A combination of logic flaws and system misconfigurationA Web application security researcher has uncovered several security issues in the Black Hat Uplink portal. The bugs allowed users to view the real-time video streams from the security conference without paying the access fee.
Black Hat is a technical security conference, which brings together thousands of industry researchers, professionals and journalists every year in Las Vegas. Black Hat and its sister conference DEF CON, are widely viewed as the top security events and hacker gatherings in the world.
At this Black Hat USA edition, the organizers are providing a portal, where non-participants can view the presentations and keynotes in real time over the Internet. Dubbed the Black Hat Uplink, the system gives paying users access to two separate video streams, as well as post-conference material.
"With Black Hat Uplink, you can experience essential content that shapes the security industry for the coming year - for only $395," the organizers claim. However, as Michael Coates, a Mozilla Web security expert discovered, that wasn't necessarily true.
While in the process of signing up to watch the event, the researcher encountered some strange quirks in the system, which drove him to investigate further. After poking around for a while he managed to register a username without having to provide any credit card information. He then uncovered a special page that allowed him to log in successfully and watch the streams without paying.
"Clearly my non-standard path through the registration app had identified a few key security flaws in their design," Coates writes on his blog. "Now, to be fair, Black Hat didn't operate this video service themselves. They used a third party for the video application. But its still a bit ironic that the largest hacking conference in the world [has] this security hole in their video streaming service," he adds.
The researcher managed to get in contact with the company in charge of maintaining the service and the issues which he describes as “a combination of logic flaws and misconfigured systems” were addressed in a matter of hours.
You can follow the editor on Twitter @lconstantin