During my time on Discord speaking with Louis Rossmann and arranging the COVID-19 shot questions document, I was approached by another Discord user who asked to remain anonymous.
They said they had found a vulnerability with a major podcaster’s website, and having seen how I championed and drew attention to issues, wanted me to try to fix the issue.
They said they had tried to get in touch with the website owner, but no fixes had been issued and email addresses were still leaking. As proof, they gave me some code to run on the website. The issue was so bad, so flawed, that my first reaction was laughter.
Open Door Policy
Tragic, but I couldn’t call this “hacking”. I pressed Ctrl + C (copy), I went to the website, I pressed F12, then I pressed Ctrl + V (paste).
As someone who understands programming, I could confidently say the code I was given wasn't a hack. It was JavaScript that parsed already public text. The security was so bad that no hack was needed.
It is kinda like saying you needed a tour guide to show you around a bank because so many vault doors were open you’d get lost. Over here, we have this guy’s email, over there we have this lady’s email.
Emails, Thousands Of Them
I watched, horrified, as each refresh brought new emails. I almost signed up to this site once. The vulnerability discloser said he had been running an automated scraper for months and had picked up over 24,000 emails. As proof, he sent me a copy.
On the webpage alone I was already looking at easily a hundred. Easily over 25k, I thought to myself.
I had to do something. This was before I joined Substack. My only options, due to censorship, were Gab, Brighteon or direct messages. If you've ever been to my Brighteon channel because of Steve Kirsch's coverage of my EMA leak documents video, you may have noticed a handful of weird videos…
Enter Timcast
Yes, YouTube's favourite podcaster had an incredibly insecure website. I tried to contact Tim Pool, the owner of Timcast, directly, first through the website, then through Gab. No response.
Gab posts drew a whopping… 2 likes. Information Security “researchers” did not give a toss. Law enforcement didn’t care. It was time to wade in with videos. I dropped the first video.
Underdog Goes Ham
Why on earth is the video so… quirky, you might be wondering? I’ll let you in on a secret. Video production — for one person trying to keep up with a flurry of new research materials — takes a long time.
The EMA leak video, which received praise from Kirsch and moaning complaints about background music from commentators overlooking the seriousness of the issue, even at 15 minutes long and ‘to the point’, took two weeks to produce.
Two weeks non-stop, replete with crashes, rendering errors, copyright and legal uncertainties and more. For contrast, the 40 page COVID-19 questions document took one week non-stop. The EMA leak video script was barely 2 pages long.
Such a long time per video, in a rapidly developing situation where time was of the essence, was unacceptable. So, I admit, in the interest of time I cut corners and focused on rapid, punchy, even humorous videos mocking this embarrassing clown circus of a security farce. Instead of 2 weeks, these videos took roughly 2 days.
I was hoping the unusual visual style would get people’s attention.
I was wrong.
Doomed To Obscurity
Like the EMA leak video, the videos were doomed to obscurity. The highest number of views — even post-Kirsch publication — was 153. The idea one of the biggest podcasters on YouTube had a huge security leak apparently wasn’t interesting to anybody.
I created several videos documenting my frustrations, tongue-in-cheek humour parodying the classic over-hammed Timcast style, and my attempts to contact people.
In chronological order:
This video shows, with appropriate safeguards, that the exposed public information was indeed legitimate, and that it was so easy the recording was done in a single take. It also covers how an Information Security "researcher" ignored two consecutive emails despite publicly putting himself forward as a contact for disclosures of information leaks.
This video shows Timcast.com's hamfisted attempt to cover up the issue by, uh, deleting the data in the log where it was exposed, but neither turning the logging off nor making the log private, meaning it would ultimately fill back up again.
This video then covers what, if any, privacy policy Timcast.com had, only to find the privacy policy section incomplete and non-functional (you're supposed to be able to click and expand the section, but it is just plain text that caused text selection instead).
I then re-demonstrate that the leak is still not fixed. And it turns out it was worse: you could potentially hijack other people's paid-for registrations, because the log dumped the registration URL… and that URL allowed you to change the email.
It also shows proof that I contacted Timcast (again) to warn of the issue, using a single email of a prior Timcast guest to demonstrate the leak.
This video expresses the frustration of trying to draw attention to the major issues with the website. I return to show the leaked emails are back, show that failing to notify users of a privacy breach is illegal, and make a hamfisted attempt at a parody song.
Even now, Timcast is technically in breach of the law because he failed to notify his email subscribers their emails had been breached.
This video details all my efforts to raise awareness, and ironically the leak showed there were consequences for failing to secure the website, as hundreds of subscription cancellations were occurring. It was difficult to attribute it to my own work, as others were also trying to raise awareness in concert on the unofficial Timcast subscribers’ Discord.
I Tried To Notify The Exposed Subscribers Directly, And Failed
If the videos and trying to notify Timcast.com didn’t work, surely notifying the subscribers using the list of known emails could work? After all, “all” I have to do is send them one email each saying their contact details were exposed, right?
Wrong. Email service providers have gotten very strict on sending out emails these days, because as far as they’re concerned, everything you’re going to do or about to do constitutes ‘spam’.
Have more than 5 emails in an email? Spam. Try to send more than one email within an hour on a new account? Spam. Try to import a large number of email addresses? Spam. Try to send one email to one person? ‘F**k you’, says the email service provider, ‘everything you’re doing looks fishy’: spam. Everything I tried was failure.
The only way to send bulk emails out would be to pay an enterprise emailing system a wad of cash (one was thousands of dollars). Weighing the good it would do, I seriously considered it, and was about to take the cost on the chin. To make sure it was legal and above board, I read through their Terms of Service. I required the email owners' permission before I could legally use the enterprise service to email them. Something I definitely did not have.
I Turned To The Media
Up to this point I had been trying to engage in a process called ‘responsible disclosure’. I try to notify the first party of their data breach, they’re supposed to say ‘thank you for notifying us, we’ll patch this straight away’, and then an after-action report is published to let their userbase know what has happened.
I hadn’t gone to the media up to this point because I wasn’t looking to throw Timcast under the bus. What I was naively hoping for was I’d say ‘look out, your data files are exposed’ and he fixes it and everything is gravy.
Instead I ran out of options and had to turn to media. I intentionally avoided any sensationalist media outlets, for fear they’d turn it into a political attack.
The Register Journalist Saves The Day
I picked The Register, a UK based, tech-focused media outlet with a history of reporting on information leaks, usually with tongue-in-cheek humour. They're often better versed in tech security issues, and although they have a left-leaning bias, information security trumped political ideology, and they took such issues seriously.
It turned out, the journalist I spoke to knew Tim Pool, and said he had a means to contact him directly. What a stroke of luck! He said he’d report the vulnerability, and even more honourably, made no mention of turning it into an article.
I waited a few days but found the vulnerability was still there. I chased The Register journalist, and he said he’d follow up. Shortly afterwards, Timcast.com finally fixed the data leak, although they did so quietly, and in a manner I’d call dishonourable because they failed to notify their users of such a data breach.
How The Code Worked And Why The Site Was Vulnerable
Now that the vulnerability has been responsibly patched, I can disclose how the code works, and why it works.
According to the person who disclosed it to me, Timcast.com uses WordPress, and on their WordPress site they had not disabled the wp-eMember plugin's "debug mode".
For those of you who aren't tech savvy, "debug mode" is where you get a computer program to report a lot more information than normal so you're able to find 'bugs' (issues) with the software you're writing and remove ('debug') them.
Essentially, the program tells you everything, including sensitive information, and here it did so publicly. There was a text file on the Timcast.com website called "ipn_handle_debug_eMember.txt", sitting inside the plugin's own directory, which contained the pukings of the debug mode and exposed, publicly, thousands of email addresses over a stretch of time. The "ipn" in the name refers to the plugin's Instant Payment Notification handler, the callback a payment processor sends after a transaction, which is why payer details ended up in it.
They would be written to the debug log every time someone attempted to log into the website and every time someone registered for a new membership, so hypothetically you could also track activity. I personally didn't, but it wouldn't be hard to imagine there are others (cough NSA cough) who did.
Literally Anyone Could Have Viewed This
You couldn't just directly visit the text file and view it from anywhere, however. Running the fetch() version from the developer console only works from a page on timcast.com itself, because the browser's same-origin policy stops a page on another site from reading the response. That is a browser-side restriction, not a protection on the server: the website is public, so this was zero challenge. Anyone could see this.
Once on the timcast.com website, you'd press F12. This opens what's known as the 'developer console' for your web browser, from which you can run arbitrary bits of JavaScript in the context of the page, including code that works on the website's own data. That is exactly why you should never paste code you don't understand into it (this is how 'self-XSS' scams work).
The code I was given by the individual was this:
// Request the publicly readable debug log from the same origin.
fetch('https://timcast.com/wp-content/plugins/wp-eMember/ipn/ipn_handle_debug_eMember.txt')
// Blank the page so the results are readable, then read the response body as text.
.then(async data => { document.body.style.background = "#FFF"; document.body.innerText = "Loading..."; return await data.text() })
// Lowercase, split on whitespace or a literal '|', keep tokens containing "@" but not "(", and remove duplicates via Set.
.then(x => [...new Set(x.toLocaleLowerCase().split(/[\s|\n]/).filter(x => x.includes("@") && !x.includes("(")))])
// Write the distinct tokens into the page, one per line.
.then(x => document.body.innerText = x.join("\n"))
Don't worry if you can't read it. Long story short, it loads the debug text file, splits it into words, keeps the words containing an "@" symbol (synonymous with email addresses), lowercases them and removes duplicates, then prints one per line. It doesn't actually sort anything; the de-duplication is what turns a log of repeated activity into a list of distinct addresses.
It didn't bypass anything, it didn't inject any code into the website, nothing fancy; it was basically a data sorter for what was already public data. You could have just viewed the text file and done a manual, time-consuming search yourself for the same result. The simplest version was:
location = 'https://timcast.com/wp-content/plugins/wp-eMember/ipn/ipn_handle_debug_eMember.txt'
Which basically says 'just take me straight to that text document'. That was it. No authentication, no challenge, nothing. All public. To call this 'hacking' would be to call a walk in a public park, complete with disability access ramps, trespassing.
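To show what the "data sorter" actually has to get right, here is an added example of the same extraction written more carefully for Node.js. It is not code from the original post or from the anonymous discloser, and the log excerpt it works on is constructed for illustration (the real layout of ipn_handle_debug_eMember.txt is not reproduced on this page; only example.com and example.org addresses appear). It also keeps a copy of the original snippet's whitespace-split filter alongside, so you can see why that quick version collects key=value tokens rather than clean addresses.

```javascript
// Added example, not code from the original post or from the anonymous discloser.
// Runs under Node.js on a constructed log excerpt; the real debug log layout is
// an assumption here, and only example.com / example.org addresses are used.

// Constructed sample log: timestamps, key=value pairs and a parenthesised
// address, the kinds of tokens a plain whitespace split handles badly.
const SAMPLE_LOG = [
  "[2021-03-01 10:15:02] IPN received: payer_email=Alice@Example.com txn_type=subscr_payment",
  "[2021-03-01 10:15:03] Debug: looking up member record for (alice@example.com)",
  "[2021-03-02 08:41:55] IPN received: payer_email=bob@example.org txn_type=subscr_signup",
  "[2021-03-02 08:41:56] Debug: verifying notification with the payment gateway",
  "[2021-03-03 19:03:11] IPN received: payer_email=alice@example.com txn_type=subscr_payment",
].join("\n");

// Pragmatic email pattern: local part, "@", a dotted domain with a 2+ letter TLD.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Return a Map of lowercased address -> number of log entries mentioning it.
// Matching with a regex instead of splitting on whitespace means
// "payer_email=alice@example.com" yields "alice@example.com", not the whole
// token, and "(alice@example.com)" is counted rather than thrown away.
function extractEmails(logText) {
  const counts = new Map();
  for (const match of logText.matchAll(EMAIL_RE)) {
    const addr = match[0].toLowerCase();
    counts.set(addr, (counts.get(addr) || 0) + 1);
  }
  return counts;
}

// Summarise a log: sorted unique addresses plus the number of raw mentions.
// The gap between the two is the gap between "lines in the log" and
// "people exposed", which matters when estimating the size of a breach.
function summarise(logText) {
  const counts = extractEmails(logText);
  const unique = [...counts.keys()].sort();
  const mentions = [...counts.values()].reduce((a, b) => a + b, 0);
  return { unique, mentions };
}

// The original console snippet's filter, for comparison: split on whitespace,
// keep tokens containing "@" but not "(", deduplicate.
function naiveExtract(logText) {
  return [...new Set(
    logText.toLowerCase().split(/\s+/).filter(t => t.includes("@") && !t.includes("("))
  )];
}

console.log(summarise(SAMPLE_LOG));   // 2 unique addresses, 4 mentions
console.log(naiveExtract(SAMPLE_LOG)); // "payer_email=..." tokens, not addresses
```

On the constructed excerpt the regex version reports two distinct people across four log entries, while the whitespace-split version returns tokens such as payer_email=alice@example.com and silently drops the parenthesised address; that is the kind of over- and under-counting that makes a raw "25k" figure from a scraper an estimate rather than a count.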
The security was so bad, literally walk-in-through-the-door levels of bad, that despite how serious it was I could not contain my laughter. I was told by the individual who disclosed it that it had been occurring for at least 8 months, and it took me a good month on top of that to get the issue fixed, despite throwing everything at the wall. Apparently it is fixed by toggling one setting, the equivalent of flicking a switch that says 'close the public park gates'. Embarrassing. Turning debug mode off only stops new entries, though; the existing file still has to be deleted, and ideally the web server configured so that log files under the plugin directory are never served to the public at all.
Such mind-bogglingly huge and obvious security flaws being so difficult to get people to fix and disclose makes me wonder what other dreaded tech issues are out there exposing our personal information.
Thankfully, this is one less problem people have to contend with, thanks to help from The Register, although it would be nice if Timcast.com notified their subscribers of the information breach so that they stay on the right side of the law.
Well, this is upsetting. Having been a member since the first month it was active, and definitely logging in probably once a month at least, I have no doubt my email... which is literally my name... was leaked (rethinking that choice now, obviously).
I’m pissed he didn’t notify us. I’m tempted to drop a few super chats in his livestream tonight and be like, “wtf mate?”
Lmao what an idiot, is it intentional?