Geez, a guy takes a few days off (the great blogger’s sin) and all hell breaks loose. The crew over at Is-Hacked.com is claiming they hacked into Flippa’s admin panel late last week. According to the blog post at Is-Hacked.com, they were running some kind of “routine task” at Flippa when they discovered a vulnerability.
According to the post, this was not a malicious hack. They were not trying to hack into their system nor were they trying to do any harm. In fact, according to them they notified Flippa’s top dogs within hours of discovering the breach. Flippa responded quickly and had the “massive vulnerability” fixed immediately.
When I first read about this I didn’t think much of it. For starters, I’ve never heard of Is-Hacked before and only ran across this story via a Google Alert that has been sitting in my inbox. For all I know, this could be a bogus claim and much to do about nothing. Furthermore, there hasn’t been a word from Flippa about this, which would lead one to believe there isn’t anything to the claim.
Having said that, Is-Hacked has a screenshot of Flippa’s admin panel published on their post. Unless the screenshot is a fake, you can clearly see they had full access to Flippa’s admin panel. They are promising to post a video as further evidence of the breach. The only reason they haven’t posted the video yet is because they are being threatened with legal action from Flippa, according to the post.
Is-Hacked is recommending any users of Flippa to change passwords for SitePoint, Flippa itself, PayPal, Escrow.com, Google Analytics, and any other account Flippa asks their users to associate with them. The reason for their recommendation is because they claim this was a “massive vulnerability” and getting access to Flippa’s private data was too easy. If they could figure it out, any hacker could – and most probably aren’t “friendly hackers” – so says Is-Hacked.
So was the hack real and if you believe it was, should you worry that your personal information may have been compromised? Good questions. These are the same questions I’ve been asking myself.
If there was a breach of any kind, you would think Flippa would alert users directly or at least post something on their blog. I didn’t get any message from Flippa and there hasn’t been anything on their blog about it, so who knows what’s going on.
It may be a pain to change passwords for all these accounts, but I suppose it’s better to be safe than sorry. I just wish Flippa would have said something either way. If any hack occurred, they owe it to their users to notify them of it. If it didn’t happen or if the breach was harmless, they should have said something to put this story to rest. Their total silence just makes things worse.

TravisVS
Guys, we’ve now been able to post about this, read it here:
http://flippa.com/blog/news/flippa-security-vulnerability-reported-and-fixed/
No financial details are stored on Flippa and admins have no access to passwords so these have not been compromised.
Dave:
Thanks for stopping by and updating us on this issue. I appreciate it. Good to hear nothing serious (i.e. financial data and passwords) were compromised.
Travis
Follow me on Twitter: FlippinLowdown
Justin, the only routine task I do there is get my daily fix of laughs.
Clinton, you’re so mean to those Flippa folks…lol.
Travis
Follow me on Twitter: FlippinLowdown
Travis, I get my laughs from the listings, not Flippa. So no meanness to Flippa intended.
However, I’ve just done a blog post about something very disturbing. It seems Flippa admins have access to log in to users’ accounts and read their private messages.
Good post – and good catch. I didn’t notice that when I saw the screenshot. This story just keeps getting better and better. Flippa has to come out now to put the fires out. They look really silly deleting a blog post that was even retweeted a few times.
Travis
Follow me on Twitter: FlippinLowdown
If admins had access to your PMs, the natural conclusion is that hackers have had access too.
So if you sent any Flippa user any access via PM – access to your GA account, your server stats, FTP login, domain control or anything else – consider it compromised.
Flippa likely deleted their blog post because they jumped the gun and the site isn’t completely secure yet.
That’s fine – so they jumped the gun but they shouldn’t remain silent at this point. A simple blog post stating they “posted something too soon,” followed by details of the hack is what they should do at this point. I’m sure they’ll eventually say something but remaining silent at this point makes no sense to me, but what do I know. I’m just a blogger.
Travis
Follow me on Twitter: FlippinLowdown
Admins do/did have access to users’ PMs, disputes and after-sales dialogue between buyer/seller.
Follow me on Twitter: ishacked
Is-Hacked.com blogger here.
Just to clarify a few points, flippa did write a blog post about this but then quickly removed it, not sure why. (http://www.burn-blue.com/image/view/UqsNxHP2/flippa-blog.png)
Video not released yet to give Flippa ample time to fix the vulnerability as set out in opening email to them. It will of course remove any doubts of a photoshopped admincp.
The only “data” we were given easy access to was a .csv of all users’ usernames/emails and obviously users’ telephone numbers, minimum bid price, or whatever data you type in.
Though more experienced/blackhat hackers than ourselves could have looked further into the system, so the recommendation to change passwords is more of a precaution than a necessity.
We emailed them within hours, and even tweeted an admin. A response was immediate, a detailed email the following day notifying us it was rectified promptly.
At least us developers who sell our going concerns can sleep better knowing flippa will be assessing the security after this breach.
Since your concerns are mostly about users’ data, here’s an exclusive of what admins can see of their users’ data. This is a screenshot of site admin fotini:
http://www.burn-blue.com/image/view/c6W32JOD/edit-user-top2.jpg
What’s below the screenshot is: Admin Notes, Suspend User, Change Username and Disputes. It usually shows telephone numbers, but fotini has not added any.
Hello again Justin.
Thanks for detailed post TravisVS.
Follow me on Twitter: ishacked
Adam:
Thanks for stopping by and for providing additional details and screenshots. What I don’t understand is why Flippa would blog about it and then delete it. It just doesn’t make sense. As a marketplace, you would think that transparency would be of utmost importance.
@Keith: Thanks for the Google cache link! Just to make sure we have a permanent record of the Flippa blog post, I took a screenshot of the cache page you provided. Here is the link to it:
http://www.flipwebsites.com/images/flippa-hacked-blog-post.jpg
Thanks for helping out and getting the cached page to me!
@Justin: If you read the Flippa blog post that we now have a permanent record of, it sounds like the “routine task” was just that – a routine task (signing in as a different user at Flippa). It’s good to know that not much was compromised and that Flippa was quick to resolve the issue.
Travis
Follow me on Twitter: FlippinLowdown
Scoop – Google cache to the rescue:
http://webcache.googleusercontent.com/search?q=cache:_aT1dZW1QskJ:flippa.com/blog/news/flippa-security-vulnerability-reported-and-fixed/+http://flippa.com/blog/news/flippa-security-vulnerability-reported-and-fixed/&cd=1&hl=en&ct=clnk&client=safari
It does make you wonder what kind of ‘routine tasks’ people perform on Flippa.
Follow me on Twitter: flipfilter