[OWASP-Bangalore] [BCB] [Open Discussion] Security Breach -- What to do !

Rajiv Vishwa rajivvishwa at gmail.com
Tue Feb 17 01:48:49 EST 2009


Hi

It's high time that the vulnerability is disclosed to public forums so that
the vendors/site developers are forced to fix it.

Please go ahead and submit at sites like xssed.com <http://www.xssed.com/submit>,
cert.org <https://forms.cert.org/VulReport/> etc.

FYI, statement of XSSed on the submission page:

"Submit cross-site scripting vulnerabilities using the form below (HTTP
response splitting, frame redirect and other vulnerabilities that can be
exploited against users are also allowed).
Note: Script insertion vulnerabilities, which can lead to cross-site
scripting, can also be used to damage the site by blocking its visual
access, note that it could represent a crime in many countries and we do not
support this action. *Once the mirror has been validated and published, you
should contact the webmasters of the affected web site and help them to fix
the flaw.*"


Statement of CERT on the submission page:

"We accept reports of security vulnerabilities and serve as a coordinating
body that works with affected vendors to resolve vulnerabilities. If you
believe you have found a security vulnerability
<https://forms.cert.org/VulReport/vrf_instructions.jsp#vulnerabilities> that
has not been resolved, please complete the following form. As our vulnerability
disclosure policy <http://www.cert.org/kb/vul_disclosure.html> explains, we
send information submitted in vulnerability reports to affected vendors. By
default, we will share your name with vendors and publicly acknowledge you
in documents we publish. If you do not want us to share your name or
publicly acknowledge you, select the appropriate responses below."

Go ahead and submit, as a precaution send the disclosed info to the vendor.
There is nothing illegal unless you exploit the vulnerability.

Please check this link to know about the Full Disclosure
<http://en.wikipedia.org/wiki/Full_disclosure> concept.

Regards,
Rajiv Vishwa
Application Security Consultant


On Mon, Feb 16, 2009 at 10:33 PM, Raxit Sheth <raxitsheth2000 at gmail.com> wrote:

> Hi Dinesh
>
> Interesting discussion, forwarding to various relevant groups.
>
> OK! So the context is... you have found some security loophole in XYZ site,
> you inform the concerned company that there is a critical loophole, which can
> breach security/privacy or both. [Please note, these sites have
> thousands of active users!]
>
> Now there are a few possibilities.... after disclosing technical details to
> the concerned site....
>
> 1. E.g. Myntra.... They got back to us and fixed it within a few days.
> After that it was disclosed publicly that there was some critical bug!
>
> Note : check this url for further info.
> http://www.pluggd.in/wtf/myntra-invoice-hack-3409/
>
> Good. At least the site owner has taken steps to protect their user data!
>
> 2.
>
> However I had a talk with a couple of folks who have reported some critical
> security breach to some big guys (or small guys! doesn't matter!). Now these
> site owners fall into this category: they are not listening. Their
> sites are open to security/privacy breach. Even after informing them and
> waiting for 5-6 days or 2 weeks, they don't even care to reply, nor
> are they fixing it! What do you think, what should be done? Assume the site
> is still open for hack; what should one do?
>
> Any IT Act in place?
>
> Should one report to CERT-India?
>
> Cybercrime? (Normally I found cybercrime is active when anyone reports
> online harassment or lottery fraud, but not when an application or site is
> open for hack.)
>
> Or should one publish to a blog and disclose everything to the public without
> caring about all those legal issues?
>
> Or any other thoughts????
>
> *We love Mumbai*
>
> -Raxit Sheth
> www.m4mum.com
> www.mykavita.com
>
> ---------- Forwarded message ----------
> From: Dinesh O'Bareja <dineshbareja at gmail.com>
> Date: Mon, Feb 16, 2009 at 8:07 PM
> Subject: Re: [Owasp-Mumbai] Hacking Matrimonial site.
> To: r4y <secureas at gmail.com>
> Cc: raxit sheth <raxit at m4mum.com>,
> owasp-mumbai at lists.owasp.org
>
> How about including this discussion (khullam khulla) as an agenda item
> in the next meet?
>
> It will give me some more real stuff for my blog!! And maybe a case
> study on the pathetic attitude of the "big guys" towards private
> information.
>
> On 2/16/09, r4y <secureas at gmail.com> wrote:
> > I actually once notified a matrimonial site of a flaw that gave complete
> > access to all user data (as the owner of the profile) incl. rights to
> > change picture, profile content, contact members etc., i.e. full user access.
> > No need to craft a URL or XSS in this case.. simple Session ID manipulation
> > ;-)
> >
> > I reported it to them and followed up every month for 6 months with the
> > standard response:
> > "Our database is secure" - lol
> >
> > Then I noticed a press release about receiving funding from a very well
> > known company, USD 9 million, and I was wondering "here is a great example
> > of a broken business model due to technology!"
> > So I emailed the CEO; this time I got a better response and they fixed
> > the flaw after 2 whole months.
> >
> > However the fix is still broken!! This time if you spend a bit more time
> > doing cryptanalysis you can actually recover the user password!! However I
> > haven't bothered spending my time doing this (at least not for free anyway!)
> >
> > Anyway, perhaps something we can talk about in private; if interested I
> > can share the details ;-)
> >
> >
> > 2009/2/14 raxit sheth <raxit at m4mum.com>
> >
> >> Hi Chintan
> >>
> >> Already informed them! That's why I have not disclosed the name and exact
> >> details; hope they will fix it soon.
> >>
> >> -raxit sheth
> >> www.m4mum.com
> >>
> >>
> >> On Sat, Feb 14, 2009 at 8:44 AM, chintan dave
> >> <davechintan at gmail.com> wrote:
> >>
> >>> Dear Raxit,
> >>> It's great that you found an XSS flaw with some leading matrimonial
> >>> site.
> >>>
> >>> Why don't you write an advisory and bring it to the owner's attention?
> >>> How does that sound?
> >>>
> >>> I guess most of the experts around would appreciate that!
> >>>
> >>> On Sat, Feb 14, 2009 at 3:36 AM, raxit sheth <raxit at m4mum.com> wrote:
> >>>
> >>>> Hi Hacker!
> >>>>
> >>>>
> >>>> Just in lazy time, I successfully found and exploited an XSS on a leading
> >>>> matrimonial site!
> >>>>
> >>>> What it does (exploit):
> >>>>
> >>>> 1. I send a Classic Membership URL as a free Valentine's Day offer to
> >>>> find your life partner! [This is the trick to send a specially crafted
> >>>> URL; please note it is not a dummy site or a URL of my website, it is the
> >>>> matrimonial website only... where I was able to find the XSS!!!]
> >>>>
> >>>> 2. The user goes to the matrimonial site using the URL to grab the offer.
> >>>>
> >>>> 3. They enter their ID and password.
> >>>>
> >>>> 4. The ID and password are e-mailed to me :) [without the end user
> >>>> knowing!!! :)]
> >>>>
> >>>> 5. I redirect the user to log in again!
> >>>>
> >>>>
> >>>> Do you want to grab the Valentine offer???
> >>>>
> >>>>
> >>>> Happy Hacking :)
> >>>>
> >>>> -Raxit Sheth
> >>>> www.m4mum.com
> >>>>
> >>>> _______________________________________________
> >>>> OWASP-Mumbai mailing list
> >>>> OWASP-Mumbai at lists.owasp.org <OWASP-Mumbai%40lists.owasp.org>
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
> >>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> Regards,
> >>> Chintan Dave,
> >>> KPMG Singapore
> >>> LinkedIn Profile: http://www.linkedin.com/in/chintandave
> >>> Blog: http://davechintan.blogspot.com
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
>
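Neither of the defects described in the quoted posts above comes with any code, so here is an added example (mine, not from the thread or from any site it mentions) showing the vulnerable pattern beside the fix for each: output encoding for the reflected XSS that the crafted "offer" link relies on, and an unguessable session identifier with a policy check that rejects counter-style values of the kind that make "session ID manipulation" possible. The renderer, its template, the `SESS...` counter format and the sample parameter are all constructed assumptions for this example.

```python
"""Added example, not code from the thread or from any site discussed in it.

The quoted posts describe two classes of defect without giving any code:
a reflected XSS on a login page (used to phish credentials) and a session
identifier that could be manipulated to take over another user's account.
This file shows the vulnerable pattern beside the fix for each. Every
name, template and sample value here is constructed for the example.
"""
import base64
import binascii
import html
import secrets
from urllib.parse import quote

# Constructed attacker-controlled parameter. The thread only says the link
# was "specially crafted"; this is a generic probe, not the real payload.
SAMPLE_PARAM = '"><script>alert(1)</script>'


def render_vulnerable(offer: str) -> str:
    """Echo the request parameter straight into the page: the pattern that
    lets a crafted link inject markup into the real site's own page."""
    return (f'<p>Welcome to the {offer} offer!</p>'
            f'<a href="/offer?name={offer}">Claim</a>')


def render_hardened(offer: str) -> str:
    """Encode for each output context separately: HTML text gets entity
    encoding; a URL query value gets percent-encoding and is then entity
    encoded again because it sits inside an HTML attribute."""
    text_ctx = html.escape(offer, quote=True)
    url_ctx = html.escape(quote(offer, safe=""), quote=True)
    return (f'<p>Welcome to the {text_ctx} offer!</p>'
            f'<a href="/offer?name={url_ctx}">Claim</a>')


def contains_active_markup(page: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does a raw <script tag survive into the rendered page?"""
    return "<script" in page.lower()


def weak_session_id(counter: int) -> str:
    """Counter-based session ID (constructed). Knowing one value makes the
    neighbours guessable, which is what makes session ID manipulation work."""
    return f"SESS{counter:08d}"


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG, URL-safe base64 encoded (22 characters)."""
    return secrets.token_urlsafe(16)


def session_id_is_strong(sid: str, min_bytes: int = 16) -> bool:
    """Policy check a reviewer can run on issued IDs: the value must decode as
    URL-safe base64 to at least min_bytes of material. This cannot prove the
    source is random, but it rejects short or counter-style identifiers."""
    padded = sid + "=" * (-len(sid) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= min_bytes


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_PARAM))
    print("hardened:  ", render_hardened(SAMPLE_PARAM))
    print("weak id passes policy?  ", session_id_is_strong(weak_session_id(1)))
    print("strong id passes policy?", session_id_is_strong(strong_session_id()))
```

Run it directly to see the injected `<script>` tag in the vulnerable page and its entity-encoded form in the hardened one; the session ID check is the kind of test a site owner can add to a pre-release review so that a fix like the one r4y describes as "still broken" does not reintroduce a predictable identifier.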