[OWASP-Bangalore] [Open Discussion] Security Breach -- What to do !
raxitsheth2000 at gmail.com
Mon Feb 16 12:03:32 EST 2009
interesting discussion , forwarding to various relavant groups.
Ok ! So context is... you have found some security loophole in XYZ site, you
inform the concerned company that there is critical loophole, which can
breach security/privacy or both. [Please note, these sites are having
thousands of active users !].
Now there are few possibilities....after disclosing technical details to
1. Ex. Like Myntra.... They were get back to us, fixed within few days.
After that disclosed publically, there was some critical bug !
Note : check this url for further info.
Good. Atleast site owner has taken the steps to protect their user data !
However i had talk with copule of folks, who has reported some critical
security breach to some Big Guys (or Small guys ! not matter !). Now these
site owners are falling into this category, they are not listening. Their
sites are up for security/privacy breach. Even after informing to them, and
waiting for 5-6 days or 2 week, they are not even caring to even reply Nor
they are fixing it ! What do you think, what should be done ? Assume, Site
is still open for hack what should one do ?
Any IT-Act in place ?
Should report to CERT-India ?
Cybercrime (normally i found cybercrime is active when anyone reports any
online harrasment or lottery fraud. but not for Application or site is up
Or Should publish to blog, and disclose everything to public without caring
all that legal issues ?
Or Any other thoughts ????
*We love Mumbai*
---------- Forwarded message ----------
From: Dinesh O'Bareja <dineshbareja at gmail.com>
Date: Mon, Feb 16, 2009 at 8:07 PM
Subject: Re: [Owasp-Mumbai] Hacking Matrimonial site.
To: r4y <secureas at gmail.com>
Cc: raxit sheth <raxit at m4mum.com>, owasp-mumbai at lists.owasp.org
How about including this discussion (khullam khulla) as an agenda item
in the next meet ?
It willgive me some more real stuff for my blog !! And maybe a case
study on the pathetic attitude of the "big guys" towards private
On 2/16/09, r4y <secureas at gmail.com> wrote:
> I actually notified once a matromonial site of a flaw that gave complete
> access to all user data (as the owner of the profile) incl rights to
> picture, profile content, contact memebers etc. i.e. full user access.
> No need to craft URL or XSS in this case.. simple Session ID manipulation
> I reported it to them and followed up every month for 6 months with the
> standard response:
> "Our databse is secure" - lol
> Then I noticed a press release about receiving funding from a very well
> known company, USD 9 million and i was wondering "here is a great example
> a broken business model due to technology!
> So i emailed the CEO, this time i got a better response and they fixed the
> flaw after 2 whole months.
> However the fix is still broken!! This time if u spend a bit more time
> cryptanalysis u can actually recover the user password!! However i havent
> bothered spending my time doing this (at least not for free anyway!)
> Anyway, perhaps something we can talk about in private if interested i can
> share the details ;-)
> 2009/2/14 raxit sheth <raxit at m4mum.com>
>> Hi Chintan
>> Already informed to them. ! That's why name and exact details i have not
>> disclosed, hope they will fix it soon.
>> -raxit sheth
>> On Sat, Feb 14, 2009 at 8:44 AM, chintan dave
>> <davechintan at gmail.com>wrote:
>>> Dear Raxit,
>>> Its great that you found an xss flaw with some leading matrimonial site.
>>> Why don't you write an advisory and bring it to the owner's attention ?
>>> How does that sound?
>>> I guess most the experts around would appreciate that !
>>> On Sat, Feb 14, 2009 at 3:36 AM, raxit sheth <raxit at m4mum.com> wrote:
>>>> Hi Hacker !
>>>> just in lazy time, i am successfully find and Exploit, XSS on Leading
>>>> Matrimonial site !
>>>> What it is doing (Exploit)
>>>> 1. I am sending Classic Membership URL as Free Valentine day offer to
>>>> find your Life partner !. [This is the trick to send Specially Crafted
>>>> please note it is not dummy site, or url of my website. it is
>>>> website only... where i am able to find XSS !!!]
>>>> 2. User is going to matrimonial site using the url to grab
>>>> 3. Enter their id,pwd.
>>>> 4. Id,Pwd will be E-mail to Me :) [Without enduser is knowing !!! :)
>>>> 5. I am redirecting the user to login again !
>>>> Do you want to grab the Valentine offer ???
>>>> Happy Hacking :)
>>>> -Raxit Sheth
>>>> OWASP-Mumbai mailing list
>>>> OWASP-Mumbai at lists.owasp.org
>>> Chintan Dave,
>>> KPMG Singapore
>>> LinkedIn Profile: http://www.linkedin.com/in/chintandave
>>> OWASP-Mumbai mailing list
>>> OWASP-Mumbai at lists.owasp.org
>> OWASP-Mumbai mailing list
>> OWASP-Mumbai at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Bangalore