Unknown hackers have cracked the URL hashes of websites banned by the Bundesprüfstelle für jugendgefährdende Medien (BPjM), Germany’s Federal Department for Media Harmful to Young Persons, and put the list of URLs online. The government department uses the list to enable ISPs and parents to block pornographic, violent and racist websites.
The content of the list is supposed to be secret. Service providers block the sites by feeding the hashes into a binary blob that evaluates whether a URL should be blocked. Such a function can be enabled on AVM’s Fritzbox routers, for example.
The hackers compared the hashes with URLs on known blacklists and subsequently brute-forced them with Hashcat, a tool designed to crack cryptographic hashes. They claim to have cracked 3280 MD5 and 2889 SHA1 hashes so far. Only 50 to 60 percent of the blocked sites are reportedly still online.