Your Eureka Forbes account can easily be hacked!

I am a customer of Eureka Forbes, and last year I was accessing their website to make a payment. I own an Aquaguard Water Purifier by them and wanted to pay for the yearly maintenance contract (AMC). For anything related to your account, you need to log in via their website (https://www.eurekaforbes.com/). There is currently only 1 mechanism available for login – OTP Login. You provide your phone number (registered with Eureka Forbes) and they send an SMS OTP to your phone. ...

2020-Apr-11 · 3 min

Never Post A Picture Of Your Boarding Pass On Social Media

Whenever I go on a trip I do the mandatory check-in at Facebook, Twitter and Instagram, saying where I am going, who my travel-mates are, how many days I will be away, and I post a picture of my boarding pass to prove it. I love doing it; it's super cool for my friends and anyone who follows me! But sadly I am not aware of what an adversary can do with just my airplane boarding pass. ...

2019-Mar-24 · 6 min

Fraud Android App in the name of Jio Prime

I am following an Instagram meme page with about 130K followers. These meme pages post ads sometimes when they get paid for them. One such ad said – “Get 10GB Data Everyday for Free for 3 Months – for Jio Prime Users”. Since I am a Jio user, I got curious to check this and was sure this was some kind of fraud going on, and the ad was not by the original Jio — they were using the name of Jio to milk their followers, since many of the users use Jio for their data connection. ...

2019-Jan-29 · 3 min

Login Bypass Vulnerability on a famous Indian Restaurant chain

TLDR: While ordering dinner for myself, I came across a bug where I could log in to anybody’s account and view their details (like name, email address, home address, order details). This issue was fixed on the same day it was reported to the concerned technical team. Let’s name the company FoodieExpress, which serves fast food in their restaurants, allows take-away of food and does home-delivery of food (when ordered over call, mobile app or website). ...

2018-Aug-30 · 3 min

Bypass Root detection in Android - by modifying the APK

Developers implement root-detection mechanisms in Android to prevent users from using their app on a rooted phone. The app (APK) will implement different checks to determine whether the phone is rooted or not. Later, after this check, if the phone is rooted then the APK will display some message like “This device is rooted, exiting the application” or “This application will not work on rooted device, exiting!” and it will exit the application. ...

2017-Dec-16 · 3 min

UTI ITSL – Data Disclosure through a single key

NSDL and UTI are two bodies under the Indian Government which are the official PAN Card service providers. Recently I had the privilege to take services for PAN Updation through UTI ITSL. After waiting for some time for the processing of my card, I went to the website of UTI-ITSL to check the status. I entered the application number, and instantly got the status of my query. Cool! As a fuzzer, in the form field for ‘Application Coupon Number’, I entered the next number (my application number + 1). And yes, it gave the results. I entered some more numbers in the sequence, and got results for each query. I could get results for applications as early as 2011. This means that if someone runs a tiny script to scrape data of applicants for the last 8 years, they can easily get the details – Full name, PAN Number, Application Number. ...

2017-Mar-18 · 3 min

Instagram - Your posts are not really private

You are using Instagram, right? And you might have kept your posts private, so that only your followers can view your posts. Yes, even I have ticked the option to allow only my followers to view my posts. That option works well if you are browsing through Instagram only. But what if you post your Instagram picture’s link like this: The post on your Instagram profile was limited only to your followers (maybe 150, 1500 or 150k), but now your tweet has made that picture available to millions of people who are on the Internet. Anybody can click on the link and see your picture. ...

2016-Feb-25 · 1 min

Remote Logging with Rsyslog

Rsyslog is the rocket-fast system for log processing. As the successor to syslog, rsyslog now comes pre-installed on Linux systems and is meant for local and remote logging. On any system, you will want to: (a) log the system and application logs on the local machine, and/or (b) log the system and application logs to a remote machine. Below are 2 cases, useful for forwarding OS logs and application logs. Forwarding only OS logs: add the line given below at the bottom of the /etc/rsyslog.conf file, and then restart the rsyslog service: ...

2015-Oct-04 · 4 min

SSL/TLS and Your Browser

Deep dive into SSL/TLS protocol implementation in browsers, explaining the handshake process, certificate validation, and what attackers can see during encrypted connections.

2014-Aug-29 · 7 min

SQL Truncation Vulnerability

SQL Injection. At the top of the OWASP Top 10 list. I was going through some missions, and came across one with a SQL Truncation vulnerability. It is an ignored vulnerability, and many have patched it, but there are lots of websites which still have this vulnerability. Here I’m explaining to you (ELI5) the basics of SQL Truncation and how the vulnerability is exploited. The Scenario: Let’s take an example of a website where a user can register himself with a username and password, and later log in with the same username-password combination. Let’s name this website pikachu.com. ...

2014-Feb-25 · 5 min