Came across the following job posting at Bandcamp on the afternoon of Friday, January 11, 2019.
Senior Fraud/Risk Engineer
Bandcamp seeks an experienced fraud/risk engineer keen to track, restrain, and outwit an ever-mutating assortment of platform abusers. You’ll be the primary developer and expert authority on potential risks, playing a key role in growing a nascent team into a dedicated, effective, well-run operation...
To apply, gather the crumbs (starting with your cookies).
1. Get URL from cookies in browser console
Open the browser console and type document.cookie.
This returns the cookies, including this one:
fraud_job_url=Over+here%3A+bandcamp.com%2Fectotherm%2Fsnakeoil_requests%3Fsnakeoil_param%3Dfrog;
Then, decode the cookie value (it is URL-encoded like a query string, with + standing for a space):
Over here: bandcamp.com/ectotherm/snakeoil_requests?snakeoil_param=frog
2. View URL provided
View the URL provided in the cookie... Simple enough (see attached image).
3. Review request log
What is the "SnakeOil" user agent? Weird.
Also, I scanned the WHOIS records for each IP address (using Python).
import whois  # python-whois package (pip install python-whois)

# IP addresses taken from the request log
adds = [
    "142.105.231.139",
    "26.254.222.156",
    "67.251.67.22",
    "24.6.92.142",
    "76.254.222.156",
    "209.222.7.238",
    "66.249.79.5",
    "76.111.23.8",
    "46.254.222.156",  # IP seems suspicious; also, Snake-Oil user-agent?
    "108.20.122.18",
    "96.254.222.156",
]

for a in adds:
    print("------------------------------------------")
    print(a)
    try:
        print(whois.whois(a))
    except Exception as e:
        # some addresses have no usable record; print the error and keep going
        print(e)
I found one IP address with a curious record.
46.254.222.156
{
  "domain_name": "ITKM.RU",
  "registrar": "RU-CENTER-RU",
  "creation_date": "2002-07-17 20:00:00",
  "expiration_date": "2019-07-18 21:00:00",
  "name_servers": [
    "ns1.itkm.su.",
    "ns2.itkm.su."
  ],
  "status": "REGISTERED, DELEGATED, VERIFIED",
  "emails": null,
  "org": "Flex Ltd."
}
4. Fan URL Review
I investigated the fan URL requested by the curious IP address.
http://bandcamp.com/gilamonster
The fan name is "&snakeoil_user=gilamonster". I doubt many artists would prefer to encode their name in a query string.
Also, there were only three songs in the artist's repository. Each contained code (JavaScript) in flat images. I transcribed the code from the images and ran it in the browser; within the code, the function Launder was Bandcamp-specific: it made a request to Bandcamp itself to validate the code.
A successful validation alerted me of next stop:
https://bandcamp.com/ectotherm/snakeoil_crumbs
5. SnakeOil Crumbs
Another page with minimal preformatted text (see attached).
The content was mostly the headers of an HTTPS POST request, with some of the values obfuscated. I reproduced the request (using Python) and replaced the blank values with the ones I had collected while wandering through the other steps.
import requests

url = 'https://bandcamp.com/ectotherm/get_the_snakeoil_password'
headers = {
    # User-Agent copied from the crumbs page (the "SnakeOil" agent seen in the request log)
    'User-Agent': 'SnakeOil/5.0 (USER 9.0; Agent 6.0; String/5.0) Gecko/321',
    "Content-Type": "application/x-www-form-urlencoded",
    # requests computes Content-Length from the body on its own; 45 is the length of the
    # form-encoded body below and is kept here only to match the crumbs page
    "Content-Length": "45",
    "Host": "bandcamp.com",
}
# the blanked-out values, filled in from step 1 (snakeoil_param) and step 4 (snakeoil_user)
d = {"snakeoil_param": "frog", "snakeoil_user": "gilamonster"}
response = requests.post(url, headers=headers, data=d)
print(response.text)
A successful request returned the following text:
gilamonster uses the dumbest password you can think of - log in with it at bandcamp.com/ectotherm/constrict_login
Guess I'm ready to login.
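The crumb-gathering in steps 1, 4 and 5 is really one small pipeline: decode the cookie, pull the URL and its query parameter out of it, read the second parameter out of the fan name, and form-encode the pair as the POST body. The script below is an added example (standard library only, not code from the original write-up or from Bandcamp) that does exactly that offline; the cookie string and fan name are constructed from the values quoted above, and the extra "other=1" cookie is made up to show that unrelated cookies are ignored. It also shows where the Content-Length of 45 in the crumbs page comes from.

```python
from urllib.parse import unquote_plus, urlsplit, parse_qs, urlencode

# Constructed input: document.cookie as the console would print it. The
# challenge cookie is the one quoted in step 1; "other=1" is a made-up extra.
RAW_COOKIE = ("fraud_job_url=Over+here%3A+bandcamp.com%2Fectotherm"
              "%2Fsnakeoil_requests%3Fsnakeoil_param%3Dfrog; other=1")

# Constructed input: the fan name from the gilamonster profile page (step 4).
FAN_NAME = "&snakeoil_user=gilamonster"


def parse_cookie_header(raw):
    """Split a document.cookie string into a dict of name -> decoded value.

    Cookie values need not be URL-encoded, but this one is form-encoded
    ('+' for space, %XX escapes), so unquote_plus is the right decoder;
    plain unquote would leave the '+' characters in place.
    """
    jar = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        jar[name.strip()] = unquote_plus(value)
    return jar


def extract_crumb(text):
    """Return (host+path, query params) from the decoded cookie text.

    The decoded text reads 'Over here: bandcamp.com/...?snakeoil_param=frog';
    the URL is the last whitespace-separated token and carries no scheme,
    so one is prepended to make urlsplit treat the first segment as a host.
    """
    token = text.split()[-1]
    parts = urlsplit("https://" + token)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.netloc + parts.path, params


def parse_fan_name(fan_name):
    """Decode a fan name that is really a query-string fragment.

    parse_qs skips the empty pair produced by the leading '&'.
    """
    return {k: v[0] for k, v in parse_qs(fan_name).items()}


def build_post_body(params):
    """Form-encode the gathered parameters as the body of the step-5 POST.

    Returns (body_bytes, content_length). This is the value requests would
    compute for Content-Length on its own; hand-setting it is unnecessary.
    """
    body = urlencode(params).encode("ascii")
    return body, len(body)


if __name__ == "__main__":
    jar = parse_cookie_header(RAW_COOKIE)
    url, params = extract_crumb(jar["fraud_job_url"])
    params.update(parse_fan_name(FAN_NAME))
    body, length = build_post_body(params)
    print(url)            # bandcamp.com/ectotherm/snakeoil_requests
    print(params)         # {'snakeoil_param': 'frog', 'snakeoil_user': 'gilamonster'}
    print(body, length)   # b'snakeoil_param=frog&snakeoil_user=gilamonster' 45
```

Running it prints the request path, the two parameters, and the 45-byte body; swapping unquote_plus for unquote in parse_cookie_header is an easy way to see why the plus-decoding matters for cookies that were written as form data.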
6. Mock Login Page
Went to bandcamp.com/ectotherm/constrict_login and tried gilamonster as the user and password as the password. What else could be the "dumbest" password I could think of?
A successful login returned me to the original job posting, only now with the email h***********[email protected] present.
7. Document my steps and email my info.
Great challenge. Thanks!
Screenshot of the "gilamonster" profile page
Notice that the album covers for the three "songs" are code.