Gas Station ATGs Exposed to Public

HD Moore from Rapid7 recently disclosed that over 5800 Automated Tank Gauges at gas stations around the world were publicly accessible. Anyone connected to the internet can now view the in-tank inventories of the gas stations and manage the gas tanks.

The process to access the gauges is simple:
1. Telnet into port 10001 of an ATG’s IP.
2. Type ^A (Ctrl A) followed by I20100. This command outputs a basic report.

ATG telnet info

There are over 600 commands that can be executed, some of which include setting alarm thresholds, editing sensor configurations, and running tank tests. You can view them all in the vendor manual.

Commands

A list of affected IP’s can be found on Shodan.

Fake Link Clickjacking

Chances are that you’ve already been a victim of this.

If you’ve used Google search with your Javascript enabled, you might’ve noticed that when you hover over a result, the link that shows up in your browser is to the respective website. But when you actually click on it, you are sent to a Google URL that redirects to the original site. Google does this for analytic reasons, so it’s fairly harmless to users.

This type of clickjacking, like almost all other forms of clickjacking, uses Javascript. The version I wrote, however, is a little better than what Google uses. But first, let me start with a live demo:

You may think this link leads you to Google. But try clicking it.

You might think, pretty harmless right? But what about something like this:

You can probably now see how this could be used.

The method is fairly simple – you just change the href on the anchor right before the mouse click is released by using onmousedown. If you click and hold the link, you’ll see that the URL changes to Bing.

What makes my code different than Google’s? Well, if you click and hold a link on the Google search results and end up dragging away (basically not fully completing the click), the URL is permanently changed to the Google one. The code I have restores the original URL every time the mouse moves over the link. It’s not a big change, but it could make a difference.

Without much further ado, here’s the code.

Spotify Ad Blocker

Note: To view the download page, visit: https://www.ericzhang.me/projects/spotify-ad-blocker-ezblocker/

Unsatisfied with the current ad blockers for Spotify, I decided to make my own.

The major problems I found with the publicly available ones were:
(1) They hook onto Spotify in a really weird way that messes up the window (can’t minimize, drags Spotify off the screen, changes Spotify’s size to 1×1)
(2) They didn’t work at times (ads still played)
(3) They didn’t work with some Spotify apps (most notably, Soundrop)
(4) Some just mute the whole computer instead of just Spotify.

The solution? EZBlocker! It’s is an extremely simple ad blocker for Spotify that works on a blacklist (“blocklist”). When an ad plays, a notification balloon will appear, which, when clicked, will add that ad to the blocklist. When an ad is blocked, only Spotify is muted, so other sounds (like ones from a game) will be unaffected.

There’s no fancy features, just pure ad blocking. You can find a download link and the source code on my projects page here.