The Black Hat security conference attracts the crème de la crème of the security industry. This year the organizers even offered a paid live stream for those unable to make the trip to Vegas. Called Black Hat Uplink, the service carried a $395 price tag. But as security expert Michael Coates found out, the price could be waived entirely, thanks to “a combination of logic flaws and misconfigured systems which provided access to a testing login page that could be used with user credentials that were not fully "registered" (e.g. no payment received).”
Coates, who oversees web security at Mozilla, wrote on his blog that he was unable to attend this year's event and so decided to closely monitor it online. “In this process I noticed the new "Black Hat Uplink" service that would allow remote individuals access to streaming Black Hat talks from two select tracks,” he wrote.
“I identified a series of flaws that would enable the creation of an account with only providing an email address (e.g. no name, address, phone etc) and I was never asked to enter any credit card data. Odd I thought, perhaps you enter the credit card info upon your first login.” Upon completing the registration, he was faced with a slight problem: he didn't have a registration email to direct him to the login page.
“A few select Google searches and I ended up on a relatively vanilla looking login page. I have a username and a key, let's give it a shot. To my surprise the login was accepted and I was now sitting in front of the live Black Hat video stream.”
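The two defects Coates describes, an account that can be created without payment and a login page that checks the key but not the account's state, are a common logic-flaw pair. The following Python is an added, hypothetical model of that pattern, written for this article; it is not code from Black Hat, the streaming vendor, or Coates's post, and the account store, states, endpoint names and sample accounts are all constructed for illustration.

```python
"""Hypothetical model of the flaw class described above (an added example, not
the Black Hat or vendor code): an account store with a registration state, a
login check that ignores that state, and a hardened check that does not."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    PENDING_PAYMENT = "pending_payment"   # registered with an e-mail only
    ACTIVE = "active"                     # payment received, entitled to stream
    DISABLED = "disabled"


@dataclass
class Account:
    email: str
    key_hash: str                          # sha256 of the access key
    state: State


def key_hash(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Constructed sample data: one paid account and one that only completed the
# e-mail step of registration, the situation the article describes.
ACCOUNTS = {
    "paid@example.com": Account("paid@example.com", key_hash("key-paid"), State.ACTIVE),
    "unpaid@example.com": Account("unpaid@example.com", key_hash("key-unpaid"),
                                  State.PENDING_PAYMENT),
}


def credentials_ok(email: str, key: str) -> bool:
    """Credential check shared by both versions: constant-time compare, and a
    dummy hash for unknown users so timing does not reveal which e-mails exist."""
    acct = ACCOUNTS.get(email)
    expected = acct.key_hash if acct else key_hash("dummy")
    match = hmac.compare_digest(expected, key_hash(key))
    return match and acct is not None


def vulnerable_login(email: str, key: str) -> bool:
    """Checks the key and nothing else: a pending_payment account gets in."""
    return credentials_ok(email, key)


def hardened_login(email: str, key: str, endpoint: str = "login",
                   environment: str = "production") -> tuple[bool, str]:
    """Refuses non-production (test) login endpoints when running in production,
    and requires the account to be ACTIVE rather than merely to hold a valid key."""
    if endpoint != "login" and environment == "production":
        return False, "test endpoint disabled in production"
    if not credentials_ok(email, key):
        return False, "bad credentials"
    acct = ACCOUNTS[email]
    if acct.state is not State.ACTIVE:
        return False, f"account state is {acct.state.value}"
    return True, "ok"


if __name__ == "__main__":
    # The unpaid account passes the key-only check but not the state check.
    print(vulnerable_login("unpaid@example.com", "key-unpaid"))   # True
    print(hardened_login("unpaid@example.com", "key-unpaid"))     # (False, 'account state is pending_payment')
    print(hardened_login("paid@example.com", "key-paid"))         # (True, 'ok')
```

The point of the hardened version is that entitlement (payment received) is a separate decision from authentication (the key matches), and both must pass; the endpoint check covers the second half of Coates's finding, a testing login page that remained reachable, and reported by Google, on the production deployment.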
He wasted little time in contacting the event's organizers, holding off the public disclosure until they had fixed the flaw. He also revealed that Black Hat used a third-party solution for the video feed. Can't see them using the same vendor for the next event, though.