Optus Hack in lay terms

Was the ‘Optus Hack’ a sophisticated attack? Absolutely not!

October, 2022 - Author Kelly Mills

...

What happened with the Optus hack: a short non-technical answer


Any reasonable IT person, web developer, or my 10-year-old son will tell you that you can inspect a website and view and copy URL links, but what you can see and access should not come even close to allowing a hacker to unlock Pandora's box.


From the information released by the Optus hacker and by the journalist the hacker contacted, twitter@JeremyKirk, we have broken down into lay terms what is reported to have happened.

First, a successful authenticated login occurred. The logged-in person could then see a link to the Optus server: a URL that should have shown only the data belonging to the 'Contact ID' of the user who was actually logged in.

The 'Contact ID' of the logged-in user was not encrypted, so the hacker tested whether another similarly formatted Contact ID would work in the same link. For example, if you are Contact ID 1003621 and I am Contact ID 1003629, you could simply request other nearby Contact ID numbers to see whether they worked. They did 😬

I cringed at the lack of forethought and the ignorance shown in not emplacing basic web security protocols.


No further authentication required across Contact IDs

To add to our distress over this 'Hack', when the information for a different Contact ID was requested from the Optus server, the system, according to reports, did not require any further authentication: the original token (and, worse, the original password) must have been sufficient. So no, this was not a savvy hack, and not much of a hack at all. Once logged in, the link or address used to access data was open and already authenticated.

Optus reports that the link was only intended for use by Optus internal systems, but the simple fact remains that the link was there for all to see. Claims have been made of sophisticated access, but that is not our technical opinion based on the information available. The link was published and accessible to anyone from the start.

How the Optus Hack could have been easily averted

We suggest three things Optus could have done to change the outcome of this horrendous data breach.

  • ID numbers would have been better protected if they had been GUIDs, so that even copious amounts of computer-generated guessing would be unlikely to produce fruitful results.
    ...

  • The ID could have been cross-affiliated with the authentication token, so that a record is returned only when the token belongs to that ID. GUID + Token = Access
    ...

  • Lastly, if the link Optus mentioned was internal or tied to an API, it should not have been exposed in this fashion, or at all. If it was required in traffic, it should have been masked, hidden, or encrypted.
    ...
  • Any one of these security measures, let alone all three, would have made access hard or impossible for even an extremely savvy hacker and would have stopped the hack from happening at all.
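To make the two halves of this article concrete (the Contact ID lookup described above, and the GUID-plus-token fix suggested in the list), here is an added illustration in Python. It is not Optus code and nothing about it is drawn from the actual Optus systems: the customer records, the Contact ID values, the session tokens and the access log are all constructed for the example. It places the vulnerable pattern (any logged-in token can fetch any Contact ID) beside a hardened lookup that uses random UUIDs and checks that the token belongs to the requested ID, and it adds a simple detection heuristic a defender could run over access logs to spot one token walking through many different IDs.

```python
"""Added example (not Optus code): an insecure direct object reference
(IDOR) lookup beside a hardened version that uses non-guessable IDs and
binds each record to the authenticated session.  All data is constructed."""
import secrets
import uuid

# Constructed sample records, keyed by a sequential Contact ID.
# Sequential numbers are the weakness: a neighbouring ID is easy to guess.
CUSTOMERS_SEQ = {
    1003621: {"name": "Alice Example", "dob": "1980-01-01"},
    1003629: {"name": "Bob Example", "dob": "1975-06-30"},
}

# Constructed session table: token -> Contact ID the login belongs to.
SESSIONS_SEQ = {"tok-alice": 1003621}


class Forbidden(Exception):
    """Raised when a request is not allowed."""


def vulnerable_lookup(token, contact_id):
    """The pattern described in the article: the caller only has to be
    logged in, and the Contact ID alone selects the record returned."""
    if token not in SESSIONS_SEQ:
        raise Forbidden("not logged in")
    return CUSTOMERS_SEQ.get(contact_id)


# --- Hardened store: random UUID keys and per-object authorisation -------
CUSTOMERS_UUID = {}
SESSIONS_UUID = {}


def create_customer(record):
    """Assign a random UUID (122 bits of randomness) instead of the next
    integer, so IDs cannot be enumerated by counting up or down."""
    cid = str(uuid.uuid4())
    CUSTOMERS_UUID[cid] = record
    return cid


def login(contact_id):
    """Issue a random session token tied to exactly one Contact ID."""
    token = secrets.token_urlsafe(32)
    SESSIONS_UUID[token] = contact_id
    return token


def hardened_lookup(token, contact_id):
    """GUID + Token = Access: the token must belong to the requested ID."""
    owner = SESSIONS_UUID.get(token)
    if owner is None:
        raise Forbidden("not logged in")
    if owner != contact_id:
        raise Forbidden("token not authorised for this Contact ID")
    return CUSTOMERS_UUID[contact_id]


def is_authorised(token, contact_id):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        hardened_lookup(token, contact_id)
        return True
    except Forbidden:
        return False


def enumeration_suspects(access_log, threshold=3):
    """Detection heuristic over constructed access-log tuples
    (token, contact_id, allowed).  A single customer's session should
    touch its own record; a token that requests many distinct Contact IDs
    looks like enumeration, whether or not the requests were allowed."""
    ids_per_token = {}
    for token, contact_id, _allowed in access_log:
        ids_per_token.setdefault(token, set()).add(contact_id)
    return sorted(t for t, ids in ids_per_token.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # Vulnerable: Alice's token retrieves Bob's record by guessing his ID.
    print("IDOR result:", vulnerable_lookup("tok-alice", 1003629))

    # Hardened: Alice's token retrieves only Alice's record.
    alice = create_customer({"name": "Alice Example", "dob": "1980-01-01"})
    bob = create_customer({"name": "Bob Example", "dob": "1975-06-30"})
    tok = login(alice)
    print("own record:", hardened_lookup(tok, alice))
    print("other record allowed?", is_authorised(tok, bob))
```

The detection function is deliberately crude: in a real deployment the threshold and window would be tuned to the application, and requests that were denied would be the more urgent signal, but the shape of the check (distinct object IDs per session, not request volume) is what catches the behaviour the article describes.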

    This is exactly what we refer to in our article 'Is being hacked enough to destroy your Law Firm?' about hacks being opportunistic crimes. It is an interesting read.

    Kelly Mills is a Financial and Technical Writer and Software Entrepreneur