Inj3ct0r Team are claiming to have hacked one of its rivals, ExploitHub.
Both groups share the same business model: independent hackers can submit vulnerabilities and sell them in return for credit on the site or money.
In a post on Facebook, ExploitHub confirmed that they had been attacked after accidentally leaving an install script on their server, which allowed Inj3ct0r Team to reinstall its Magento eCommerce software. This allowed the attackers to gain control of its back-end systems and interrogate the site’s database.
However, ExploitHub claims that this database “only contains information used by the web application itself, as well as product information, such as exploit name, price, and author, but does not contain any actual product data, such as exploit code.”
It currently insists that, although leaving the install script was an oversight on its part, its actual product data is stored elsewhere, and that, so far, it has not seen any unauthorised access or any of its exploit code compromised or stolen.
So was it hacked, or wasn’t it?
It’s a bit of both, really.
Inj3ct0r Team did manage to get away with information in the database containing a list of exploits and how much they cost, but it’s simply that: a list. It’s promising to release the actual exploits if it gets 30,000 likes on its Facebook page by December 16.
Its current like count sits at about 15,500, so I’m guessing that this is simply a means to rack up a lot of likes and then use it as a convenient excuse to not release the so-called exploits it stole.
In the meantime, ExploitHub is having its own issues. Its website is currently down, and while it hasn’t provided a reason why, I wouldn’t be surprised if another group stepped up and claimed responsibility.
Perhaps most concerning is that both groups are aiming to profit from hiding exploits from the public eye. You can’t blame hackers for wanting to get paid for their efforts, but at the same time, the act of hiding security exploits makes the internet more dangerous as a whole.
As much as I hate to admit it, in order to get exploits into the public eye, these sorts of attacks are a necessary evil, and ones that lawful entities can’t be seen doing. Here’s a role for Anonymous to play — hackers hacking hackers — but that all depends on if someone can actually do it right.