Announcement

Collapse
No announcement yet.

Alexis park hotel SSL key == owned?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Alexis park hotel SSL key == owned?

    If anyone hasn't noticed already the ssl key for alexis park's webpage including their online reservation section has been replaced by a key issued to computer.njd.xo.com. Who wants to put money down that someone has owned their entire reservation system and has every person's cc number.

    check out www.hacksec.org

  • #2
    It's ok Frogger, we know it was you.
    Killing threads one post at a time...

    Comment


    • #3
      rofl, yea .. it was all me

      all your cc's are belong to frog

      Comment


      • #4
        Yikes...

        I can tell you one thing, whomever did it admin, script kiddie or otherwise knows shit about PKI, or CA and the usage of PKI. :)

        E = www@snakeoil.dom
        CN = www.snakeoil.dom
        OU = Webserver Team
        O = Snake Oil, Ltd
        L = Snake Town
        S = Snake Desert
        C = XY
        Attached Files

        Comment


        • #5
          this is the cert you get when you actually go through their reservation system. i had to goto the page properites and look at the certificates because it never prompted me with an error saying it was untrusted (BAD).
          Attached Files

          Comment


          • #6
            Is it still up? I just went there http://www.alexispark.com/reservations/reservations.htm and there is no ssl at all... :/ though if you go to https://www.alexispark.com/reservati...servations.htm you get the cert I posted. They are suposed have the entire session in ssl... no idea if they are going ssl after you submit that cc, that would be just too stupid..

            Comment


            • #7
              Originally posted by blackwave
              Yikes...

              I can tell you one thing, whomever did it admin, script kiddie or otherwise knows shit about PKI, or CA and the usage of PKI. :)

              Errr...folks? That's the default "example" cert that you get with a default OpenSSL install, if you forget to install your own cert (or accidentally point to the example cert file instead of the real one).
              http://bitshift.org

              Comment


              • #8
                goto https://reservations.alexispark.com/...ions/step1.asp

                the reason it doesn't show as being encyrpted is because it is contained in a frame and the outer "main" frame is not encrypted.

                this is NOT the default snake oil cert.

                CN = computer.njd.xo.com
                OU = Terms of use at www.verisign.com/rpa (c)00
                OU = Operations
                O = XO Communications
                L = Secaucus
                S = New Jersey
                C = US

                xo communications is a hosting company and it turns out that a whois on reservations.alexispark.com returns ......

                OrgName: XO Communications
                OrgID: XOXO
                Address: Corporate Headquarters
                Address: 11111 Sunset Hills Road
                City: Reston
                StateProv: VA
                PostalCode: 20190-5339
                Country: US

                computer.njd.xo.com A 216.156.95.40
                reservations.alexispark.com A 216.156.243.245

                so what is the conclusion??

                alexispark uses an XO box to do its online transactions that is called computer.njd.xo.com. false alarm but seemed way too fucking suspicious to me.
                Last edited by cyberfr0g; May 7, 2003, 19:09.

                Comment


                • #9
                  The cert is trusted by Verisign... doesn't appear invalid at all. Just looks like they misconfigured the subject's cn.

                  CN = computer.njd.xo.com

                  CN = computer.njd.xo.com
                  OU = Terms of use at www.verisign.com/rpa (c)00
                  OU = Operations
                  O = XO Communications
                  L = Secaucus
                  S = New Jersey
                  C = US
                  which should be:
                  reservations.alexispark.com

                  instead.

                  Comment


                  • #10
                    I doubt seriously if anyone used the online res form. I couldnt get the days I wanted online so I called the AP personally. Using a friends card of course.

                    Comment


                    • #11
                      Originally posted by pezz
                      I doubt seriously if anyone used the online res form. I couldnt get the days I wanted online so I called the AP personally. Using a friends card of course.
                      A lot of people did before the dates were confirmed, back when you could get the regular rate instead of the "special Defcon rate" (aka, the jacked up rate).
                      the fresh princess of 1338

                      What did I do to make you think I give a shit?

                      Comment


                      • #12
                        So the defcon rate makes it more expensive?

                        Comment


                        • #13
                          Originally posted by pezz
                          Using a friends card of course.
                          i would haate to be YOUR friend......!
                          the fresh prince of 1337

                          To learn how to hack; submit your request

                          Comment


                          • #14
                            Originally posted by KeLviN
                            i would haate to be YOUR friend......!
                            Why Kelvin, I am truly hurt. :(

                            Comment


                            • #15
                              i'm sorry...<hugs pezz w/ wallet tightly gripped in hand>;)
                              the fresh prince of 1337

                              To learn how to hack; submit your request

                              Comment

                              Working...
                              X