I Have Your Password

As much as we like to imagine hackers as psychics, evil geniuses, or Ethan Hunt breaking into Langley, most actual hacking is far different.  In reality, perhaps the best analogy of the three is as a psychic.  Not a supernatural psychic, but more like a mall psychic:  using a combination of basic logic and cold reading skills.

“Pictured here:  only 19% of all hacking.”

Most hackers gain access to improper materials simply by uncovering the password needed to access the information.  And if they don’t actually cull it from its source (which, really, is cheating), then they usually guess it.

This is not an uncommon thing. Do you remember Sarah Palin? Back in 2008 this exact thing happened when her free Yahoo Mail account was “hacked.” Wired.com covered the method used in “Palin E-mail Hacker Says It Was Easy”:

“As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.”

As funny or light-hearted as this might sound, this hack had serious consequences for the Palin family in the wake of the breach.

In her book “Going Rogue”, Palin wrote that the McCain campaign confiscated her kids’ phones, and she and her friends and family had to cancel personal and business accounts that had been exposed by the hack; as a result, she could no longer contact her kids.  By the time it was over, some people had doubts about her intelligence and fitness to govern.

Seven years later, things don’t seem to be getting any better. South Korea is experiencing the “Palin problem” on a massive scale; their passwords are getting hacked.  According to this recent article:

“Internet users in Korea are notoriously more exposed to security risks than their counterparts in other countries, partly because their password hints are too easy to guess.”

According to the article, too many Koreans suggested questions such as “the city where you were born” and “what’s your favorite food”.  Apparently the answer to the first question is “Seoul” nearly 40% of the time.  The article doesn’t say their most popular favorite food, though I encourage you to guess “rice” if you’re a racist.
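
One way to measure this exposure, as an added example that is not from the original post or the cited article: given a sample of stored answers per security question, compute what share of accounts the few most common answers would open. The sample data is constructed (only the roughly 40% "Seoul" share comes from the text above), and the function names and the 5% threshold are assumptions.

```python
import math
from collections import Counter


def normalize(answer):
    """Fold case and whitespace, as a lenient reset form would (assumption)."""
    return " ".join(answer.casefold().split())


def guess_success(answers, guesses):
    """Share of accounts whose answer is among the `guesses` most common ones."""
    counts = Counter(normalize(a) for a in answers)
    hit = sum(n for _, n in counts.most_common(guesses))
    return hit / len(answers)


def min_entropy_bits(answers):
    """Bits of unpredictability against the single most common answer."""
    counts = Counter(normalize(a) for a in answers)
    p_max = counts.most_common(1)[0][1] / len(answers)
    return -math.log2(p_max)


def audit(samples, guesses=3, max_success=0.05):
    """Return (question, success rate, min-entropy) for each question where
    more than `max_success` of accounts fall within `guesses` tries.
    `guesses` models the reset form's attempt limit before lockout."""
    weak = []
    for question, answers in samples.items():
        rate = guess_success(answers, guesses)
        if rate > max_success:
            weak.append((question, rate, min_entropy_bits(answers)))
    return sorted(weak, key=lambda row: row[1], reverse=True)


# Constructed sample of 100 answers per question. The 40% share for one city
# mirrors the figure quoted above; every other value is made up.
BIRTH_CITY = (
    ["Seoul"] * 36 + ["seoul "] * 4      # same answer after normalization
    + ["Busan"] * 15 + ["Incheon"] * 10 + ["Daegu"] * 8
    + ["Daejeon"] * 7 + ["Gwangju"] * 5
    + [f"town-{i}" for i in range(15)]   # long tail of unique answers
)
# Baseline: a random phrase issued by the site, unique per account.
RANDOM_PHRASE = [f"phrase-{i:03d}" for i in range(100)]

SAMPLES = {
    "the city where you were born": BIRTH_CITY,
    "site-issued recovery phrase": RANDOM_PHRASE,
}

if __name__ == "__main__":
    for question, rate, bits in audit(SAMPLES):
        print(f"WEAK  {question!r}: {rate:.0%} of accounts fall in 3 guesses, "
              f"min-entropy {bits:.2f} bits")
```

A question whose top answer covers 40% of users gives about 1.3 bits of protection, which no attempt limit can rescue; the same audit passes a per-account random phrase.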


Here are some other security questions you should stay away from if you do not want your password swindled, along with the common answer.  As the article suggests, the dangerous questions vary by country.

South Korea:

“Who is your least favorite dictator?” (Kim Jong-un)

“How many doors does your Kia Sorento have?”  (4)

“What is your favorite classic sitcom grossly mischaracterizing the American army experience?”  (Seinfeld)

North Korea:

“Spell ‘Pyongyang’.”  (Pyongyang)

“What is your favorite Kim Jong-un superpower?”  (Invisibility)

“What physical sensation are you most experiencing right now?”  (Hunger)


“What is your favorite alcoholic beverage?” (Sake)

“Which emotion best describes your attitude toward your performance at work?”  (Overriding sense of shame)


“What is your favorite kind of leaf?”  (Maple)

“What’s your favorite kind of bacon?”  (Back)

“What is your favorite place to get coffee?” (Tim Horton’s)

“Which Star Trek character do you most like to depict on our defaced currency?”  (Spock)

“Do you mind if I borrow your password and steal all of your confidential information?”  (Sure; no worries.)


“What is your favorite color?”  (Green)

“What is your favorite holiday?”  (St. Patrick’s Day)

“What is your favorite whiskey?”  (Wet)


“What is your favorite kind of cheese?” (Swiss)

“What is your favorite kind of chocolate?” (Swiss)

“What is your favorite kind of army knife?” (Swiss)

Vatican City:

“What is your favorite dead language?”  (Latin)

“With what major religion do you most identify?”  (Catholicism)

“What does your significant other do for a living?”  (Altar Boy)


“What was the name of your first pet?”  (Fifi)

“Voulez-vous couchez avec moi ce soir?”  (Oui)

“What was your favorite childhood activity?”  (Smoking or Drinking Wine (tie))


“Who is your favorite President?”  (That old white guy)

“What is the last thing you said to a police officer?”  (Ouch)

“How obese are you?”  (Morbidly)

Of course, these were all quite silly; some of them arguably even edgy.  Do you have your own funny suggestions?  Email them to bryan@seelysecurity.com.
Be sure to include your name, email address, the street where you grew up, the name of your first pet, and the name of your third grade teacher.

Or, if you want to find out if someone else already has your credit card number, email it to me and I’ll tell you.

The Racism on Google Maps Seems To Be Gone, So What Is This?

Late last night, Jon Russell of TechCrunch wrote:

“Google has confirmed that it is making changes to its Google Maps service to stop racist terms and other inappropriate words from displaying location search results. The issue blew up this week after searches for “n*****” or “nigga” were found to pull up the White House and other locations associated with African Americans and other ethnic minorities.”

Most people would never type those words into Google Maps, yet when someone did, the White House came up as the top search result. Another search for “N*gger University” turned up “Howard University.” These were initially posted to Twitter by a user named Bomani X (@AceBoonCoon), who spoke with me a couple of hours after making the shocking discovery about his alma mater.

Google posted a blog entry titled “Sorry for our Google Maps search mess up”, in which the VP of Engineering & Product Management, Jen Fitzpatrick, says:

“This week, we had some problems with Google Maps, which was displaying results for certain offensive search queries. Like many of you, we were deeply upset by this issue, and we are fixing it now. We apologize this has taken some time to resolve, and want to share more about what we are doing to correct the problem.

At Google, we work hard to bring people the information they are looking for, including information about the physical world through Google Maps. Our ranking systems are designed to return results that match a person’s query. For Maps, this means using content about businesses and other public places from across the web. But this week, we heard about a failure in our system—loud and clear. Certain offensive search terms were triggering unexpected maps results, typically because people had used the offensive term in online discussions of the place. This surfaced inappropriate results that users likely weren’t looking for.

Our team has been working hard to fix this issue. Building upon a key algorithmic change we developed for Google Search, we’ve started to update our ranking system to address the majority of these searches—this will gradually roll out globally and we’ll continue to refine our systems over time. Simply put, you shouldn’t see these kinds of results in Google Maps, and we’re taking steps to make sure you don’t.

Again, we sincerely apologize for the offense this has caused, and we will do better in the future.”

Just before midnight on May 21st, Twitter user Ardit Ferizi posted a screenshot taken of a Google Maps search for ‘prostitution house’ which (sure enough) points to the White House. I repeated these results at 0600 PST, May 22nd, and the results are the same.


Some free advice:

If the staff at Google Maps needs help getting out of the woods, perhaps they should try Apple Maps or Bing.

This is just more evidence that Google is trying to cure a cancer with a series of Band-Aids.  The solution is not to maintain the status quo, and then remove offensive content one at a time as they find it.  As I’ve been saying for a long time, the solution needs to be systemic.  Sign this Petition and help be part of the solution.

Breaking News: Howard University shows up as 'N***er University' on Google Maps

BREAKING NEWS: A few hours ago, Bomani X (@AceBoonCoon) updated his Twitter feed with yet another one of his shocking discoveries on Google Maps. Yesterday the world took notice when he posted an image of his Google Maps results where he found that when he searched for the keyword ‘nigga’ or ‘nigger’, the White House would come up. Unfortunately, President Obama and his family are not the only targets of this deplorable prank. When you run a Google Maps search for ‘nigger university’ you get search results for ‘Howard University,’ a private university in Washington, D.C.

I spoke with the 22 year old Bomani just a few minutes ago to find out how he came across this new discovery:

“I am a recent graduate of Howard University, and after finding the Google Maps results for ‘nigger house’ a group of us Howard Alumni were looking around Google Maps to see if there was more.”
“We were discussing the issue for quite a long time when we found ‘nigger university’ and it turns out that those results were for the University we just graduated from.”

Bomani went on to say that

“I felt very disheartened to find these results in 2015. I just graduated from Howard University you know?  And to have graduated from such a prestigious university, and achieved something I can be proud of, this [discovery] made it feel like that accomplishment was being diminished.”

According to Wikipedia: Howard University is a federally chartered, private, coeducational, nonsectarian, historically black university in Washington, D.C. It is classified as a research university with high research activity. 

Based on that description, one can only assume that the racist prankster singled out “historically black university” and decided to insult not only President Obama and his family, but everyone at Howard University and ultimately everyone of color. Surpassing that, I think it would be safe to say that anyone with basic human decency would be offended at the notion of putting down a group of people based on skin color.

Defacing Google Maps around the world for fun or to draw attention to a larger problem is nothing new. Read some of my previous blog entries to see for yourself. Publicly attacking an entire race of people accomplishes nothing but dividing humans from other humans, instead of finding commonalities which bring people together. This country has had a rocky past, as have most others. Our strength is in our ability to unite in spite of our differences. The more we dialogue and refuse to be divided, the stronger we will be.

Google Maps has disabled their MapMaker product as of May 12th, yet more and more ‘bad edits’ and inaccurate data come to light. Considering that Google rectify these various flaws, how many more institutions and historic landmarks need to be publicly defaced with the most vile and racist word in the English language before Google actually fixes the problem?

There is already a petition to ask Google to fix the problem. Sign it, and let’s see if we can at least prevent this from continuing to happen again.



Google Maps shows White House as ‘N***er House’

Yesterday, The Huffington Post and other media outlets across the world reported that when Google Maps users searched for the words ‘nigga house’ and ‘nigger house’ the results would pull up The White House.  I shouldn’t be surprised by the extremely racist and hateful actions, but I am.


Many people in the online world know me for a variety of Google Maps related pranks, such as getting Google Maps to suggest that Edward Snowden was hiding out on the White House lawn, and probably the most notorious prank was last year when I demonstrated that Google Maps could be used to intercept calls to the Secret Service & FBI. That prank alone caused Google Maps to shut down their verification of new businesses for six weeks while they evaluated their practices. More about this in my recent TEDx talk, Wiretapping The Secret Service Can Be Easy & Fun.

Ah, lovely memories.  (Seriously; I’m pleasantly surprised that the Secret Service let me keep my memories.)

A pathetically racist stunt like this is, to put it mildly, nine miles below me.  But at first blush, it has potentially broad ramifications.  Racists are not generally renowned for their massive intellects.  Indeed, quite the exact opposite.  So the idea that one person could simultaneously be ignorant enough to think that the most vile epithet in the English language should direct people to our nation’s most powerful person, yet also smart enough to hack Google Maps, could make us question whether our assessment of racists as a class of people is incorrect.  And the irony is positively Morissette-esque to ponder that perhaps the very blind prejudice that we abhor so much in racists may indeed blind us ourselves to the multiplicity of people who happen to hold different views on racial equality than we do. Perhaps our own intolerance of intolerance is as inappropriate as intolerance itself.

Don’t worry, liberals and moderates and everybody who knows how to spell “KKK”, but chooses not to.  There’s a much simpler explanation.  In fact, Google Maps has been so easy to “hack” that even a racist moron can do it.

But believe it or not, there are abuses of Google Maps arguably viler than an offensive piece of Presidential humor.  Don’t get me wrong; I hate THAT WORD the maximum amount that that word can be hated.  But if there’s one thing that is arguably even more offensive than a piece of hate speech, it’s billions of dollars in fraud every year, which scammers and spammers steal from legitimate businesses and government offers every year through hacks of Google Maps and the other search engines.

The problem is so bad that it’s why I recorded calls to the Secret Service in the first place; and why I’m writing a book exposing the problem that will be released later this year.

You may have noticed that I used the past tense to describe the ease with which even the most cerebrally challenged individual can manipulate Google Maps.  That is because as of right now, Google has – much to its credit – disabled one of the main sources of fake businesses, their Mapmaker product.  Google is currently pondering potential changes to the site that could reduce, or even eliminate, our ability as citizens to pull “pranks” like the ones we are discussing (both the racist one and that multi-billion dollar one).  You can help try to inspire Google to make real change by signing this Petition to lobby Google to make specific changes that could add billions to the revenues of legitimate businesses and public coffers.

The current “prank” is definitely beneath me.  But the practices that made it so insanely easy to add race hate to the world’s most popular search engine are beneath Google.  And if this story helps tip Google even a little bit closer to the wholesale changes to Maps that are vitally necessary, then it shows that even the most disgusting pile of shit can help to fertilize a beautiful plant.


10 Best Google Maps Pranks

Google Maps has had quite a bit of the spotlight recently, with various user-submitted pranks making international headlines under Google’s watchful nose. I myself have been responsible for more than just a few of these pranks.

1. Edward Snowden’s Super Secret Hiding Place
(on the lawn of the White House)

This is easily my favorite. It was the first in this list because it was my first Edward Snowden / White House related Google Maps prank.
KOMO News even filmed the process and watched me build it live, along with renaming the Library of Congress to the Zoolander School For Kids Who Can’t Read Good.

2. Intercepting Calls to the Secret Service & FBI

This was less of a prank and more of a practical / ominous demonstration of what can actually be accomplished when Google Maps has very large holes in their security / verification processes. I was able to build business listings that were identical to the real Secret Service in Washington DC, and the FBI in San Francisco. Within a few minutes, I was able to manipulate reviews, and outrank the originals, and then any calls to my fake business listings would then be routed directly to the real Secret Service & FBI. In the first day there were quite a few calls to these fake listings from unsuspecting local and federal agents that I was able to record and then demonstrate live to the Secret Service. I just gave a TEDx talk where you can hear more about it if you like. This article is from Valleywag / Gawker by Nitasha Tiku. You can even hear 2 of the recorded calls that were in this original news story.

3. Jack Bauer’s Old Hiding Spot

Who doesn’t like Jack Bauer?  Remember how he spent a lot of time at the White House? I thought people would like to see that be more official.

4. Edward’s Snow Den – Snowboarding Shop
(inside the White House)

I built this on April 7th or so, to be used in a demonstration for my TEDx talk to show how the flaw that existed for the Secret Service prank still exists over a year later.
Someone ended up finding this and it made news all over the world, and I started to get messages from friends and family, and journalists who know of my previous “shenanigans.”

5. North Korean Concentration Camp Gets Renamed

Kim Jong Un is ridiculous. In a bad way. In a, I have nuclear weapons and don’t take my medication sort of way.
So I found a concentration camp on the map, and renamed it to something more appropriate.

6. The Church of Scientology aka church with no sense of humor. Or Sense.

Some of my friends told me that making fun of the “Church” of Scientology is not a wise idea. Well neither was potentially getting sent to Guantanamo Bay for doing my best impression of the NSA and recording the government.

7. Vlad The Impaler

This guy’s views on LGBT rights are practically in the stone age. Sucks that he is one of the richest people in the world and most people who stand up to him end up getting shot and left for dead in the street in the middle of the day.

8. The Mormon Comedy Club (at the Mormon Temple in Salt Lake City, UT)

Man, I really love South Park, specifically Matt Stone and Trey Parker.  They are consistently willing to challenge authority and show that not everything should just be accepted without criticism.
They are hysterical, and so I made the Mormon Temple into the Mormon Comedy Club.

9. Westboro Baptist Church

These guys know how to take a joke right?
They never ever react horribly or blow things out of proportion?
Someone send this to them.

10. Google Android Pees on Apple Logo

Of the top 10 in this post, this is the first one that I did not create. But I had to pay respects to the time and effort that went into creating this.
This prank, along with numerous others (listed above), was a large factor in Google’s decision to suspend the MapMaker product, which acts as a crowdsourcing tool for all Google Maps users to submit “helpful” content that would then appear on Google Maps. Looks like they didn’t prevent a lot of the “helpful” data from showing up on the map.

CyberDust | Mark Cuban's Privacy Keystroke Of Genius

The tension between technology and privacy is not new.  Imagine the excitement of the first man to hold a pair of binoculars, before the world knew that such a thing could even exist.  He could see what others thought was safely hidden.  (Boobs, one only assumes.)  Granted, the power to invade privacy with complete freedom can have its downside; just ask Gollum.

Before binoculars, a person had the right to believe that, if there was nobody visible outside her window, her privacy was secure.  After binoculars….if you didn’t close your blinds, you were looking to put on a show.

This basic human truth has evolved into a concept of law called “the reasonable expectation of privacy”.  It was birthed by our Supreme Court in Katz v. United States, where the Court decided that a person had the right to believe that his conversation in a phone booth would be private; even though he was in public.  That was a bad day for cops who wanted the only pair of binoculars in town.  Technology made an advance (the wiretap), and then privacy reclaimed some of that ground.  The system maintained some level of balance.

But in the nearly 50 years since Katz, privacy has been on a nasty losing streak.  Technology has done a progressively better job of capturing moments that had previously been private.  And now, with cameras and smart phones everywhere, the zone where you have a right to a “reasonable expectation of privacy” has narrowed to basically your bathroom with the lights off.  Most of the general public is not even sure what their privacy rights are, let alone what to demand as a fundamental privacy right.  As we are all conditioned to expect less and less privacy, expressions like “Don’t write anything in an email you wouldn’t want to see on the front page of the New York Times” start finding their way into our day to day life.

We are so used to the notion that everything we write and say is immune to privacy that it would serve us well to take a deep breath and realize just how f-ed up and out of proportion our world has become.  Really?  Just because you text “meet me at the restaurant” instead of saying it into someone’s ear, it HAS to exist for all time?  And if you’re meeting someone at the restaurant to pick up a dime bag of weed (in 48 states, at least), a cop can read the text and throw you in jail?  There has always been a tension between technology and privacy…but lately, technology has been the inmate with all the muscles and tattoos, and privacy has been the accountant convicted of tax evasion.


Well, good news for privacy fans:  Mark Cuban had a keystroke of genius (his record of success is far too long for it to be luck) with his new app called CyberDust. Cyberdust is the future of text messaging and replaces most email communications as well. Mark has publicly demonstrated that by conducting business via the cutting edge mobile app.  Earlier this year, BusinessInsider.com reported that after Mark Cuban’s email correspondence was leaked as a result of the Sony hack, he negotiated a new contract exclusively over Cyber Dust.  When the most demanding shark in the entire tank uses Cyber Dust every day, you can be sure the bugs have been worked out.

The concept is simple. Cyber Dust messages disappear 24 seconds after you open them. They do not get stored, saved, cataloged or archived. Once the message disappears, that’s it. At first it seems like a dream and a nightmare rolled into one.  What if you forget what you just read 30 seconds ago?  Our modern age has conditioned us NOT to remember things, because we know that information typically lasts forever.  But on the plus side….this does mean that you at least have a fighting chance of keeping your private conversations exactly what you intended them to be. Private.

Obviously, just because the technology exists doesn’t mean that it’s for everyone.  Some people like the transparency and permanence of the current state of technology.  Some think it’s an Orwellian nightmare from which we’ve been waiting for decades to emerge.  Reasonable minds can disagree.  I am sure that if you are in the “If you are doing nothing wrong, then you have nothing to hide” camp then you wouldn’t mind the government putting audio and video surveillance inside your home or asking you questions about your emails. You go ahead and volunteer and tell the rest of us how things are going.

The implications of Cyber Dust are more profound than the mere fact that some people will use it.  Its very existence opens the door to the fact that Americans could once again have a reasonable expectation of privacy in what happens on their phones.  Perhaps, just like in Katz, our Supreme Court could strike a blow against the kids (the cops) living the good life in the candy store (nearly ubiquitous access to our everyday lives).  Sure, a ruling like that would require not just the right facts, but for 2-3 conservative justices to die before President Obama leaves office; preferably at an “Eyes Wide Shut” type orgy gone horribly right; I mean, wrong.  (Hey, a libertarian can dream.)

From a privacy and security perspective, this app sets a new standard that many developers will find hard to live up to. It has a lot of the novelty that Silicon Valley craves, as well as keeping end users protected, and even cultivating an environment where people on Hollywood’s A-List can feel safe & free to talk without having to worry about their unfiltered remarks ending up on the front page of TMZ.

You might not be shocked to learn that Mark uses the app he owns. Would you be surprised to learn that you can download the app  (available on Android & Apple Store)  and send Mark  a message that he will reply to?  His Cyber Dust ID is blogmaverick in case you wanted to give it a shot.  The other sharks from Shark Tank are on Cyber Dust, as well as numerous Mavericks players, celebrities and technology icons. Cyber Dust has a “popular” list of users here.

If you have any computer or cyber security questions, feel free to message me on CyberDust, my ID is +bryanthemapsguy.

About The Author
Bryan Seely is a former US Marine, ethical hacker, author and cyber security consultant.
Watch Bryan in his recent TEDx talk “Wiretapping The Secret Service Can Be Easy & Fun!”
Add Bryan on LinkedIn.com



Why Google May Finally Be Done Ripping You Off

As of yesterday, Google has disabled its “Mapmaker” feature.  According to SearchEngineLand, who spoke to Google insiders, the reason is to attempt to curb “pranks” such as my hilarious and moderately known classics:  Edward’s Snow Den in the White House, and several from February of 2014 detailed on Blumenthals blog including a different Snowden related prank on the White House lawn.

Of course, I did not make these “pranks” because I love a good joke.  Rather, I have gone to great lengths to attempt to expose the multi-billion dollar fraud that spammers and scammers use Google Maps to perpetrate on the American public.  In short:  fake business listings dominate the Google landscape.  If you hire one of these businesses and you get cheated, you have no recourse.  If you hire one of these businesses and you don’t get cheated, the government does; these fake businesses do not pay taxes.  The problem is so massive that I’m writing a book in the hopes of exposing the fraud perpetrated not just through Google, but through the other search engines as well.

That’s why this development from Google is such a big deal, and why it could lead to even more monumental progress in the battle of good versus evil.  I heartily commend Google for disabling the feature to reevaluate its practices, and sincerely thank them for it.

Of course, Google has disabled this feature once before.  Back in 2014, all I had to do was use Google Maps to wiretap the Secret Service, then confess to what I did, then persuade the Secret Service I wasn’t crazy, then watch the Secret Service ask Google to fix the problem.  And it worked; Google shut down the service for six weeks.  Then it re-enabled it, with no visible improvements whatsoever.

This time, I’m really hoping that they take better advantage of their hiatus.

But what do I want them to do specifically?  I’m glad you asked, me.  In short:

  1. Require businesses to disclose a physical address, either to Google privately or publicly, rather than permit the use of so-called “Postal Box” stores, which make fraudulent listings far easier.
  2. Discontinue its telephone verification system for businesses, in favor of cross-referencing the prospective listing against business license records or reasonably equivalent information, to effectively prevent fraudulent businesses from obtaining Google listings.
  3. Improve reporting tools to provide an efficient and transparent means for fraudulent businesses identified by the public to be removed by Google.
  4. Limit the abuse permitted through crowdsourcing by limiting the number of edits that company profiles are allowed to make without additional scrutiny being applied.
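
A sketch of how recommendations 2 and 4 could be checked in code, which would also catch look-alike listings such as the ones described in the Secret Service and FBI demonstration. This is an added example, not Google's process or code from the original post; the registry, the listings, the field names, the 0.85 similarity cutoff and the edit limit are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher


def norm_text(value):
    """Case-fold and drop punctuation so cosmetic edits do not hide a match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", value.casefold()).split())


def norm_phone(phone):
    """Compare on the last ten digits, ignoring formatting and country code."""
    return re.sub(r"\D", "", phone)[-10:]


def review_listing(listing, registry, max_edits_per_day=5, lookalike=0.85):
    """Return the reasons a submitted listing needs manual review.
    An empty list means it matches a license record and looks routine."""
    reasons = []
    name = norm_text(listing["name"])
    best, best_score = None, 0.0
    for record in registry:
        score = SequenceMatcher(None, name, norm_text(record["name"])).ratio()
        if score > best_score:
            best, best_score = record, score

    if best is None or best_score < lookalike:
        # Recommendation 2: no business license record backs this listing.
        reasons.append("no-license-record")
    else:
        if best_score < 1.0:
            reasons.append("lookalike-name")
        if norm_phone(listing["phone"]) != norm_phone(best["phone"]):
            # Same business name, different number: calls would go elsewhere.
            reasons.append("phone-mismatch")
        if norm_text(listing["address"]) != norm_text(best["address"]):
            reasons.append("address-mismatch")

    # Recommendation 4: bursts of edits get additional scrutiny.
    if listing.get("edits_last_24h", 0) > max_edits_per_day:
        reasons.append("edit-burst")
    return reasons


# Constructed license registry (555-01xx numbers are reserved for fiction).
REGISTRY = [
    {"name": "Example Federal Field Office",
     "address": "100 Example Ave NW, Washington, DC",
     "phone": "+1 202-555-0100"},
    {"name": "Harbor Street Locksmith LLC",
     "address": "12 Harbor St, Seattle, WA",
     "phone": "(206) 555-0142"},
]

# Constructed submissions: genuine, cloned with a new number, look-alike, unlicensed.
GENUINE = {"name": "Example Federal Field Office", "phone": "202-555-0100",
           "address": "100 Example Ave. NW, Washington DC", "edits_last_24h": 1}
CLONE = {"name": "Example Federal Field Office", "phone": "202-555-0177",
         "address": "100 Example Ave NW, Washington, DC", "edits_last_24h": 9}
LOOKALIKE = {"name": "Example Federal Field 0ffice", "phone": "202-555-0100",
             "address": "100 Example Ave NW, Washington, DC", "edits_last_24h": 0}
UNLICENSED = {"name": "24/7 Emergency Locksmith Seattle", "phone": "206-555-0199",
              "address": "PO Box 77, Seattle, WA", "edits_last_24h": 0}

if __name__ == "__main__":
    for label, item in [("genuine", GENUINE), ("clone", CLONE),
                        ("lookalike", LOOKALIKE), ("unlicensed", UNLICENSED)]:
        print(label, review_listing(item, REGISTRY))
```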

Some of these changes wouldn’t cost them anything; others might cost them a lot.  But the cost of not making these changes is simply too high.

To paraphrase Jerry Maguire, help me help Google help you.  Sign the ONLINE PETITION, asking Google to make these changes before they reinstate Mapmaker.  Post it around Ye Olde Internete, and let’s get as many signatures on this petition as possible before Google decides what to do.

If Google follows these suggestions, I will fly to their headquarters at my own expense to thank them in person.  I might not even get kicked out of their lobby by security.  If they don’t….well, there’s always the book.

Google MapMaker taken offline Because Of Hacker

One month ago, I gave a TEDx talk called “Wiretapping the Secret Service Can be Easy & Fun” at TEDx Kirkland.

Today I got word that SearchEngineLand.com was reporting that Google MapMaker will be taken offline because of increasing amounts of fake and fraudulent edits that they are no longer able to hide from the general public. In essence, MapMaker and the Google Maps product ecosystem are completely out of control.

According to Barry Schwartz, the author of the article:

“But these hacks and fraudulent edits have been going on for a long long time, it took one man’s efforts, Bryan Seely, to expose these loopholes to the world to force Google to take down Map Maker”

The Google MapMaker team spoke with Barry Schwartz of SearchEngineLand.com and attributed the decision to take MapMaker offline to various pranks and spammy edits, such as Edward’s Snow Den in the White House and a Google Android character doing its business on the Apple logo.



I could not be more happy at Google’s decision to suspend their MapMaker product. Personally, this fight to get Google to acknowledge the problem even exists has dragged on for far too long.

It has been 1 month to the day since I gave a TEDx talk that specifically addressed many problems at Google Maps and other local business directories, and to hear that their decision has been attributed to my efforts makes the entire fight worth it. It has not been an easy journey, and I had to pull out some crazy tricks that I would not care to repeat to get the job done. Intercepting calls to the US Government is not something I would ever recommend, and the odds that I would have gone to prison are far higher than I wanted to think about.

There is still more to be done, lots more. My work is not finished by any stretch of the imagination, but if you would like to help, like this article and share it. The more people who can see the truth for what it is, the sooner we can put an end to maps fraud.

Bryan Seely


Hacking LinkedIn and my surprising discovery

I really need to find a better hobby. Apparently, normal people don’t think about website behaviors nor do they try to exploit them like some damn child prodigy looking at a crypto puzzle in a Bruce Willis Movie (Mercury Rising). I’m not saying I am a child prodigy by any means. I am 31.

This story starts on a sunny day in Seattle, and yes, we have plenty of those days here. 5 to be exact. The rest of the year is terrible so don’t move here, it’s awful, and you won’t like it. The traffic problem is bad enough as it is. So stay in Arizona, California, or whatever state you are still in because the grass is not greener here.

There I was at work, minding my own business and kicking ass as usual when I started to get the pangs of longing for engaging, collaboration and connecting that only LinkedIn could provide. LinkedIn has officially become more important to me than Facebook. I take my career very seriously as anyone can see from my LinkedIn profile.

Something had been bugging me though. It had to do with the way LinkedIn structured their website security / permissions around invitations and profile views. This persistent nagging turned into fierce annoyance after thinking about it for too long and finally I had enough. It was time to solve this mystery once and for all.

Here is what I was able to discover
Let’s say that you have a basic membership. There are a variety of restrictions in place that prevent you from being able to network with people outside of your work / social circles. Say you were to invite someone you don’t know. Either you will be asked to provide the user’s email address, or click a radio button to tell the person how you know them. This could be a colleague, friend, former co-worker or just some random girl you happen to be stalking because she is cute and you want to help her “develop her resume”.

Now I noticed that when users viewed my profile, there was a button to invite them at the bottom of their picture. Example below.

To the left you notice that this person viewed your profile while conducting his search for “henchmen.” He views your profile, but that’s it. Perhaps you are not evil enough for his requirements, or maybe he is just too busy to send an invite.

If you click on the button to add him, it would send him an invitation. However, if you went to his profile first, and clicked connect, it would ask you to “clarify” your relationship with this person like a 14 year old clingy teenager passing notes in 3rd period. Some users don’t appreciate unsolicited invitations so they require that someone knows their email address to be able to send an invitation. This security requirement was “waived” if they had viewed your profile. This was fine and dandy until I figured out that I could trick LinkedIn into thinking that anyone I wanted had viewed my profile.

Bring on the Geek Speak
This is where things get a little bit geeky. The URL that the above button linked to vs the regular connect button was different. The button’s behavior was centered around the fact that the user had viewed you and therefore knew of your existence. So if you could get someone to view your profile who had their security setting enabled to require an email address, it would make no difference in the world. Here is half of that URL string:

The part following “ed=” is some sort of variable that the link would populate to identify the individual user. This “token” was an identifier of the person that had viewed you, and the URL was the fast track to inviting them. I should note that this token is about 24 characters long and is NOT available on the user’s profile page. So how do you get that token? You have to look on other users’ pages for it. Here is how that was accomplished.

Search for Bryan Seely on LinkedIn and you will find this little section to the right. There are 10 users. Now right click on the page and click “view page source”. CTRL-F to find a specific word, and look for “ed=” without quotes. Go to the bottom of the search results and you are going to find 10 results that all have this 24 character string after the ed=. Those tokens will be for the 10 people to the right in the “People Also Viewed” section.

Now if you haven’t put it together yet, don’t feel bad. Those strings can be inserted in place of the security token of the person who had previously viewed your profile.
Paste the original link from the Dr. Evil add button into notepad and then replace his token with one that you grabbed from my buddy Zuckerberg (although I have a feeling he might not return my calls due to my previous mention of Facebook not being as important anymore.)

Paste that link into a new tab, and an oddly shaped invitation page would come up with the person’s name, and the custom field to send them a message of your choosing. Click the send button and off it went.

So I now had the ability to invite whomever I wanted, but I hadn’t confirmed that the invitation was actually going to be sent out. So I proceeded to gather as many security tokens as I possibly could. As you might have guessed, I sent invitations to Bill Gates, Mark Zuckerberg, Michael Dell, Mark Cuban and even the CEO of LinkedIn. Whoops?

I am Bryan’s Complete Lack of Surprise
I was not surprised when none of them accepted my invitation to connect, until Steve Wozniak did. Then Daymond John the CEO of FUBU accepted too. The invitations were showing up in my sent items and famous people were either ignoring me or they will get to adding me when they are back from Africa fighting malaria / tuberculosis or whatever other selfish pursuits they are throwing tens of Billions of dollars at. I feel good giving $100 to charity, imagine how good you would feel giving $50 Billion, see? Selfish.

I must clarify that some of the users that I sent invitations to did not have email address validation requirements. But some of them did. This URL trick didn’t seem to care about that at all. This was a definite problem. Not only did it allow me to send invitations to anyone, it also allowed me to send messages to whomever I wanted, without having to pay for Inmail or any upgrade to my account.
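The flaw described above comes down to the fast-track link treating the token after “ed=” as proof that its owner had viewed your profile. The sketch below is an added example, not LinkedIn’s code or the fix they shipped: the data model, function names, key and sample members are all hypothetical and constructed for illustration. It puts a handler that trusts the token next to one that looks up the profile view on the server before waiving the email requirement.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data; every name and value here is hypothetical.
SERVER_KEY = b"demo-only-secret"
MEMBERS = {"dr_evil": "evil@example.com", "zuck": "zuck@example.com"}
REQUIRES_EMAIL = {"dr_evil", "zuck"}     # members who demand an email to be invited
PROFILE_VIEWS = {("dr_evil", "bryan")}   # (viewer, viewed) pairs the server recorded


def member_token(member_id: str) -> str:
    """Static 24-character per-member token, standing in for the value after 'ed='."""
    return hmac.new(SERVER_KEY, member_id.encode(), hashlib.sha256).hexdigest()[:24]


TOKEN_TO_MEMBER = {member_token(m): m for m in MEMBERS}


def invite_trusting(sender: str, ed: str) -> bool:
    """Flawed fast track: a valid token alone is taken as proof of a profile view."""
    return ed in TOKEN_TO_MEMBER


def invite_checked(sender: str, ed: str, email: Optional[str] = None) -> bool:
    """Hardened fast track: the token only names the target; the server decides."""
    target = TOKEN_TO_MEMBER.get(ed)
    if target is None:
        return False
    if (target, sender) in PROFILE_VIEWS:
        return True                      # target really viewed sender: waiver applies
    if target in REQUIRES_EMAIL:         # otherwise the normal email rule still holds
        return email is not None and hmac.compare_digest(
            email.lower().encode(), MEMBERS[target].encode())
    return True


if __name__ == "__main__":
    swapped = member_token("zuck")       # a token that did not come from a real view
    print("trusting handler:", invite_trusting("bryan", swapped))
    print("checked handler: ", invite_checked("bryan", swapped))
    print("genuine viewer:  ", invite_checked("bryan", member_token("dr_evil")))
```

The identifier in the URL can stay as it is; what changes is that the waiver is decided from the server’s own record of who viewed whom, so swapping in another member’s token only falls back to the normal invitation rules.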

After sufficient testing and the creation of a dummy account to test the receipt of the invitations, I sent an email to security@linkedin.com. Now my relationship with large website security teams thus far has not been ideal. I spent months telling Google of a huge problem, and had to record conversations to the Secret Service and FBI to get them to do anything about it. They refused help, they refused advice, and refused to fix the problem. They shared nothing, admitted no problems, and essentially denied that the problem even existed. They shut off new business registrations for over a month, and didn’t fix a thing. It’s actually worse now than it was when I reported it. I could easily do it all over again and Google won’t stop it.

Color Me Impressed
Within a few hours of sending LinkedIn an email, an actual human responded. I was going to call the person Steven Tyler (because he is a frickin rock-star) but that is not giving proper credit where it is due. David Cintz is a Technical Program Manager with LinkedIn Security. He isn’t a low level Tier 1 analyst, or a customer service rep. This is a guy who can actually fix the problem. I don’t know what the internal escalation steps are, but LinkedIn treats problems seriously and doesn’t waste time having someone unqualified pull up an email and then try to figure out if it is serious or not. David Cintz handled everything perfectly, from start to finish. He responded to every email, with either acknowledgement or thanks, promptly, and I was treated with respect. This is the way to handle this. David and his team set the bar for what my expectations are for every company that I will ever deal with in the future.

Now keep in mind that this was Thursday and he replied numerous times on Friday, Saturday and Sunday. This guy isn’t some shift worker that works odd days of the week. This is a technical program manager in the security department who is responding in the evenings and over the weekend to make sure that they are able to solve this problem to protect their members.

Forgetting for a moment that by discovering this exploit, I probably screwed up a few people’s weekend plans, the LinkedIn Security Team had the problem entirely fixed well before start of business on Monday. They even politely asked me not to release the exploit details until they had a fix in place. I am certain that other companies would lawyer up, make threats or otherwise escalate the situation. LinkedIn handled the entire situation with grace, tact, and professionalism. They recognized that I was not the enemy and didn’t waste a single second to protect their members, and in doing so, they were able to engage and communicate with me to fix the issue much faster than if they had ignored or otherwise mishandled the situation.

The Merch of Silicon Valley
After it was all said and done, the problem was fixed quickly. I politely asked for a potential reward to include but not limited to: T-shirt or polo shirts, stickers, a LinkedIn branded Ferrari, cute female interns, or perhaps a water bottle or pen. They sent me a majority of the things on my list as a thank you. The Barbie doll riding a Hot-Wheels car inside of the water bottle was a nice touch.

Kissing A** and Dropping Names
I am a huge fan of LinkedIn. It has allowed me to now network with several heroes of mine, Kevin Mitnick and Steve Wozniak being two of the biggest. I met people who then got me the job that I have now. I was connected to a charity which allowed me to mentor young Marines and other veterans coming back to the civilian world. I have made friends, colleagues, and been able to engage others to form relationships that are transforming my life daily. After this extremely positive interaction with LinkedIn Security and seeing how well led and managed they are at every step of the way, I can safely say that I am in good hands with AllState LinkedIn.com.

Bold Type and Bold Claims
Hell, the CEO might love LinkedIn, but I wager to say I love it more. On a percentage basis, it has changed my life far more than I ever thought possible and LinkedIn has gained an evangelist for life.

What’s next for me? I wish I knew. Stay tuned though, I am just getting warmed up. Now I really have to go prep for Miss America 2015, as hacking is not an easy thing to showcase during the talent portion. I have to do well on the talent portion as the swimsuit portion seems to give me problems.

Your friendly neighborhood ethical hacker, US Marine and comedian,
Bryan Seely
Twitter: @bryanthemapsguy
Email: bmseely@gmail.com

If you like this, please share, like or feel free to just send me large suitcases full of money.

For spelling or grammar complaints: 1-800-THIS-IS-TOO-MANY-NUMBERS
email: m_as_in_mancy@aaaaa_thats6as.com

Also, for those people who want to say this is not technically hacking, you are correct. If you can think of a verb that better describes what this was in 2 syllables or less, please feel free to let me know. Otherwise write your complaint out, and then go search Google for your purpose in life because you need to do something more constructive with your time.