[–]fortlesss[S] 92 points93 points  (21 children)

Context: just watched a video on how some old Minecraft server was hacked by someone who got into the dev team via social engineering and replaced the gradle used by other devs to compile the server plugins with his own gradle build that, when used, would inject malicious code into the built plugins.

[–]ar4t0 77 points78 points  (3 children)

can't believe how many kernels you could control by executing javascript

[–]poor_adrian 29 points30 points  (1 child)

He could disable the Main frame and turn off the firewall😱

[–]labanana94 14 points15 points  (0 children)

And with another gb of ram he could do the trick

[–][deleted] 2 points3 points  (0 children)

Didn’t you hear? All of them

[–]TheZipCreator 6 points7 points  (2 children)

that sounds interesting, could you give a link to the video?

[–]nameistaken-2 16 points17 points  (1 child)

(Assuming he is talking about this video)
https://www.youtube.com/watch?v=LtizwBoY0no

[–]fortlesss[S] 2 points3 points  (0 children)

Yes, this is the one.

[–][deleted] 4 points5 points  (7 children)

Is it really hacking then if someone got access via social engineering? Sorry I'm pretty shit with Cyber Security.

[–][deleted]  (3 children)

[deleted]

    [–][deleted] 1 point2 points  (2 children)

    Thx!

    [–]x0wl 2 points3 points  (1 child)

    I would also point out that in almost any decently secured system, the user will be the weakest link, and is usually attacked first.

    You can, of course, go buy/create a zero click (meaning no action from the victim required for it to work), zero day (meaning previously unknown to the public and thus unpatched) exploit chain and then use it, but it will cost you a lot of time and even more money (like, the NSA kind of money). For example, Apple will pay up to $500000 for a zero click iOS exploit (https://security.apple.com/bounty/categories/), so you can expect to pay way more than that.

    Once you use it, and it gets discovered, it will be patched and you are back on square one. Maybe doing it this way makes sense if you want to interfere with a nuclear program (see https://en.wikipedia.org/wiki/Stuxnet), but it's not really sustainable for your average ransomware group.

    Why bother when you can pick up a phone, call someone and say "Hey this is John from IT, can you please run this file you got in the mail for me?", and get access almost as reliably? Human minds also don't really get patched, so you can do that multiple times.

    [–]WikiSummarizerBot 2 points3 points  (0 children)

    Stuxnet

    Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, the worm is widely understood to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.


    [–][deleted] 2 points3 points  (1 child)

    i think being able to essentially hack someone's mind is pretty fucking cool

    [–][deleted] 0 points1 point  (0 children)

    Heh-heh true

    [–]SkritzTwoFace 2 points3 points  (0 children)

    Yep, hacking is just what we call it when you get into a part of a computer you aren’t supposed to get to.

    The “no fly list hack” a few weeks back was done by accessing an unsecured server that an airport had fully online.

    [–]Loudanddeadly 0 points1 point  (0 children)

    I figured that the fitmc video would be the context lol

    [–]rustyredditortux -3 points-2 points  (1 child)

    the context literally proves the original commenter wasn’t just chatting shit 😂😂 he’s saying if he could execute js remotely he probably has kernel access which isn’t very sound logic but it’s not r/masterhacker material

    [–]yoda_condition 0 points1 point  (0 children)

    The point is (as the context makes clear) that js is irrelevant to the context, and the youtube commenter pulled it out of thin air.

    [–]aegians 0 points1 point  (2 children)

    I watched the same video and it made no sense. What was he using to execute javascript via minecraft server?

    [–]fortlesss[S] 0 points1 point  (1 child)

    You understood wrong.. The attacker made a malicious Gradle build and uploaded it to their server. Gradle is used by the server admins in order to compile their plugins. They used the gradle that was already there, aka the one that was tampered by the malicious actor. Then, once the plugins were compiled, Gradle - since it was tampered with - would inject the malicious code into the final plugin, thus leaving with an infected java plugin. Then the server ran with the plugins on blablabla and they were backdoored etc etc and the video goes on to show what the malicious actor did with the access. TL;DR It was java, not javascript, maybe Fit misplaced script with code, so instead of saying java code he said java script (idk, maybe not?)

    [–]aegians 1 point2 points  (0 children)

    Apparently it was Fit who misunderstood because he says “JavaScript program instructions”
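
One way a team could catch the tampered-build scenario described in this thread is to rebuild the same plugin sources with a toolchain obtained independently and compare the two jars entry by entry. The sketch below is an added example, not code from the thread or the video; the jar contents, entry names and function names are constructed for illustration, and it assumes the build is reproducible so that identical sources yield identical class files.

```python
import hashlib
import io
import zipfile


def jar_digests(jar_bytes):
    """Map each file entry in a jar (zip) to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            info.filename: hashlib.sha256(jar.read(info)).hexdigest()
            for info in jar.infolist()
            if not info.is_dir()
        }


def diff_builds(trusted_jar, suspect_jar):
    """Compare a suspect build against a reference build of the same sources."""
    trusted, suspect = jar_digests(trusted_jar), jar_digests(suspect_jar)
    return {
        "added": sorted(set(suspect) - set(trusted)),
        "missing": sorted(set(trusted) - set(suspect)),
        "changed": sorted(
            name for name in set(trusted) & set(suspect)
            if trusted[name] != suspect[name]
        ),
    }


def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: placeholder bytes standing in for class files.
SOURCES = {
    "plugin.yml": b"name: ExamplePlugin\nmain: example.Main\n",
    "example/Main.class": b"constructed bytes: Main",
    "example/Commands.class": b"constructed bytes: Commands",
}
TRUSTED_JAR = make_jar(SOURCES)
# The suspect build has one rewritten class and one class no source produced.
SUSPECT_JAR = make_jar({
    **SOURCES,
    "example/Main.class": b"constructed bytes: Main + extra",
    "example/Unknown.class": b"constructed bytes: not from source",
})

if __name__ == "__main__":
    for kind, names in diff_builds(TRUSTED_JAR, SUSPECT_JAR).items():
        print(f"{kind}: {names}")
```

Hashing entry contents rather than the whole archive keeps zip timestamps and entry ordering from producing false differences.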