High School Sports

Hacker who posted ‘pwned’ on MIAA website says they hoped to help expose security flaws

"I just literally wanted to talk to these people."

A hacker who goes by the names "netsaosa" and "g0retrance" got into the MIAA website on Monday, hoping to draw attention to site insecurities. Screencap courtesy of Meredith Perri

A hacker who goes by the screen names “netsaosa” and “g0retrance” got into the Massachusetts Interscholastic Athletic Association (MIAA) website on Monday and posted “pwned,” briefly derailing the release of the MIAA’s official statewide brackets for state tournament games.

Reporters noted the delay before MassLive.com’s Meredith Perri realized the site was compromised.

A pop-up in front of the site redirected users to a Twitter account for g0retrance. At the bottom of the page, underneath the word “pwned,” g0retrance left the message, “should have listened to my emails instead of ignoring me … don’t worry, this is harmless. just to get ur attention :)”

Advertisement:

According to g0retrance, who spoke to Boston.com via email on Monday evening, the intent behind the hack was simply to draw attention to flaws in the MIAA’s website.

“I didn’t hide myself on purpose because I just literally wanted to talk to them about this,” g0retrance wrote. “I wanted to help but was ignored.”

The user first noticed the flaws in late September and said they got in touch with the MIAA via email noting the vulnerabilities.

But per the hacker, the MIAA never responded to multiple queries.

“You know what’s funny… I actually had no idea what was going on today,” g0retrance wrote, referencing the release of the statewide brackets. “I just did it again because I was bored and I got zero response from [the] MIAA.”

According to g0retrance, the site’s issues could have caused “a series of events that could be detrimental to the site’s reputation and even user data” if discovered by a bad actor. To get into the site, g0retrance outlined a process by which they accessed login cookies and gained administrator access.

A user looking to do more than post “pwned” could have done a number of malicious things, per g0retrance, including surreptitiously gaining access to individual user data.

Advertisement:

“I’m sad it came out this way,” g0retrance wrote. “I just literally wanted to talk to these people.”

In a statement to Boston.com, an MIAA spokesperson said they were aware of the situation and were “working with our site developer to remedy any potential website matters.”

Per g0retrance, the issues have indeed been patched over — later attempts to get into the site were rebuffed. They were discouraged, however, that an attempt to help the MIAA guard its website against future hacks — or even hacks that already occurred — could lead to legal issues.

“They ignored me. ignored me. ignored me,” g0retrance wrote. “I honestly feel hopeless now because now I’m being threatened with legal action, someone actually malicious could have caused something way worse; what I did was basically harmless.

“I didn’t intend for this much chaos to happen.”

Jump To Comments

Conversation

This discussion has ended. Please join elsewhere on Boston.com