and being forced to verify by email (an annoying extra step in signup workflows, but an important one for security reasons), he quickly realized that this might not be that simple. He tried all the methods he used for the first four companies, probing the API and each time was rebuffed with password protections, timeouts and errors. The WAF (web app firewall) was doing its job.

He contacted support as Joey Pardella, a second, new user, and began trying to get them to release information that he could use to gain access to something. They were incredibly knowledgeable and very helpful but gave nothing away.

Lucy > I think they’ve given up

Alvin > Yeah?

Lucy > Yeah. There has been no activity on either of the accounts they created.

Alvin > Did they get access to anything that they shouldn’t have?

Lucy > No. They did get close in one area though. But I’ve thought of an additional check we can add to close that off.

Lucy > I’ve the PR up already. The team is reviewing atm.

Alvin > Awesome! Thank you.

Lucy > Hopefully that’s the last hacker of this season!

Alvin > hopefully

Alvin > what a year it has been...

Get our next blog straight to your inbox