Hacker takes over Honi Soit Website
The editors of Honi Soit have been locked out of the website by an anonymous USYD student.
An unauthorised article has been published on the website of USYD student paper Honi Soit, with its author claiming to have found “major vulnerabilities” in Honi Soit’s website. Titled "PDA - Dear Honi", the 149-word message reveals no clear malicious motive, and little about its author beyond that they are a 3rd year Electrical Engineering and Computer Science student.
The post also makes reference to a “cyber attack” during the Sydney Computing Society’s recent “bot battle” event. It is unknown if the same individual is responsible for that incident. The hacker, going by the name "flopper", claims to have "no malicious intentions", stating that the exploit was "just something stumbled across". They also stated that "it would be nice if Honi Soit cooperated, for their own sake".
Noise has confirmed that the attack was unrelated to the current “Unauthorised Stalls Day” being run today in protest of the controversial new Campus Access Policy.
Initial attempts to remove the post were foiled by the author, who stated that they will keep re-uploading, and asked Honi not to test them. Further attempts to remove the article failed with the hacker naming themselves hackerman123 and placing admins on a “1 day probation”, and restricting their access to the site. The most recent update includes a shoutout to us here at Noise after we reached out to them for comment.
The Noise team understands that the vulnerability in question is related to a backend script with incorrect permissions, which let the attacker gain access to the site's WordPress admin panel. It appears unrelated to the XSS vulnerability in WordPress earlier this year. The Honi team confirmed to Noise that the hacker did not engage in "responsible disclosure", where a period of notice is given privately after an exploit is found.
Angus, one of the editors of Honi Soit, has confirmed to Noise that “After a breach of the website, the Honi Soit editors have been locked out for at least the next day”, and that they “are working with the SRC to rectify the issue and regain control” of the site. “Beyond the post visible on the home page, there have been no changes to other articles, and the hacker responsible said he has no intention to take such action.” Notably, articles scheduled for today went up as planned, despite the Honi team being locked out of the site.
With the current state of internet security in mind, make sure to update your passwords, use CAPTCHAs on your websites, and be kind to your local CompSci student!
More to come.