How I could've accessed personal details of tens of thousands of people

-
This is a security issue I found in one of the company that work in different fields. They make different type of electronic equipments as well as offers the public an easy way to enroll and avail benefits of different Govt Schemes. Let's say the company name is XYZ and the domain is xyz.com.

 They provide people a way to enroll to various govt services with their service centres, like a govt agency and public can register/ apply for any kind of govt services, schemes, etc. They're also an authorized service provider of a Govt Scheme by a state govt.





 I was checking the functionalities in their website and noticed a login url under /admin. I visited /admin/login.php and saw a Login page.
I tried 5-10 different user:pass combinations and none of them worked. I then decided to try sqli in the login form. Like most of the PHP sites created by noooobs, this site is also vulnerable to sqli in login form.

 I got access to the admin panel, I saw scanned copies of ID cards, PAN cards, Aadhar Cards, etc and also email, mobile and other details of tens of thousands of people.

Steps taken

They don't have any VDP or BBP. I contacted them via email and got no response from them within 14 days.

 I threatened them that if they won't fix it in 2 weeks, I will wipe out their database as they don't have any right to leak public's sensitive information.





 This time, they fixed the vulnerability in 10 days but didn't reply to my mail.

Comments

Post a Comment

Popular posts from this blog

Taking over Facebook Page Tabs

-
Image
In this post, I'm describing how I was able to take over 4 tabs on Facebook's own Pages. 1. Facebook India Ambassadors I was browsing Facebook as usual and not in a mood to test anything. I then visited Facebook India's page to check is there any update from Facebook India and that's when I noticed a page tab Facebook India Ambassadors . I clicked on it to see Facebook India's Brand Ambassadors and the tab showed a heroku error page. I was surprised to see that there. It looked interesting to me so I decided to dig further. I found out that it loads a third party website in an iframe in main section. The url was  http://immense-atoll-4159.herokuapp.com/  and I visited the url directly to verify that the subdomain doesn't exist. Heroku shows a does not exist error page if the subdomain doesn't exist. So I logged into my Heroku account and created a new project and give immense-atoll-4159  as project id. Then I created a simple NodeJS Script for
Read more

Send request to Martians. Earthlings are already your friends.

-
Image
Hello everyone, I'm back with another write up. This time it's a Google bug. YouTube is Google's video sharing site and a great place to explore. As a bug hunter, you can spend hours or days or even weeks in YouTube without hesitation. I always used YouTube to play some music when I worked as a developer last year. When I started bug hunting, I tried YouTube multiple times and can't find any. Then I started hunting on another google services. After hunting for more than 2 hours, I found a bug on one of Google's acquisition. According to  Google , a video PoC is required only if it is contributing something that the text can't. But I'm a great fan of videos and my first bug to google (duplicate) contained a 15min video 😎. I recorded a video of that bug I found and visited YouTube to upload it. when I clicked upload button, I noticed something strange aside it, something new. It looked like a message button. But then, the upload page has loaded
Read more