How I could've accessed personal details of tens of thousands of people

This is a security issue I found in a company that works in several different fields. They make various types of electronic equipment and also offer the public an easy way to enroll for and avail the benefits of different Govt Schemes. Let's say the company name is XYZ and the domain is xyz.com.

Through their service centres they provide people a way to enroll for various govt services, much like a govt agency: the public can register or apply for any kind of govt service, scheme, etc. They're also an authorized service provider for a Govt Scheme run by a state govt.

I was checking the functionality of their website and noticed a login URL under /admin. I visited /admin/login.php and saw a login page.
I tried 5-10 different user:pass combinations and none of them worked. I then decided to try SQLi in the login form. Like most PHP sites created by noooobs, this site is also vulnerable to SQL injection in the login form.
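To show what "vulnerable to SQLi in the login form" means in code, here is an added illustration that is not code from this post or from XYZ's site. Python's built-in sqlite3 stands in for the PHP/MySQL stack; the table name `admin_users`, its columns, the demo credentials and the test inputs are all constructed for the example. The vulnerable login splices the form fields into the SQL text; the hardened version uses a parameterised query and a constant-time hash comparison, and the same textbook test input is run against both so a developer can keep it as a regression test.

```python
import hashlib
import hmac
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for an admin-user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO admin_users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"demo-password-not-real").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The anti-pattern: form fields are concatenated into the SQL text, so a
    quote in the username field changes the structure of the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username FROM admin_users "
        f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """The fix: a parameterised query (the driver passes the value separately
    from the SQL text, so it can only ever be data) and a constant-time
    comparison of the password hash in application code."""
    row = conn.execute(
        "SELECT pw_hash FROM admin_users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], candidate)


# Constructed test input: the textbook case where the username field closes
# the string literal early and a SQL comment marker drops the password check.
BYPASS_USERNAME = "admin' -- "
WRONG_PASSWORD = "not-the-password"


def demo():
    """Run both implementations against the same inputs; every value should be True."""
    conn = build_demo_db()
    return {
        "vulnerable_accepts_bypass": login_vulnerable(conn, BYPASS_USERNAME, WRONG_PASSWORD),
        "hardened_rejects_bypass": not login_hardened(conn, BYPASS_USERNAME, WRONG_PASSWORD),
        "hardened_accepts_real_creds": login_hardened(conn, "admin", "demo-password-not-real"),
        "hardened_rejects_wrong_password": not login_hardened(conn, "admin", WRONG_PASSWORD),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The only difference that matters for the injection is the `?` placeholder: the hardened query's text is fixed at prepare time, so the same username value that rewrote the vulnerable query is simply looked up as a literal string and finds no row. Hashing with plain SHA-256 is kept only to keep the example short; a real site would use a slow password hash such as bcrypt or Argon2.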

Once I had access to the admin panel, I saw scanned copies of ID cards, PAN cards, Aadhaar cards, etc., as well as the email addresses, mobile numbers and other details of tens of thousands of people.

Steps taken

They don't have any VDP (vulnerability disclosure program) or BBP (bug bounty program). I contacted them via email and got no response from them within 14 days.

I threatened them that if they didn't fix it within 2 weeks, I would wipe out their database, as they have no right to leak the public's sensitive information.

This time, they fixed the vulnerability in 10 days but didn't reply to my mail.
