FBI spams thousands with fake infosec advice after 'software misconfiguration'

Doctor Syntax Silver badge

Re: Whoever did what

Krebs's article explains. It sounds weird. Weird as in "what were they on?". The sign-up process resulted in a one-time code emailed to the new user's email address. So far, so 2FA. But the email seems to have been generated client-side and sent to the server with a POST request which included as parameters not just the email address, but also the subject and body, so by feeding POST requests to the server, the server would send out whatever emails were requested.

No weak passwords required: no passwords required at all. Apparently IE was required, however. I suppose it stopped those wicked Linux users getting access.
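The design flaw described in the comment, as an added example that is not code from the post, the article, or the system discussed: a sign-up handler that trusts client-supplied subject and body beside one that takes only the address and builds the one-time-code message server-side. The handler and field names are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


def handle_signup_weak(form: dict) -> OutboundMail:
    # Flawed pattern: whatever subject/body the client POSTs is what gets sent,
    # so the endpoint is effectively an open mail relay with the site's sender.
    return OutboundMail(to=form["email"], subject=form["subject"], body=form["body"])


OTP_SUBJECT = "Your one-time sign-up code"  # fixed, server-owned template


def handle_signup_hardened(
    form: dict,
    issue_code: Callable[[], str] = lambda: f"{secrets.randbelow(10**6):06d}",
) -> Tuple[OutboundMail, str]:
    # Only the recipient address comes from the client; subject and body are
    # composed here. Unexpected fields are rejected rather than silently dropped,
    # so attempts to drive the mailer show up as errors in the logs.
    extra = set(form) - {"email"}
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    email = form["email"]
    # Reject CR/LF so the address cannot smuggle extra headers into the message.
    if "@" not in email or "\r" in email or "\n" in email:
        raise ValueError("invalid email address")
    code = issue_code()
    body = f"Your verification code is {code}. It expires in 10 minutes."
    return OutboundMail(to=email, subject=OTP_SUBJECT, body=body), code
```

The hardened handler also returns the issued code so the caller can store it (hashed, with an expiry) for the later verification step.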
