Consultancy firm’s cybersecurity quiz pulled after researcher exposed vulnerability

Hacking quiz game Hacker IQ was forced offline after a security researcher exposed its vulnerabilities

UPDATED Deloitte’s Hacker IQ game, a quiz used to test a user’s cyber knowledge, was – somewhat ironically – hacked yesterday.

The popular game was taken offline last night (November 4) after security researcher Tillie Kottmann (@antiproprietary) gained access to the site.

Kottmann posted screenshots online, including one image that contained the username and password for the site’s MySQL database in plaintext.

“I found the site while scanning for sites with exposed .git folders, allowing me to clone them using specialized tools (like git-dumper or goop), from the .gitignore file,” Kottmann told The Daily Swig.

“I then found the path for the config file and just tested if it would be accessible over http too.”

The quiz is also hosted on Ubuntu Linux 14.04, which has reached end of life, leaving it vulnerable to multiple unpatched flaws.
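A defender-side check for the exposure Kottmann describes above, as an added example that is not part of the original article or of any tool it names: it walks a local web document root and reports `.git` directories, a served `.gitignore`, and files that `.gitignore` lists but that are still deployed. The sample tree, the file names (including `app/config/database.php`) and the function names are constructed for illustration, and the pattern matching is a simplified subset of gitignore rules.

```python
import fnmatch
import os
import tempfile

def load_ignore_patterns(root):
    """Read the webroot's .gitignore; simplified: skips comments, blanks and negations."""
    path = os.path.join(root, ".gitignore")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.strip() for ln in fh]
    return [ln.strip("/") for ln in lines if ln and not ln.startswith(("#", "!"))]

def audit_webroot(root):
    """Return sorted (finding, relative_path) pairs for files a web server would expose."""
    patterns, findings = load_ignore_patterns(root), set()
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, ".git"), root)
            findings.add(("git-metadata", rel.replace(os.sep, "/")))
            dirnames.remove(".git")  # do not descend into the repository itself
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name == ".gitignore":
                findings.add(("gitignore-served", rel))
            # An ignored file usually holds local secrets, so flag it if it is deployed.
            if any(fnmatch.fnmatch(rel, p) or fnmatch.fnmatch(name, p) for p in patterns):
                findings.add(("ignored-file-served", rel))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree: a deployed checkout with .git and an ignored config file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        ".git/HEAD": "ref: refs/heads/master\n",
        ".gitignore": "# local secrets\napp/config/database.php\n*.log\n",
        "app/config/database.php": "<?php // placeholder credentials\n",
        "index.php": "<?php echo 'quiz';\n",
        "debug.log": "constructed log line\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for kind, rel in audit_webroot(build_sample_webroot()):
        print(f"{kind:22} {rel}")
```

Any finding means the deployment copied repository metadata or untracked secrets into a directory the web server serves; deploying from an export rather than a checkout, or denying dotfile paths in the server configuration, removes them.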

Funny games

Unsurprisingly, the incident caused a stir on Twitter as users pointed out the obvious irony.

“Love that amazingly strong SQL user/pass combo... deloitte:b3@th@cks,” wrote Joszef Kiraly (@fonix232), while Allan MacGregor (@allanmacgregor) joked: “Phew! good thing they are not a highly recognizable brand that is worth 30 billion dollars and are specifically experts on consulting and advising companies about this kinda shit.”

Kottmann’s tweet has, at the time of writing, already had more than 1,000 retweets and 3,000 likes.

A Deloitte spokesperson told The Daily Swig in an email that since the game is hosted by a third party – presumably digital media agency Tank, which designed the quiz – there has been no impact on its systems.

They said: “We are aware of an incident that involved unauthorized access to an interactive game/website which was developed for a cybersecurity event in 2015.

“The platform is hosted by a third-party and is distinct from any other Deloitte system; there is no impact to any other Deloitte system. The site has not been actively used since 2015 and has now been taken down.

“We remain vigilant in assessing this incident and other potential cyber threats. We are deeply committed to maintaining cyber defenses that are aligned to best-in-class practices, to investing heavily in protecting confidential information, and to continually reviewing and enhancing our cyber security.”

This article has been updated to include comment from Deloitte.
