Arthur “was just training” when he found the flaw in May 2019. A year later, with the flaw still unfixed, the hacker decided to play with the state of the page by injecting an XSS (cross-site scripting), a basic and very common class of web vulnerability in which attacker-supplied script or markup is rendered as part of a page served from the legitimate domain. A crafted link can therefore show the victim attacker-controlled content while the browser's address bar still displays the site's own domain. “I found the page and realized that it looked old; I thought about injecting XSS and it worked!” he said in a conversation. “I decided to make a joke due to the current situation and to call attention to [the vulnerability] being corrected”, he adds.
The technique is simple, but it can compromise many users at once. Because the injected content is served under the trusted domain, the attacker can present a page visually identical to the expected destination; the victim, seeing the legitimate address, may then hand sensitive data such as credentials straight to the attacker. For an institution such as the Federal Supreme Court, this is an extremely serious occurrence. The page injected by Arthur is still live at the time of writing. On it, it is possible to play one of the first versions of Minecraft, specially named STF Craft.
Arthur’s second “joke”
In June last year, Arthur Carrenho performed an even more remarkable feat. The researcher applied the same strategy to Bank of America, the second largest bank holding company in the United States. Through the XSS injection, a playable copy of the game Doom loaded on a page served under the bank's own domain.