The Jester posted a link to data exfiltrated during last week's WebKit exploit, which was aimed at mobile device users who scanned the QR code posted as the avatar on his Twitter account and who were then cross-referenced against a database of targeted jihadi and Anonymous operatives...
* * *
Anti-jihadi hacker and Anonymous/AntiSec/LulzSec nemesis The Jester (th3j35t3r) claims to have pulled a fast one on some undesirables, taking advantage of his targets' curious nature and a known smartphone exploit.
"It was a highly targeted and precise attack, against known bad guys, randoms were left totally unscathed," The Jester blogged.
The operation was intended to snare unsuspecting targets The Jester had previously identified and aggregated in a database, while supposedly leaving non-targets unscathed.
"At the beginning of this week just hours before the news of Hector Monsegur’s arrest broke, many of you will have noticed that my twitter profile pic changed from the usual ‘Jester Mask’ to a QR-Code. The timing of this subtle change could not have been more favorable," Jester wrote.
Those who scanned the QR-Code with any Android or iPhone mobile device were automatically directed to a website that displayed The Jester's oft-used avatar and the message "BOO!".
"So in a nutshell when anyone scanned the original QR-Code using an iPhone or Android device, their device would silently make a TCP Shell connection back to my remote server... With Netcat listening at the other end for incoming connections, you can configure it to execute its own script when it receives a connection," he continued.
Those who scanned the QR-Code were then cross-referenced with Jester's database of known targets, and those targets were subsequently pwned, having their address books, texts and emails exfiltrated.
"If the pre-requisite conditions outlined above were met and the device’s twitter client WAS associated with an account on the ‘shit list’ things got very interesting. Another script fired elevating permissions and raping the SMS logs, call logs, & phonebooks and (as long as the user was using the default out of the box email client) emails stored within. Creepy? Only if you are naughty," Jester taunted.
The Jester states that the QR-Code was scanned as many as 1200 times, with more than 500 of those scans referring users back to the server. The operation then identified an undisclosed number that corresponded with the target database.
The operation was intended to go on for a few more days, but The Jester cut it short after a keen-eyed Twitter follower noticed the embedded code and inquired about it.
"In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How’s that for ‘lulz’?" Jester said.
Needless to say, there are probably more than a few jihadists and script kiddies who are in a near-pucker with this disclosure.
The full write up on the exploit along with screenshots and exploit code samples can be found here: