Dialog Claims It Was Hacked. A Misconfigured Website Left Its Members Exposed
Dialog, the invite-only group cofounded by Peter Thiel, notified members and past event participants last week that a database containing their personal information had been breached, supposedly by a criminal hacker. But a WIRED analysis found that the files were readable to anyone who visited a landing page for the group’s app—what cybersecurity experts describe as a misconfiguration that effectively made the data publicly accessible.
The notification to people affected by the data exposure, emailed by Dialog managing director Juliette Levine and provided to WIRED, said that forensic investigators found that the names of 113 past participants in Dialog events had been exposed and, separately, “some” people registered for this summer’s Dialog retreat had their information accessed. Levine said the organization had temporarily closed many of its systems in response.
The exposure, Levine alleged, “was a hack executed by a well-known criminal who is wanted in the United States,” adding that the group had acted “out of caution” to protect “the safety, privacy, and reputation of every Dialoger past and present.”
Multiple reviews of the site’s publicly accessible architecture, though, point to a misconfiguration, not a break-in.
WIRED first reported on the Dialog records last week. They include the list of 113 names that Dialog confirmed to be past participants in its breach disclosure—among them a sitting NATO commander, two US senators, and the US treasury secretary—as well as a separate, longer list of people registered for an August retreat outside Dublin, Ireland. WIRED also reported on records that revealed how the group privately scores attendees, weighing their wealth and prominence in decisions about admission, seating, and pricing.
A Dialog site, set up to distribute a phone app for the August gathering, let any visitor sign up using any email address. It did not request a password. After submitting an email, the visitor was taken to a near-empty holding page; the same page also loaded the internal files on some 200 people into their browser. Viewing the files required little more than inspecting the page with tools built into every major internet browser.
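The pattern described above, a holding page that ships every attendee's records to the browser and relies on the client to pick out the visitor's own entry, shown beside a server-side-filtered version. This is an added illustration, not Dialog's code; the attendee records and the session object are constructed for the example.

```javascript
// Added example (not Dialog's code): the "bulk payload, client-side filtering"
// anti-pattern beside a hardened handler. Records are constructed sample data.
const ATTENDEES = [
  { id: 'a1', email: 'one@example.org', name: 'Attendee One',
    phone: '+1-555-0100', loginToken: 'tok-one-SECRET' },
  { id: 'a2', email: 'two@example.org', name: 'Attendee Two',
    phone: '+1-555-0101', loginToken: 'tok-two-SECRET' },
];

// Vulnerable: the page embeds the whole attendee list and lets the browser
// find the visitor's entry. Submitting any email address yields everything.
function renderHoldingPageVulnerable(submittedEmail) {
  const payload = { me: submittedEmail, attendees: ATTENDEES };
  return `<script>window.__DATA__=${JSON.stringify(payload)}</script>`;
}

// Hardened: an email address alone proves nothing, so no data is released
// until the visitor holds a verified session (e.g. after a sign-in link).
// Filtering happens server-side, and only that attendee's non-sensitive
// fields are rendered; tokens and other people's records stay on the server.
function renderHoldingPageHardened(session) {
  if (!session || !session.verified) {
    return '<p>Check your inbox for a sign-in link.</p>';
  }
  const record = ATTENDEES.find((a) => a.id === session.attendeeId);
  if (!record) return '<p>No registration found.</p>';
  const safeView = { name: record.name, email: record.email };
  return `<script>window.__DATA__=${JSON.stringify(safeView)}</script>`;
}

// Defender-side check against a rendered page: does the markup carry any
// value that should never reach a browser (login tokens, phone numbers)?
function leaksSecrets(html) {
  return ATTENDEES.some(
    (a) => html.includes(a.loginToken) || html.includes(a.phone),
  );
}
```

Running `leaksSecrets` over the output of each renderer shows the vulnerable page leaking every token to an unverified visitor while the hardened page exposes neither tokens nor other attendees.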
The records made accessible by this process include senior figures in national security and technology, both current and former. Among those whom records showed as being registered for the upcoming Dialog event were NATO officials; a current White House intelligence official; a retired general who held a senior role in US intelligence; and the heads of national security policy and partnerships at two leading AI firms. Other figures included a former British security minister, a former Japanese defense minister, and a former Pakistani diplomat. For nearly all, the exposed data is comprehensive, from private contact information to active login tokens.
The records also contained participant lists, schedules, and links to completed questionnaires hosted by Fillout, a service Dialog used to collect information from attendees and store it in Airtable databases. Loading one of those forms returned far more information than the Dialog page itself contained, including dates of birth, emergency contacts, cell phone numbers, the political leanings Dialog assigns to its members, internal rankings and grading notes, and the digital keys that serve as members’ logins. Much of that information appeared to come directly from Dialog’s Airtable records.
In a statement to WIRED, Fillout says it was “not aware of any compromise of Fillout systems or active platform vulnerability.” The company says customers configure their own forms, connected data sources, and workflows, and that “the behavior of a given form depends on that configuration.” Fillout declined to comment on any specific customer’s forms or records.
Dialog, which did not respond to requests for comment, had outside counsel send a letter this weekend demanding WIRED hand over a copy of the data it had received. The letter, signed by partner D. Reed Freeman at the law firm ArentFox Schiff, characterizes the breach as a “cyberattack” by a “known cybercriminal,” argues the files were “stolen,” and says Dialog has also reported the incident to law enforcement. WIRED has not provided Dialog or its attorneys with any data.
The exposure first came to light after maia arson crimew—a Swiss journalist and cybersecurity researcher who was indicted in the US in 2021 on hacking-related charges but has not been convicted of any crimes—received tips from two sources, she says. One had been reviewing US Department of Justice records related to Jeffrey Epstein when they noticed Dialog’s name on an invitation sent to a third party in 2012, which had been forwarded to the infamous sex offender, and grew curious about the secretive group. A second source later pointed crimew to the retreat app.
crimew says she neither exploited a software flaw nor bypassed any security measures to access the Dialog data, and viewed the same records that were available to every visitor’s browser.
Nicholas Weaver, a member of the nonprofit International Computer Science Institute’s network security team, says the exposure bears the hallmarks of a web design error rather than a sophisticated intrusion. “This is negligence and a not-actually-unheard-of anti-pattern,” Weaver says, referring to a common but avoidable mistake.
Aaron Mackey, deputy legal director at the Electronic Frontier Foundation, a digital rights nonprofit, says that based on what’s publicly known about outside access to Dialog data, characterizing the activity as “criminal” appears “far-fetched.” He warns that broad computer-crime laws are sometimes invoked to chill security research, journalism, and…