Warning about textem.net
-
personally, i'll continue to use it, because its old and if a hacker looking for something of vaule came along, they would find nadda. but i personally recommend you do listen to maple on this one, the devs of this site never respond to my emails and haven't been active online since 2019 on facebook. i think they abandoned textem.net and just didn't get around to shutting it down or were simply too lazy too.
-
i'll try to find names and such to message them personally
-
but given the fact we have google reading your sms already and stuff i myself am not that afraid of this. data breaches are everywhere now adays, but still i will try to find names, emails ect. and message them.
-
i forgot to mention i hacked teh admin account accidentally cus of bad authentication practices. this site is fucked
-
eh, i already know of alternative sites
-
do you wanna do "security tests" on em?
-
i'll give you links in the resource center gc
-
alright, i sent maple a link, the resource center will get a list of safer alternatives out shortly
-
M maple referenced this topic on
-
this is a public vulnerability disclosure, cus i cant reach the developers of textem.net and i noticed bdns users (even staff members) use this site often.
tl;dr: textem has multiple vulnerabilities, potentially compromising all your texts, password, email address. i suggest deleting your account asap and using a different platform.
textem is an old texting site from 2006 and still seemingly popular. here are three vulnerabilities ive found, the exact details are withheld to avoid malicious attacks on users.
1. broken access control (+ config file misconfiguration)
while this is technically a category of vulnerability, i wasnt able to pinpoint the exact vuln name. however because of a misconfiguration in a certain file and lack of adequate access controls, any user's texts are revealed to the public. as a user, you cannot prevent this or retroactively remove your texts. this is extremely easy to take advantage of.2. improperly sanitized input.
this one is far more dangerous, however slightly more technical (involving writing exploit code) as it allows an attacker to essentially control any user's browser, without warning or alert. this means steal your passwords, read your texts, show you fake login websites for your email, bdns, etc. and you wouldnt even know it.3. lack of rate limiting, poor password standards, and weak admin passwords
im editing this one in cus i forgot about it. but essentally any user's account is typically extremely easy to bruteforce. in fact, while testing, i could hack the admin account in less than 10 minutes.
the presence of these easily exploitable vulnerabilities means theres likely even more issues, potentially even more dangerous. if you are a user, please follow these steps:
- if you rely on textem to communicate, immediately switch to a different website.
- change passwords (ideally to something unique and even forgettable, make sure you never reused it anywhere else - after all, youll be leaving the website anyway)
- if you discussed private matters in texts (e.g sharing passwords), assume its public and act accordingly.
- delete your account if possible.
again, i havent been able to contact the developers, but if they ever fix this, ill update this post :3
@maple Warning: only read if ur a developer
by the way anybody calling themself a hacker would know what "improperly sanitized" means: they're rendering something (probably texts in this case) as HTML and not plaintext, which means somebody could literally just SEND SOMEBODY CODE which would run on their machine.
-
i forgot to mention i hacked teh admin account accidentally cus of bad authentication practices. this site is fucked
