Plaintext Liker Social Network - needs help prioritizing security
by AngryWeirdo - May 02, 2021 at 07:02 PM
#1
Quote:https://www.liker.com/liker.png

We are sorry, but Liker is done beta testing and is temporarily down for a BIG upgrade.
Liker 2.0 is coming soon (early May) and it will blow your socks off! We’ll send all of our users an email when we’re back in style...

Idea: dehash a 100 line file and post your progress in a link below. This is time-sensitive but due to the "bcrypt" difficulty, it's impossible to dehash 364k user hashes

=> I'm providing my progress in the liker.potfile for free to get started. Made-up example: $2a$08$kdflblahblahblahblahblah:trustno1

A social network geared toward leftie/democrats was hacked and the leak posted here: https://raidforums.com/Thread-Liker-Data...-Exclusive

  • If they're opening in the next week or so, I think it'd be great if we could increase awareness that their passwords are REALLY bad.
  • Let's try to dehash the passwords to encourage social networks to take password difficulty more seriously and also consider prioritizing security more in general.

https://www.mediafire.com/file/gn9qm6a6j...ar.gz/file or https://raidforums.com/attachment.php?aid=1702

  • I've broken (only) the hashes into 100 line increments under /splitt/hash.txt*
  • rockyou.txt can be found here: rockyou.txt wordlist - GitHub https://github.com › releases › download › data › rockyou
  • Each 100 line file takes about 5 days using my AMD GPU using the command:
    % sudo hashcat -w 3 -m 3200 -a 0 -O --potfile-path ~/.hashcat/liker.potfile --session LIKER -D 1,2 hash.txt.azz rockyou.txt

If you have access to the "users.csv" in the Liker thread above, there is also a Perl "merge.pl" to merge the potfile with the users.csv file (see the other raidforums thread).

See attached.
Reply
#2
Latest potfile is here: https://www.mediafire.com/folder/2g7trmw89ob5p/latest

Hopefully others can drop their potfiles from hashcat into a readable location and I'll keep merging.
Reply
#3
If they are going through the effort of making an entirely new website, why wouldn't they have users sign up again or reset passwords?
Reply
#4
(May 02, 2021 at 09:18 PM)verking Wrote: If they are going through the effort of making an entirely new website, why wouldn't they have users sign up again or reset passwords?
Never underestimate developer laziness.

I see two options:
1) they send everybody a password reset link (issue: such links often expire in 24hrs and if the users don't expect them, they're likely to go unheeded)
2) they wait until the person logs in (then offers them a reset link).
=> This is what happened with the UtahExchange hack, where users did nothing, or reset it back to the same password anyway.

Option #2 is better because users can still log in (no obstacles) and passwords still get reset. No obstacles => Eyeball metrics rise faster => Investors happy
Option #1 is 'safer' if you assume that the passwords are exposed as close-to-plain-text => People may give up if the password reset link expires too quickly (users are also lazy)

Developers know that the passwords were hard to break so they'll likely go with Option #2.
Reply
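
Option #2 from the post above, as an added example that is not part of the original thread: the old password gets the user only as far as the reset form, and a reset back to the leaked password is refused. PBKDF2 from the Python standard library stands in for bcrypt, and the `Account` class and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2 (standard library) stands in for bcrypt so this runs offline.
ITERATIONS = 600_000

def hash_password(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

class Account:
    """Hypothetical user record; the field names are illustrative."""
    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.leaked = []          # (salt, digest) pairs that were in the leaked table
        self.must_reset = False

def flag_breached(account):
    """Run once for every account whose hash was exposed."""
    account.leaked.append((account.salt, account.digest))
    account.must_reset = True

def login(account, password):
    """The old password still authenticates, but only to reach the reset form."""
    if not verify(password, account.salt, account.digest):
        return "denied"
    return "reset_required" if account.must_reset else "ok"

def complete_reset(account, old_password, new_password):
    """Accept the new password only if it differs from every leaked one."""
    if not verify(old_password, account.salt, account.digest):
        return False
    if any(verify(new_password, s, d) for s, d in account.leaked):
        return False  # user tried to reset back to the exposed password
    account.salt, account.digest = hash_password(new_password)
    account.must_reset = False
    return True
```

Because the leaked hash is kept for comparison only and never used for authentication after the reset, the "reset it back to the same password" outcome described above is blocked without storing any plaintext.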