For a young infosec guy without industry experience, lviging somewhere where the industry barely exists, few options are immediately available to ply your trade besides freelancing. Being under-networked, this meant spinning up a Fiverr profile and essentially hoping for the best. I didn’t take the pursuit especially seriously. I was busy, with Tarnished Tale, Tapestry, and trying to find work more permanent than my soon-to-expire contract with Computers For Schools.
However, from time to time I would get direct requests in my inbox for contract work. Most of the time, a simple exchange would be enough to see whatever I was going to be asked to do was either a scam or illegal (or often both), and as usual I’d engineer some excuse.
Last week, though, I talked through some simple work with a prospective client on Fiverr. The conversation was simple, as was the work, and it fell under the line of “simple enough to not dig too deeply into.” Someone, a student (I assumed), wanted something they’d built tested for an SQLi vulnerability.
Simple simple simple. I could do that in an hour or two. Hell, I could use some pizza money. So I agreed to do the work for a laughably small sum, got the target IP and hostname, had the client attest that the server was indeed theirs, and off I went. I had two days to do probably about five hours of real work, including the report.
On a whim, I span up the client’s IP and was surprised that nothing came up directly, just a simple error message. Figuring I probably missed some port information, I tried what any idiot might - I punched in the hostname as a URL.
Sure enough, this immediately pops up an access portal for a service provided by an established educational institution. My eyebrows went up, so in short order I found that org’s IT contact (not finding a good security contact), and reached out. Normally you don’t warn the blue team, but I had some suspicions at this point. Who the hell tests prod for something so trivially findable in test?
Sure enough, within hours, I’ve started a veritable storm of emails with the target org. The conversation escalates to chief of IT within a few hours and it’s made abundantly clear that neither I nor my client had anything remotely resembling permission to proceed.
Alright, lesson learned: don’t be so half-assed in my due dilligence work. In point of fact I no longer offer pentesting through third-party services. It will be a while, but eventually, I’ll probably offer them first-party through either Patch Savage Labs or a spinoff.
In the meantime, though, my tweet on the subject got picked up by the Big Kids of Infosec. It’s been about a week and my inbox is still blowing up on the matter. Happily, I even aquired a freelance gig for some python development out of the deal, and what’s more, I have the possibility for more work down the road.
So, cheers to covering your ass. It turns out professional paranoia extends beyond figuring out how someone would scam your clients - you should watch your own back, too.