[OWASP-Bangalore] [Open Discussion] Security Breach -- What to do !

Raxit Sheth raxitsheth2000 at gmail.com
Mon Feb 16 12:03:32 EST 2009


Hi Dinesh

Interesting discussion, forwarding to various relevant groups.



OK! So the context is... you have found some security loophole in XYZ site; you
inform the concerned company that there is a critical loophole, which can
breach security, privacy or both. [Please note, these sites have
thousands of active users!]

Now there are a few possibilities... after disclosing technical details to the
concerned site...

1.  Ex. Like Myntra.... They got back to us, fixed within a few days.
After that it was disclosed publicly that there was some critical bug!

Note: check this URL for further info.
http://www.pluggd.in/wtf/myntra-invoice-hack-3409/

Good. At least the site owner has taken steps to protect their user data!

2.

However I had a talk with a couple of folks who have reported some critical
security breach to some Big Guys (or Small Guys! does not matter!). Now these
site owners are falling into this category: they are not listening. Their
sites are open for security/privacy breach. Even after informing them, and
waiting for 5-6 days or 2 weeks, they are not even caring to reply, nor
are they fixing it! What do you think, what should be done? Assume the site
is still open for hack; what should one do?

Any IT Act in place?


Should one report to CERT-India?


Cybercrime (normally I found cybercrime is active when anyone reports any
online harassment or lottery fraud, but not for an application or site that is up
for hack)


Or should one publish to a blog, and disclose everything to the public without caring
about all those legal issues?


Or any other thoughts????



*We love Mumbai*


-Raxit Sheth
www.m4mum.com
www.mykavita.com






---------- Forwarded message ----------
From: Dinesh O'Bareja <dineshbareja at gmail.com>
Date: Mon, Feb 16, 2009 at 8:07 PM
Subject: Re: [Owasp-Mumbai] Hacking Matrimonial site.
To: r4y <secureas at gmail.com>
Cc: raxit sheth <raxit at m4mum.com>, owasp-mumbai at lists.owasp.org


How about including this discussion (openly, "khullam khulla") as an agenda item
in the next meet?

It will give me some more real stuff for my blog!! And maybe a case
study on the pathetic attitude of the "big guys" towards private
information.



On 2/16/09, r4y <secureas at gmail.com> wrote:
> I actually notified once a matrimonial site of a flaw that gave complete
> access to all user data (as the owner of the profile) incl. rights to
> change picture, profile content, contact members etc., i.e. full user access.
> No need to craft a URL or XSS in this case.. simple Session ID manipulation
> ;-)
>
> I reported it to them and followed up every month for 6 months with the
> standard response:
> "Our database is secure" - lol
>
> Then I noticed a press release about receiving funding from a very well
> known company, USD 9 million, and I was wondering "here is a great example
> of a broken business model due to technology!"
> So I emailed the CEO; this time I got a better response and they fixed the
> flaw after 2 whole months.
>
> However the fix is still broken!! This time if you spend a bit more time
> doing cryptanalysis you can actually recover the user password!! However I haven't
> bothered spending my time doing this (at least not for free anyway!)
>
> Anyway, perhaps something we can talk about in private; if interested I can
> share the details ;-)
>
>
> 2009/2/14 raxit sheth <raxit at m4mum.com>
>
>> Hi Chintan
>>
>> Already informed them! That's why I have not disclosed the name and exact
>> details; hope they will fix it soon.
>>
>> -raxit sheth
>> www.m4mum.com
>>
>>
>> On Sat, Feb 14, 2009 at 8:44 AM, chintan dave
>> <davechintan at gmail.com> wrote:
>>
>>> Dear Raxit,
>>> It's great that you found an XSS flaw with some leading matrimonial site.
>>>
>>> Why don't you write an advisory and bring it to the owner's attention?
>>> How does that sound?
>>>
>>> I guess most of the experts around would appreciate that!
>>>
>>> On Sat, Feb 14, 2009 at 3:36 AM, raxit sheth <raxit at m4mum.com> wrote:
>>>
>>>> Hi Hacker!
>>>>
>>>>
>>>> Just in lazy time, I successfully found and exploited XSS on a leading
>>>> matrimonial site!
>>>>
>>>> What it is doing (Exploit)
>>>>
>>>> 1.  I am sending a Classic Membership URL as a Free Valentine's Day offer to
>>>> find your life partner! [This is the trick to send a specially crafted
>>>> URL; please note it is not a dummy site, or the URL of my website. It is
>>>> the matrimonial website only... where I am able to find XSS!!!]
>>>>
>>>> 2.  User goes to the matrimonial site using the URL to grab it.
>>>>
>>>> 3.  Enter their id, pwd.
>>>>
>>>> 4.  Id, pwd will be e-mailed to me :)  [Without the end user knowing!!! :) ]
>>>>
>>>> 5.  I am redirecting the user to log in again!
>>>>
>>>>
>>>> Do you want to grab the Valentine offer???
>>>>
>>>>
>>>> Happy Hacking :)
>>>>
>>>> -Raxit Sheth
>>>> www.m4mum.com
>>>>
>>>> _______________________________________________
>>>> OWASP-Mumbai mailing list
>>>> OWASP-Mumbai at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Chintan Dave,
>>> KPMG Singapore
>>> LinkedIn Profile: http://www.linkedin.com/in/chintandave
>>> Blog:http://davechintan.blogspot.com
>>>
>>>
>>>
>>
>>
>>
>
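The "simple Session ID manipulation" flaw r4y describes above, where editing the session identifier selects another user's profile, comes down to the server trusting a client-supplied value as the user's identity. The following Python is an added illustration and not code from this thread or from any site discussed: a hypothetical in-memory user table and two session stores, one that mimics the flaw (the session ID is the user ID) and one that binds a random, unguessable token to the user on the server and then enforces that the session's user owns the profile being edited. All names, users and functions here are constructed for the example.

```python
import hmac
import secrets

# Constructed sample data: two users of a hypothetical profile site.
USERS = {
    "u1001": {"name": "Asha", "email": "asha@example.invalid"},
    "u1002": {"name": "Ravi", "email": "ravi@example.invalid"},
}


class WeakSessionStore:
    """Mimics the flaw described on the list: the session ID *is* the user ID,
    so anyone who edits the cookie value becomes a different user."""

    def login(self, user_id):
        return user_id  # predictable, attacker-controllable

    def resolve(self, session_id):
        return session_id if session_id in USERS else None


class SessionStore:
    """Server-side session table keyed by an unguessable random token.
    The client only ever holds the token; the mapping to a user lives here."""

    def __init__(self):
        self._sessions = {}

    def login(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = user_id
        return token

    def resolve(self, token):
        # Constant-time comparison so lookup timing does not leak token bytes.
        for stored, uid in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return uid
        return None

    def logout(self, token):
        self._sessions.pop(token, None)


def edit_profile(store, session_id, target_user, new_name):
    """Object-level authorization: the session must resolve to a logged-in
    user, and that user must own the profile being edited."""
    uid = store.resolve(session_id)
    if uid is None:
        return "401 not logged in"
    if uid != target_user:
        return "403 not your profile"
    USERS[target_user]["name"] = new_name
    return "200 updated"


def demonstrate():
    """Run both stores against the same ownership check and return the outcomes."""
    results = {}

    # Weak store: Ravi logs in, then simply presents Asha's ID as his session.
    weak = WeakSessionStore()
    weak.login("u1002")
    results["weak_forged"] = edit_profile(weak, "u1001", "u1001", "Mallory")

    # Random-token store: a guessed value resolves to nobody, and a genuine
    # session for Ravi cannot touch Asha's profile.
    store = SessionStore()
    ravi = store.login("u1002")
    results["strong_guess"] = edit_profile(store, "u1001", "u1001", "Mallory")
    results["strong_cross"] = edit_profile(store, ravi, "u1001", "Mallory")
    results["strong_own"] = edit_profile(store, ravi, "u1002", "Ravi K")
    store.logout(ravi)
    results["strong_after_logout"] = edit_profile(store, ravi, "u1002", "Ravi")
    return results


if __name__ == "__main__":
    for case, outcome in demonstrate().items():
        print(f"{case:20s} {outcome}")
```

The point the example makes is that an ownership check alone is not enough: with the weak store the `uid != target_user` test passes, because the forged session resolves to the victim. The fix is to make the session token meaningless to the client and keep the identity mapping on the server, which is what `SessionStore` does.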