I recently tweeted a short thread having noticed an unexpected domain in my analytics system's "bad domains" list.
A "bad" domain is one that's serving my content, but is not one of my domains.
For example, if you were to download this page onto a webserver serving foo.example.com, when someone viewed your copy of the page, I'd see foo.example.com in my bad domains list. The same would be true if you instead configured a CDN (like Cloudflare) to serve my content under your name, etc.
Ordinarily the list alerts me when I've made a mistake in configuration somewhere, as well as helping keep track of which Tor2Web services are active.
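The classification behind that list can be done server-side from the page URL each analytics hit reports. The following is an added example, not the post's own analytics code: it assumes a constructed allowlist containing www.bentasker.co.uk and the onion address that appears in the mirrored path later in the post, and treats a hit as "ok" only when its hostname is on that list. It goes slightly beyond the description above by also separating two kinds of foreign host that are worth tracking differently: a Tor2Web-style proxy (our onion label as a subdomain of someone else's domain) and a mirror that embeds our onion address in the path. The sample hits and the hostnames in them (foo.example.com, mirror.example.net, the .onion.ws proxy suffix) are constructed for the example.

```python
from urllib.parse import urlsplit

# Hostnames the site owner legitimately serves from. Constructed for this example;
# the onion address is the one that appears in the mirrored path quoted in the post.
MY_DOMAINS = {
    "www.bentasker.co.uk",
    "e26whn2524322mkxb3cbyk27ev2ihhq2biz35hty7gzgsyrwrygq27yd.onion",
}

# The 56-character label of each onion we own, without the ".onion" suffix.
ONION_LABELS = {d[: -len(".onion")] for d in MY_DOMAINS if d.endswith(".onion")}


def classify(page_url):
    """Classify the URL an analytics hit reports as the page it was loaded from.

    Returns (category, hostname) where category is one of:
      ok           - served from one of MY_DOMAINS
      tor2web      - a Tor2Web-style proxy: <our-onion-label>.<proxy-domain>
      onion_mirror - another host serving a copy, with our onion address in the path
      bad          - any other host serving our content
      invalid      - no usable hostname in the reported URL
    """
    try:
        parts = urlsplit(page_url)
        # urlsplit lowercases the hostname; strip a trailing FQDN dot as well.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        # e.g. a malformed bracketed host such as "https://[bad"
        return ("invalid", "")
    if not host:
        return ("invalid", "")
    path = parts.path.lower()

    if host in MY_DOMAINS:
        return ("ok", host)
    for label in ONION_LABELS:
        if host.startswith(label + "."):
            return ("tor2web", host)
        if label + ".onion" in path:
            return ("onion_mirror", host)
    return ("bad", host)


def bad_domains(page_urls):
    """Summarise the hosts that are serving our content but are not ours.

    Returns {hostname: category} for every non-"ok" hit, so each foreign host
    appears once regardless of how many page views it produced.
    """
    found = {}
    for url in page_urls:
        category, host = classify(url)
        if category in ("ok", "invalid"):
            continue
        found[host] = category
    return found


# Constructed analytics hits: the first two are our own hosts, the rest are the
# situations described above (a third-party copy, a Tor2Web proxy, and a mirror
# that embeds the onion address in the path, as the Cellebrite URL did).
SAMPLE_HITS = [
    "https://www.bentasker.co.uk/posts/blog/some-post.html",
    "https://e26whn2524322mkxb3cbyk27ev2ihhq2biz35hty7gzgsyrwrygq27yd.onion/posts/blog/some-post.html",
    "https://foo.example.com/posts/blog/some-post.html",
    "https://e26whn2524322mkxb3cbyk27ev2ihhq2biz35hty7gzgsyrwrygq27yd.onion.ws/posts/blog/some-post.html",
    "https://mirror.example.net/webfiles/on/io/e26whn2524322mkxb3cbyk27ev2ihhq2biz35hty7gzgsyrwrygq27yd.onion/posts/blog/116-republished-freedom4all/copy.html",
]

if __name__ == "__main__":
    for host, category in sorted(bad_domains(SAMPLE_HITS).items()):
        print(f"{category:13} {host}")
```

The onion-in-path check is the one that would have caught the Cellebrite hit: the hostname was unrelated to the onion, but the path still carried the full onion address, which is a good hint that a crawler fetched the hidden service and stored the result under its own hostname.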
What I saw on that Saturday was somewhat different:
I'm censoring the exact domain name as identifying it in full doesn't really serve any useful purpose (although this post will use a fuller name than in my earlier tweet: part of the name is publicly discoverable anyway).
Someone had viewed a page containing my analytics at the url https://[subdomain].profound.cellebrite.cloud/webfiles/on/io/e26whn2524322mkxb3cbyk27ev2ihhq2biz35hty7gzgsyrwrygq27yd.onion/posts/blog/116-republished-freedom4all/C38EB530D1FD2C0105D250C1AB5E4319.OM20220324085844.html
This is interesting for a few reasons:
- Cellebrite are a digital intelligence company
- The path indicates that it's a mirrored copy of the www.bentasker.co.uk onion
- The filename C38EB530D1FD2C0105D250C1AB5E4319.OM20220324085844.html doesn't fit any naming convention I've ever used
- The file doesn't exist (I did initially worry that maybe I'd been compromised)
You might have heard the name Cellebrite before: they've been in the news a number of times, with topics including suggestions that they'd sold their services to Russia and Belarus, the assistance they provided in prosecuting the tragic Henry Borel case, and claims that they helped the FBI crack the phone of the San Bernardino shooter.
More recently, Moxie Marlinspike highlighted vulnerabilities in Cellebrite's UFED product.
I already knew of the company, not least because they popped up in the Bitfi stuff a couple of years back.
With a background like that, seeing their name anywhere near my stuff couldn't but provoke a bit of curiosity.
I reported my findings to Cellebrite (who have resolved the issue) and we'll look at their response towards the end of this post. I first want to explore the techniques used, to highlight how just a little bit of metadata can guide the discovery of so much more.