Harvard's Carr Center for Human Rights Policy website (www.hks.harvard.edu/cchrp/) was hacked last week and then silently fixed by the administrator without giving Reply/Credit to the Whitehat Hacker who reported the vulnerability. The Hack incident was performed in 3 Phases as described below:
Phase 1: A Hacker , with nickname "FastFive" posted a few sql injection vulnerable Educational sites on a famous Hacking Forum last week which included the SQLi vulnerable link for the Harvard Carr Center for Human Rights Policy website, as you can see in the list in the above screenshot taken by me.
Phase 2: Almost 100's of Hackers have seen the post from "FastFive" and they got some juicy information for their next targets. One of them named, "Vansh" successfully exploit the Harvard's site and extracted the database onto his computer. He Found the username and Password from the table and tried to login on the Admin access panel location. Yes, he was logged in with password "DOG". We have confirmed the User:Password validity before posting this news and below is the screenshot posted by the Hackers. For security reasons we are not disclosing any databases or usernames, but why are we disclosing the password ? It's because, using a three character password by the administration of one of the biggest universities makes me do so. I think even a brute force tool will take half second to crack such a weak password.
Phase 3: Because Vansh is a Whitehat hacker he decided to inform the Administrator without disclosing the Hack in public before the patch. He mailed the admins and was waiting for the reply from the last 2-3 Days. But today he saw that they fixed the vulnerability in the site silently without giving credit or a simple Thank you reply to this Hacker who informed them and revoked the access to all external IP's.
So, finally this NO REPLY made him inform The Hacker News and We educate you that Never use "DOG" as your Password. Happy Hunting !
