YouTang Times Vulnerability Exposes Security Risks for 400,000 Users


Case Study 1: Weak Administrator Password

The YouTang Times vulnerability exposed nearly 400,000 user accounts and put those users' funds at risk. (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0126955)

Security Risk [Fixed]:

  1. YouTang Times' UCenter user management center (http://**.**.**.**/uc_server/admin.php) used a weak password (admin/123456). Logging in granted access to the records of 400,000 users.

Security Recommendations:

  1. Admin backends should not be accessible from the internet.
  2. Avoid common URLs for admin backends, such as /admin.php, /admin/login.asp, /manage/index.html;
  3. Avoid common usernames for administrator accounts, such as admin, administrator, root;
  4. Enforce strong password rules, such as: minimum 8 characters, mixing at least two of the four character classes (uppercase letters, lowercase letters, digits, special characters), and rejecting common passwords such as 123456;
  5. Implement brute-force prevention mechanisms, such as: CAPTCHAs, account lockout after multiple failed login attempts;
  6. Implement two-factor authentication, such as: SMS verification codes, dynamic tokens.
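The password rules in recommendation 4 and the lockout in recommendation 5, written out as an added Python example. This is not code from YouTang Times or from any system in this article; the common-password list, the thresholds (8 characters, two character classes, 5 consecutive failures, 15-minute lockout) and the injectable `now` clock are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
import time
from dataclasses import dataclass, field

# Constructed list of the weak credentials that recur in the cases above; a real
# deployment would load a far larger list (e.g. a breached-password corpus).
COMMON_PASSWORDS = {"123456", "111111", "admin", "password", "admin123", "12345678"}
COMMON_ADMIN_USERNAMES = {"admin", "administrator", "root"}

MIN_LENGTH = 8            # recommendation 4
MIN_CHAR_CLASSES = 2      # recommendation 4
MAX_FAILED_ATTEMPTS = 5   # recommendation 5: lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60 # recommendation 5: how long the account stays locked


def password_problems(username: str, password: str) -> list[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        re.search(r"[a-z]", password) is not None,
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[0-9]", password) is not None,
        re.search(r"[^A-Za-z0-9]", password) is not None,
    ]
    if sum(classes) < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def username_is_generic(username: str) -> bool:
    """Recommendation 3: flag the usernames every scanner tries first."""
    return username.lower() in COMMON_ADMIN_USERNAMES


@dataclass
class LoginGuard:
    """Per-account consecutive-failure counter with a temporary lockout."""
    failures: dict[str, int] = field(default_factory=dict)       # username -> consecutive failures
    locked_until: dict[str, float] = field(default_factory=dict) # username -> unix time lock expires

    def is_locked(self, username: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        return self.locked_until.get(username, 0.0) > now

    def record(self, username: str, success: bool, now: float | None = None) -> str:
        """Record one login attempt; returns 'ok', 'failed' or 'locked'.

        A correct password presented while the account is locked is still refused,
        otherwise the lockout would not slow an attacker down at all.
        """
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        if success:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)   # counter restarts once the lock expires
            return "locked"
        return "failed"
```

`password_problems` reports every violation rather than stopping at the first, which is what a user-facing form needs. The lockout is keyed by account; an attacker spraying one password across many usernames (as in Case Study 6) needs a second, per-source-IP counter or a CAPTCHA in addition.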

Case Study 2: Weak Administrator Password + Outdoor LED Screen

High-risk vulnerability in Lijiang's LED display information system allowed arbitrary advertisements to be posted (remote control over hundreds of LED screens). (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-076215)

Security Risk [Fixed]:

  1. Lijiang’s LED display information system (http://**.**.**.**:8888/main.aspx) had a weak password (admin/123456), allowing for the broadcasting of arbitrary information to 169 outdoor LED screens across the city, negatively impacting the government’s image.

Security Recommendations:

  1. Same as Case Study 1.

Case Study 3: Weak Administrator Password + Video Surveillance System

Weak password in a municipal water bureau's monitoring system allowed real-time viewing of 366 cameras. (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0125288)

Security Risk [Fixed]:

  1. The municipal water bureau’s network video surveillance system (http://**.**.**.**) had a weak password (admin/admin), allowing real-time viewing of footage from 366 surveillance cameras across the city.

Security Recommendations:

  1. Same as Case Study 1.

Case Study 4: Weak Administrator Password + Network Equipment

Weak password on network equipment at a municipal earthquake bureau. (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-061840)

Security Risk [Fixed]:

  1. A municipal earthquake bureau's H3C switch (http://**.**.**.**:803/cn/login.html) used a weak password (admin/admin). Typical follow-on abuse of a compromised switch: capturing and downloading traffic to recover account passwords and sensitive files, and modifying ACLs to reach the internal network.

Security Recommendations:

  1. Same as Case Study 1.

Case Study 5: Weak Administrator Password + File Upload to Get Shell + Server Leaks Source Code and Password File

Weak password at a critical China Telecom branch allowed a shell to be obtained (leaking large amounts of internal information and some source code). (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-075512)

Security Risk [Fixed]:

  1. A China Telecom points mall operation platform (http://**.**.**.**:9002/Home/Index#) used a weak password (admin/123456). After logging into the backend, an arbitrary file upload vulnerability was used to upload a webshell, gaining operating system privileges on the server. Reviewing the application's source code revealed previously unknown (0-day) vulnerabilities; reviewing password and configuration files revealed numerous account passwords.

Security Recommendations:

  1. Same as Case Study 1.

Case Study 6: Weak Password for Regular User + OA System

Weak password at a COFCO location leaked large amounts of information. (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0126516)

Security Risk [Fixed]:

  1. On the COFCO OA system (http://**.**.**.**/seeyon/index.jsp), common usernames were tried against weak passwords (123456, 111111), yielding numerous valid accounts. Logging in gave access to the address book, exposing personal information (name, department, position, rank, phone number, etc.) for every employee of the company;
  2. Had the OA system included email functionality, it could have been used to send internal phishing emails with attachments; once an employee opened the attachment, the attacker could take control of that employee's computer.

Security Recommendations:

  1. Enforce strong password rules, such as: minimum 8 characters, mixing at least two of the four character classes (uppercase letters, lowercase letters, digits, special characters), and rejecting common passwords such as 123456 and 111111;
  2. Implement brute-force prevention mechanisms, such as: CAPTCHAs, account lockout after multiple failed login attempts;
  3. Implement two-factor authentication, such as: SMS verification codes, dynamic tokens.

Case Study 7: Universal Account

SQL injection bypassed the login on a Hisense Group system backend. (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-081160)

Security Risk [Fixed]:

  1. The login forms of the Hisense Group's employee allocation system (**.**.**.**:8080/Web/transfer/login.asp), performance management system (http://**.**.**.**:8080/Web/performance/login.asp) and management standard query system (http://**.**.**.**:8080/Web/standard/login.asp) were vulnerable to SQL injection. A "universal account" (the username admin' or 'a'='a with any password) logged in successfully and granted administrator privileges.

Security Recommendations:

  1. Admin backends should not be accessible from the internet.
  2. Avoid common URLs for admin backends, such as /admin.php, /admin/login.asp, /manage/index.html;
  3. Implement two-factor authentication, such as: SMS verification codes, dynamic tokens;
  4. Build the login query with parameterized statements (prepared statements) so that user input can never change the query's structure.
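The login bypass from Case Study 7 rebuilt as an added Python example against an in-memory SQLite table. This is not the Hisense systems' code; the user table, its contents and the plaintext password column are constructed for illustration (plaintext is kept only so the query stays readable; production systems store salted hashes, which would not by itself stop this injection). The same payload is run against a concatenated query and against the parameterized version from recommendation 4.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the real systems' unknown schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cure!Pass#2014', 'administrator')")
    conn.execute("INSERT INTO users VALUES ('zhang', 'Emp!oyee99', 'employee')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the WHERE clause by string concatenation, as the affected login.asp pages did.

    With username  admin' or 'a'='a  the statement becomes
      ... WHERE username = 'admin' or 'a'='a' AND password = '<anything>'
    AND binds tighter than OR, so the row matches on username alone and the
    password check is never effective.
    """
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, username: str, password: str):
    """Parameterized query: the driver sends the values separately, so quotes in the
    input are data, not syntax, and the query shape cannot be altered."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 'a'='a"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))   # admin row returned
    print("fixed:     ", login_fixed(db, payload, "wrong"))        # None
```

The fix is the shape of the query, not input filtering: `login_fixed` is passed the identical payload and simply looks for a user literally named `admin' or 'a'='a`. Per-system allow-listing of quotes is brittle; parameterization removes the class of bug.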

Case Study 8: Password Reset Vulnerability

Arbitrary user password reset on a dating app. (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-074412)

Security Risk [Fixed]:

  1. A dating app's (http://**.**.**.**/) password reset endpoint (POST /data/user/password/reset) took three parameters: code (the SMS verification code), mobile (the phone number) and password (the new password). The SMS verification code was only 4 digits and could be brute-forced, allowing any user's password to be reset and the account taken over.

Security Recommendations:

  1. Implement brute-force prevention mechanisms, such as: CAPTCHAs, account lockout after multiple failed login attempts;
  2. Lengthen the SMS verification code to 6 digits, raising the brute-force cost from 10,000 to 1,000,000 guesses;
  3. Limit the number of verification attempts per code and give each code a short lifetime. After several wrong attempts the code must be invalidated and a new one requested, with a waiting period before another code can be sent.
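The three recommendations above combined into one server-side verifier, as an added Python example (not the dating app's code). The 6-digit length, 5-minute lifetime, 3 wrong attempts and 60-second resend cooldown are assumed values, and the service returns the generated code to its caller only so that the example can be exercised offline; a real implementation hands it to the SMS gateway and never to the HTTP client.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6        # recommendation 2: 6 digits instead of 4
CODE_TTL = 300         # seconds a code stays valid (assumed)
MAX_ATTEMPTS = 3       # recommendation 3: wrong guesses before the code is voided (assumed)
RESEND_COOLDOWN = 60   # recommendation 3: wait before another code may be issued (assumed)


def guesses_to_exhaust(digits: int) -> int:
    """Number of guesses that cover the whole code space when nothing limits attempts."""
    return 10 ** digits


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsResetService:
    def __init__(self) -> None:
        self.pending: dict[str, PendingCode] = {}   # mobile -> outstanding code
        self.last_issued: dict[str, float] = {}     # mobile -> time the last code was sent

    def request_code(self, mobile: str, now: float) -> str | None:
        """Issue a fresh code, or refuse (None) while the resend cooldown is running."""
        last = self.last_issued.get(mobile)
        if last is not None and now - last < RESEND_COOLDOWN:
            return None
        # secrets (not random) for the code; zero-padded so leading zeros are kept.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[mobile] = PendingCode(code, now)   # any earlier code is superseded
        self.last_issued[mobile] = now
        return code   # would go to the SMS gateway; returned here only for testability

    def verify(self, mobile: str, code: str, now: float) -> str:
        """Check a submitted code; returns 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        p = self.pending.get(mobile)
        if p is None:
            return "no_code"
        if now - p.issued_at > CODE_TTL:
            del self.pending[mobile]
            return "expired"
        p.attempts += 1                                  # count before comparing
        if hmac.compare_digest(p.code.encode(), code.encode()):
            del self.pending[mobile]                     # single use
            return "ok"
        if p.attempts >= MAX_ATTEMPTS:
            del self.pending[mobile]                     # voided; cooldown still applies to the next request
            return "locked"
        return "wrong"
```

With these limits an attacker gets at most 3 guesses per issued code and one code per minute, so the 10^6 space is out of reach, whereas the original 4-digit code with unlimited attempts fell to at most 10,000 requests. The attempt counter is incremented before the comparison so that a request that races the check still consumes an attempt.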

Case Study 9: Password Reset Vulnerability

Resetting any user's password on Tianjin Airlines (account takeover and sensitive information leak). (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-059947)

Security Risk [Fixed]:

  1. The password reset function of Tianjin Airlines' ticket booking website (http://**.**.**.**/frontend/users/modifyinfo/resetPassword.jsp) had three steps: enter the username, answer the security question, set a new password. In the second step the backend sent the correct answer to the browser and verified it in JavaScript. An attacker could therefore read the answer from the response or edit the verification logic, reset any user's password and take over the account.

Security Recommendations:

  1. Verify the password protection question answer on the backend.

Case Study 10: Password Reset Vulnerability

Modifying any user's password on Hexun.com. (Source: https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-091216)

Security Risk [Fixed]:

  1. Hexun.com's password recovery (http://**.**.**.**/getpassword_setnew.aspx) had two steps: enter an email address, which triggered a password reset link; click the link to set a new password. In the second step the "Resend Email" request carried the recipient email address as a parameter. Intercepting and changing that parameter delivered the reset link for the victim's account to an attacker-controlled mailbox, allowing any user's password to be reset and the account taken over.

Security Recommendations:

  1. The recipient address of a password reset link must be taken from the account record on the server; the frontend must not be able to supply or change it.
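A reset flow that fixes both Case Study 9 (answer checked on the server, never sent to the browser) and Case Study 10 (reset link addressed from the stored record, with a resend step that takes no email parameter), as an added Python example. This is not the Tianjin Airlines or Hexun code; the account store, the 15-minute token lifetime and the in-memory outbox standing in for a mail gateway are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL = 15 * 60      # seconds a reset link stays valid (assumed)
PBKDF2_ROUNDS = 100_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither the security answer nor the password is stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def normalize_answer(answer: str) -> str:
    """Case- and whitespace-insensitive matching for security answers, done only server-side."""
    return " ".join(answer.strip().lower().split())


@dataclass
class Account:
    username: str
    email: str
    question: str
    answer_salt: bytes
    answer_hash: bytes
    password_salt: bytes
    password_hash: bytes


class ResetService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, tuple[str, float]] = {}   # token -> (username, expires_at)
        self.outbox: list[tuple[str, str]] = []            # (recipient, token); stands in for the mail gateway

    def register(self, username: str, email: str, question: str, answer: str, password: str) -> None:
        a_salt, p_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.accounts[username] = Account(
            username, email, question,
            a_salt, hash_secret(normalize_answer(answer), a_salt),
            p_salt, hash_secret(password, p_salt),
        )

    def question_for(self, username: str) -> str | None:
        """Step 1: only the question text leaves the server; the answer never does (Case Study 9)."""
        acct = self.accounts.get(username)
        return acct.question if acct else None

    def start_reset(self, username: str, answer: str, now: float) -> bool:
        """Step 2: verify the answer here and mail a single-use token to the address on file."""
        acct = self.accounts.get(username)
        if acct is None:
            return False   # same result as a wrong answer, so usernames cannot be enumerated here
        if not hmac.compare_digest(hash_secret(normalize_answer(answer), acct.answer_salt), acct.answer_hash):
            return False
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, now + TOKEN_TTL)
        self.outbox.append((acct.email, token))   # recipient from the record, never from the request (Case Study 10)
        return True

    def resend_link(self, username: str, now: float) -> bool:
        """The 'Resend Email' step: there is no email parameter for a client to tamper with."""
        acct = self.accounts.get(username)
        live = [tok for tok, (user, exp) in self.pending.items() if user == username and exp > now]
        if acct is None or not live:
            return False
        self.outbox.append((acct.email, live[-1]))
        return True

    def finish_reset(self, token: str, new_password: str, now: float) -> bool:
        """Step 3: consume the token (single use), reject if expired, then set the new password."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        acct = self.accounts[username]
        acct.password_salt = secrets.token_bytes(16)
        acct.password_hash = hash_secret(new_password, acct.password_salt)
        return True

    def check_password(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(
            hash_secret(password, acct.password_salt), acct.password_hash)
```

The two properties that were missing in the original systems are structural here: `question_for` is the only data that reaches the browser before verification, and neither `start_reset` nor `resend_link` accepts an address, so the delivered link can only ever reach the registered mailbox. The token is random, bound to one account, expires, and is deleted on first use.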
