Being Hacked is Fun
posted by brian at 03:46 AM
Well, I hope someone is satisfied after hacking the Find Case People bot. Here's what I think happened...
A few days ago I noticed that the bot was mysteriously offline. The bot's log didn't seem to think it was offline, but it was. After trying to log it back on, no luck...
For a while I thought it was being rate limited, or that someone might have warned the hell out of it. But hours later it still couldn't get on. So I used AIM's Lost Password thinger to reveal the password, just in case.
The resulting password was random. I checked to make sure AIM sends you your current password and not a newly generated one. It does. Shit.
Bemused, I explored the possibilities...
1. Some bizarre protocol event in the incomplete and patched-together OSCAR library I'm using randomized the password by accident
2. Someone cleverly found a way to execute code by talking to the bot
3. Someone obtained the code (with plaintext password) from Subversion
4. Someone knows my Gmail password and had it sent
5. Someone knows my SSH password and obtained the code (with plaintext password)
6. Someone happened to browse to exogen.case.edu/now last week and obtained the code (with plaintext password)
7. Some other wacky vulnerability
Anyway, I logged in with the new password, changed it to something new, and the bot was back online.
A few days later, the same thing happened again, only this time Lost Password requests weren't being sent to my e-mail address. This ruled out the "random" option, I think, since the e-mail address changed as well.
1. Some bizarre protocol event in the incomplete and patched-together OSCAR library I'm using randomized the password by accident
The fun part, of course, is that now I get to change all my passwords and play detective.
The bot's log showed that no one tried anything suspicious when playing with the bot. This also revealed that no one else signed on as the bot while it was running, since that would have resulted in a message from AOL System Msg.
2. Someone cleverly found a way to execute code by talking to the bot
The Subversion option is completely possible. I'm using a (trusted) friend's Subversion server, and sharing it with another (trusted) friend. So I could have him check some logs if they exist, but I can't do it myself.
Sadly, Google does not cater to the paranoid among us so I can't see who else was logging into my Gmail account, if anyone. But that feature would be pretty awesome.
My SSH log shows that only two IPs had accepted logins for the past couple weeks, and they were both mine. That was a relief. Unless they were really sneaky and messed with the logs.
5. Someone knows my SSH password and obtained the code (with plaintext password)
My lighttpd log shows that only two IPs had requested anything at exogen.case.edu/now ever, and they were both mine.
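The two log checks above (accepted SSH logins and requests to exogen.case.edu/now) are the kind of thing worth scripting so the same question can be asked again after the next password change. The block below is an added example, not code from the original post: it parses constructed sshd auth-log lines and constructed lighttpd access-log lines (Common Log Format layout), lists the distinct source IPs behind accepted logins and behind requests under a path, and flags any IP not in a set of known-good addresses. The sample IPs are RFC 5737 documentation addresses and the file name under /now/ is made up; like the author's own check, it assumes the logs themselves were not tampered with.

```python
import re
from collections import defaultdict

# Constructed sshd lines in the syslog/auth.log layout; host name and PIDs are invented.
SSH_LOG = """\
Jan  3 22:10:02 exogen sshd[4021]: Accepted password for brian from 192.0.2.10 port 51234 ssh2
Jan  4 01:17:45 exogen sshd[4102]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan  4 01:17:49 exogen sshd[4102]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan  4 09:30:11 exogen sshd[4310]: Accepted publickey for brian from 192.0.2.11 port 51300 ssh2
Jan  5 03:40:00 exogen sshd[4550]: Accepted password for brian from 203.0.113.5 port 60001 ssh2
"""

# Constructed lighttpd access-log lines (Common Log Format style: host vhost user [time] "request" status bytes ...).
# The path /now/bot.py is a placeholder for whatever the bot's source file was actually called.
HTTP_LOG = """\
192.0.2.10 exogen.case.edu - [03/Jan/2007:22:15:01 -0500] "GET /now HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 exogen.case.edu - [03/Jan/2007:22:15:02 -0500] "GET /now/bot.py HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 exogen.case.edu - [04/Jan/2007:01:20:33 -0500] "GET / HTTP/1.1" 200 512 "-" "curl/7.15"
203.0.113.5 exogen.case.edu - [05/Jan/2007:03:38:10 -0500] "GET /now/bot.py HTTP/1.1" 200 8120 "-" "Wget/1.10"
"""

# sshd records a successful login as "Accepted <method> for <user> from <ip> port <n>".
SSH_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>.+?) from (?P<ip>\S+) port"
)
# Failed attempts look the same but start with "Failed"; the user may be "invalid user <name>".
SSH_FAIL = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed \w+ for (?P<user>.+?) from (?P<ip>\S+) port"
)
# CLF-style access line: client IP first, then the bracketed timestamp and quoted request line.
HTTP_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def ssh_accepted_logins(log):
    """Map each source IP to the list of (timestamp, user, auth method) it logged in with."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = SSH_ACCEPT.match(line)
        if m:
            seen[m["ip"]].append((m["ts"], m["user"], m["method"]))
    return dict(seen)


def ssh_failed_counts(log):
    """Count failed login attempts per source IP (noise, but useful context for a review)."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            counts[m["ip"]] += 1
    return dict(counts)


def http_requests_under(log, prefix):
    """Map each client IP to its (timestamp, path, status) requests at or below `prefix`."""
    prefix = prefix.rstrip("/")
    seen = defaultdict(list)
    for line in log.splitlines():
        m = HTTP_LINE.match(line)
        if not m:
            continue
        path = m["path"]
        if path == prefix or path.startswith(prefix + "/"):
            seen[m["ip"]].append((m["ts"], path, m["status"]))
    return dict(seen)


def unexpected_sources(seen, known_good):
    """Return, sorted, every IP in `seen` that is not one of the addresses you recognise."""
    return sorted(ip for ip in seen if ip not in known_good)


if __name__ == "__main__":
    # Addresses the reviewer recognises as their own (constructed for the example).
    mine = {"192.0.2.10", "192.0.2.11"}
    logins = ssh_accepted_logins(SSH_LOG)
    print("Accepted SSH logins by IP:", logins)
    print("Failed SSH attempts by IP:", ssh_failed_counts(SSH_LOG))
    print("Unrecognised SSH sources:", unexpected_sources(logins, mine))
    reqs = http_requests_under(HTTP_LOG, "/now")
    print("Requests under /now by IP:", reqs)
    print("Unrecognised /now visitors:", unexpected_sources(reqs, mine))
```

Run as a script it prints the per-IP summaries; in the constructed sample the one address that both logged in over SSH and fetched the bot source under /now is the unrecognised 203.0.113.5, which is exactly the pattern the author was looking for and, in his case, did not find.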
6. Someone happened to browse to exogen.case.edu/now last week and obtained the code (with plaintext password)
So, either Subversion or Gmail or something wacky is to blame. Dear Reader: can you think of any other possible points of security breach?
If you have any information regarding the mysterious disappearance of Find Case People, feel free to share it with the rest of us. Until then, I'm afraid the bot's out of commission.