You can find the text version here.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

           ###       ###         ###############        ####   #  ---
           ####      ####        ##############      ######## ## | R |
            ###       ###        ###      ####      #####  #####  ---
            ####      ####      ####      ###      ###       ##
             ###      ####      ###      ###       ##
             ####    ######    ####     ###        #
              ###    ######    ###     #####       #
              ####  ### ####  ####    ########     #
               ### ####  ### ####          ####
               #######    #######           ####
                #####      #####            ####
                #####      #####            ####
                 ###        ###    #        ####               #
                 ###        ###   ####     ####    #         ###
                  #          #     ###########      ###########
                  #          #       #######          #######

                              < ankh> mmm?
                              < ankh> oh, heh


                               W3C Security Drill

                               brought to you by
                                    wowaname
                                     at the

................................................................................
...............-'`'`-..................................irc.krustykrab.restaurant
.............(..THE...).........................................................
............(..KRUSTY..)................*................*......................
......*......\..KRAB../....___....._....|............____.......................
..............\ \__/ /...,',-.`___|_|___|__________,',,-.\......................
...............-\__/--../ /_____:|:_______________/ //\/\\\..........*..........
......._  .----__==;-../ /__.-._________:|:_.-.--/ //\/\/\||....................
......'-.^-^-^'_,-'|..| |   '-' [_] [_] [_] '-' | ||\/\/\/||....................
.........`----'....|..| |--------_________------| ||/\/\/\||....................
...................|..| | [_=_] |    |    |  / /| ||\/\/\/||....................
...................|..| |  / /  |    |    | / / | ||/\/\/\||.........*..........
.........*.........|..| | / /   |   '|'   |/ /  | ||\/\/\/||....................
...................|.,+-'------.+|   |   _|_____|_||_.----''|...................
- ----------------,|-|_________|.'------|________|___.-----'--.-----------------
.................'-|__________           ___==>_____________--'.................
............................./          /....|..................................
____________________________/          /________________________________________


                                  Introduction

The World Wide Web Consortium (W3C) is well-known on the Internet for being the
powering force behind widely-used standards we use in our Web technologies
today. This same Consortium seems to have an issue with basic account security.

Tim Berners-Lee, also known as "timbl" or the "inventor of the World Wide Web",
uses the W3 IRC network (irc.w3.org) much like other W3C team members. And like
a few other people, he also had a misconfigured client that sent his password to
NickServ regardless of the network.

                                     Method

Simply put, I logged onto W3's network as NickServ, sat there for a while, only
so I could get a password to log onto the restricted server on port 6697, where
all the team-only channels are. Also, I wanted a few w3 freenode accounts under
my belt.

The first password I get from a team member is from a user named "timbl". At the
time I was just excited I got a password so quickly. I whois timbl before
reconnecting, see his real name is "Tim Berners-Lee", do a search on him, and
when I find there is a Wikipedia article on him, I began to smile. Yes, this was
the first time I've actually bothered to look up this person. I visit the
article to see just which W3C member's password I received, and see that I have
just stolen the W3C director's password.

                                 First attempt

                     < timbl> identify 4knEizx34vdedouZ9c9l

I log in to the team IRC (irc.w3.org/6697) with success and see what channels
are available. I poke around silently for a bit to see activity in a few
channels. Nothing too interesting. Once I recall that the password also works on
the W3 website, I log in with the same credentials, again with success.

On the website I just looked around for a bit (there are a lot of links) and
only decided to deface timbl's biography on https://www.w3.org/People/ with
links to my website and a JavaScript alert. By this time, many people have
already seen the /amsg I posted across all IRC channels in which I was joined,
stating that I had access to timbl's account and giving the password out openly.

This incident was met with a silent password reset by timbl a few hours later.

                                 Second attempt

           < timbl> identify 6sUOKqabnCE3j5tG4nsZcuVstkfFSLc+HpMRwPbm

A longer password means he can't be compromised again, right?

This time, I was more calculated. I logged in only to the site and started
sifting through page links to see where I ended up. I found team-only mailing
lists, IRC logs and miscellaneous files, a couple of project wikis, a Gitlab
instance, and a few other interesting configuration scripts and information
pages.

Below, you will find what I managed to grab (all of the IRC logs up to 2016
April 07, as well as a partial archive of the mailing lists) before timbl
decided to reset his password again. I wish I could have scraped the remainder,
but NickServ is now juped on W3 IRC (and every time I flood it off, an oper
kills me off it) and timbl has not logged in for a few days.

                                     Links

https://archive.is/LHTFR - an archived copy of https://www.w3.org/People/
    View the source (view-source:https://archive.is/LHTFR) and search for "PGP".
    I signed a blank message with key 0xCB641501.

http://krustykrab.restaurant/w3.txz
    188 MB (835 MB inflated) archive of IRC logs, ML mailboxes, screenshots, and
    a few other files.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXEHN7AAoJEPoWo4zLZBUBh/oP/AyxgdZeEGbreBYzP24wCJPR
hF/SJ/Jt7GiyvlJp4T0/vmh+AvxTtUnxy/2eQFReGGnThRaTMDma1tCJPEHHuOaz
jkm4vhJ4pfTmlDm6wIUD/uXd5lj96jkGx0zK0NArmy0XGXDM2DcTBE5yGuoKqsCe
5NLuMae0kJRmjQ3iInbkPn65k4JFpRXw+6SycL0NSYFFJvYZ7U2NNmVvTHoAsd47
HRz5nxTXeQa/kRysNuEczHmcpp97igM21mrWZm6v49uXt3SB2P1vgGGWgTn5qy3Q
w3ZFDOGIn0pZ1NlKLY7xnp0DfdbofONWew7m1PHvd/MwBuJEy09N88NA6l2vjwcg
DjC1n6kh4GkHZfNX19bipJd8lxxy8JipAW8klREmLvRKM1X1trM59vgDoKY4H1S0
A05iosJmcye9gL9f77g+Rwfh0SRSvmk3lPwcpnhRJ2vaoyTotQvPd7uY9r7GCmmY
NE7EMdJ5sKnfWx5vePKqzOcsMnVrnQ8rDXnXm/UZ75F44vVDrMZEiqcuLeZBz34+
FHYIKTcbOqQphTy4qcn0WNspV+6JjFKBmK1g2BxAs3TF5wCkcOI6y/wPO90wGxiw
Dvtq23c66T1UbqcBAeTQag+lKKVzMwWRtvGlchLAc77IcP/PYsJxjtNCFSYRORw4
5iVPjaYJTsHRh7v+A7f4
=fBN3
-----END PGP SIGNATURE-----