How Patreon made themselves a hole

As you might have heard, Patreon was breached and had its database and code dumped on the Internet. Canary has a copy of all e-mails and they are now all searchable.

I wrote this elsewhere, but this is how Patreon created a problem for themselves.

It's pretty easy to enable debug within Werkzeug but it isn't enabled by default. It's also not by default listening on "0.0.0.0" but rather instead by default "127.0.0.1".

Here's exactly what they did in the code (this is straight from the dump):

    web_app.debug = patreon.config.debug
    web_app.run('0.0.0.0', port=args.port, use_reloader=False)

Then in the patreon.config.debug string, it had a true statement:

debug = True

Whoever enabled this server wouldn't have fed arguments to enable it as it was hard-coded into the application. All someone had to do was just type "python patreonweb.py" and the server would be ready to go with debug-mode enabled.

Detectify Labs wrote a blog entry and linked to a previous one of mine. Don't enable debug on Internet-facing servers and if you can help it don't enable it to listen on "0.0.0.0" either.