How-To: Leaking In Two Steps

In “Lowering the Bar for Leakers” I proposed this method for leaking login credentials:

  1. Write login credentials (not your own), login URL, on paper
  2. Mail to (news address) – no return address
  3. News Media: Destroys all leaked credentials upon receipt

Easier than the convolutions you will find at “How easy is it to securely leak information to some of America’s top news organizations? This easy” or “Attention Federal Employees: If You See Something, Leak Something”, but we can do better.

A Universal (nearly) and Secure Leaking Point

Can you think of one characteristic shared by almost all websites? Aside from being on the Web?

The ability to create an account for news and updates!

Like this page from the New York Times:


Warning: Leak login credentials to sites using the https protocol only.

Leaking access to a publicly accessible server

Leaking your sysadmin’s, boss’s, co-worker’s credentials, you enter:


Leaking access to a server on a restricted network

For servers or resources requiring more than one set of credentials, say on a secure network, again using your sysadmin’s, boss’s, co-worker’s credentials, you enter:


Leaking In Two Steps

The leaking of login credentials (not your own) is two steps:

  1. Create account from non-work computer
  2. Enter login credentials as account details

You are protected by:

  1. SSL encryption
  2. Safety in numbers – Study finds that 97% of large companies have had credentials leaked online
  3. Credential duplication is a well-known fact – 17% of passwords are “123456”
  4. Not facing the risks of a sneakernet thief to steal, transport and deliver data in hard copy or digital format

This technique will work with agencies, banks, corporations, courts, governments, legislatures, PACs, anywhere that requires digital login credentials.

I used email and password fields here but that is just an artifact of the New York Times form. Other parts of a form and other separators are certainly possible.

PS: Don’t leak credentials to me because my site doesn’t have SSL (right now) and I’m not in full control of the server.

Personally, if I were to accept leaked credentials, I would store that data on a RAM disk.
