Hacker Highlight: David Creeks

Rowan Powell
Published in Dunelm Technology
5 min read · Feb 27, 2024


I’m Rowan, a tech lead at Dunelm, writing stories about the intersection of Engineering, Automation and Psychology.

I’m always fascinated by the post mortem breakdowns released by bug bounty hunters, compromised companies and hackers all across the ethical spectrum — the clever thinking and unfortunate alignment of the stars to allow people to weasel their way into systems has me enraptured — and inspired to tighten up the gaps in my own systems!

So today I want to put some attention on David Creeks, a nefarious hacker from California who managed to compromise the systems of a famous retailer and silently extract millions of customers’ personal info to sell on the black market, using a simple npm module.

David Creek photographed on the street outside his house in California

If you don’t know what an npm module is, it’s a chunk of code that has been uploaded onto a huge digital library of useful tools (packages) on a website called npm, or Node Package Manager, which other developers can then use in their own projects. It’s an extremely useful repository of information and functionality that every major company takes advantage of to vastly speed up development time; there’s simply no point reinventing the wheel if there’s a Lamborghini ready to go for free.

Packages can also make use of other packages themselves, which are called dependencies, so people can build on top of existing works and expand or combine them to create even more useful and powerful software. Dunelm, Google, Facebook and others even upload their own packages, built on top of the engineers who came before us, to this open source collaborative platform!

This is where David had a sneaky idea: what if he created his own package with some nefarious behaviour and people downloaded it into their codebases for him? Finding your way into a system can take time and a lot of digging, but if he could get in by already being on the inside, then no one would even be looking for him!

He created the react-redirect package, which would actually provide a useful and innocent enough tool to help developers: redirecting the user to a new URL and keeping track of where they had been on the website, a pretty handy bit of code. This package slowly gained pretty widespread adoption and nearly 14k weekly downloads!

After a few months he added a small dependency package which looked right at home as part of the code base: url-decode. No one digs through dependency packages by hand; there are typically far too many, and the whole system is built on trust anyway. This is what he was counting on. This little package actually let him run code on any page that used react-redirect, as it was included in the parent package, and that meant pretty much anywhere on a website that was using it.

The package had been picked up and included in the code base of a staggering number of projects at this point, but the jackpot was retail websites where customers were putting in information like name, address and bank card details. As companies started automatically downloading the latest version of his package, it was trivial for him to then start scraping the content of any input marked <input type="password"/> and forward it to his own private file storage server. He could now log into tens if not hundreds of thousands of online accounts, or simply sell the data on a digital black market, which is what he chose to do.

Unfortunately for him, when he went to sell this cache of valuable data on the black market it set off an alarm at the compromised retailer’s IT department. They kept an eye out for leaks exactly like this, and when a huge data dump came on offer, with sample data provided as proof of credibility that looked a lot like theirs, they got suspicious. Fast.

Monitoring their network didn’t help, as the code didn’t do anything on their own servers. Eventually, however, an engineer spotted the rogue request leaving their website with valuable data in tow and heading straight for David’s file server. When authorities were alerted and hacked into the file server themselves, they found his driver’s license among the files stored on there — he had been using his own personal file storage for his crimes.

That was it; he was caught, npm took down the malicious code and the data was recovered before it was ever actually sold.

Except none of this article is real. David Creek doesn’t exist. That first photo I simply generated in 2 minutes on https://www.unrealperson.com/, and the driver’s license was AI generated as part of 404 Media’s investigation into fake IDs. There was no npm package.

In the age of remote working and the scale of digital collaboration, we are relying more and more on photo and video evidence that people are who they say they are, and it’s getting harder and harder to tell. Realistic voice and video can be generated, and entirely plausible ID documents that would pass superficial checks can be created en masse.

We worry about phishing attempts via email coming from convincing sources, but are we prepared for them to include a photo your ‘boss’ took on the vacation you know she’s on? To get a phone call from the chap in finance you speak to every day and have it sound just like him?

AI is transforming the world and the IT department needs to be ready.

Like my writing? Check out Mission Impossible: QA and Fast as Light: The Dunelm Website!
