Re: Hacking Matrimonial site. --- Check How-to and Video on YouTube.


Raxit Sheth

May 11, 2009, 3:14:39 PM
to owasp-...@lists.owasp.org, BarCampMumbai2, BarcampAhmedabad, barcam...@googlegroups.com, bangalor...@yahoogroups.com
Hey Hackers and BarCampers.



http://www.youtube.com/watch?v=QWsZc3LorUw    BharatMatrimony.com Hack


A few days (months, actually; it was Feb!) back I posted the e-mail below, saying that India's leading matrimonial website (not revealing the name... it was BharatMatrimony.com!) had a security loophole on its login page!

BM has 1.5 crore+ members (source: Bharatmatrimony.com --> About Us). Finally uploading the video (I captured the videos while the site was still open with the security loophole).


BM has not approached me in many days, nor have they taken care to revert. However, more importantly, it seems the reported issue is fixed, and I think it's good to put up "How it was done"


in the hope that you find it interesting, and that it may prevent such a mistake on your website. :)



Funny enough, it was Valentine's Day; I was supposed to go to Y! Hackday but couldn't due to some time conflicts... and
I was searching for my (would-be) life partner, but found a bug :)   Poor me :(


Cheers and Happy Hacking :)

-Raxit Sheth




On Sat, Feb 14, 2009 at 2:58 AM, gorakshnath dorge <gorak...@gmail.com> wrote:
Hi,
Can you prepare a demo for this, with screenshots or a recorded video?
We really want to see this.
 
-Thanks
Gorakshnath

On Fri, Feb 13, 2009 at 12:36 PM, raxit sheth <ra...@m4mum.com> wrote:
Hi Hacker !


Just in my lazy time, I successfully found and exploited an XSS on a leading matrimonial site!

What it does (the exploit):

1.  I send a Classic Membership URL as a free Valentine's Day offer to find your life partner!  [This is the trick to send the specially crafted URL; please note it is not a dummy site or a URL of my website. It is the matrimonial website only... where I was able to find XSS!!!]

2.  The user goes to the matrimonial site using the URL to grab the offer.

3.  They enter their ID and password.

4.  The ID and password are e-mailed to me :)  [without the end user knowing!!! :)]

5.  I redirect the user to log in again!


Do you want to grab the Valentine offer???


Happy Hacking :)

-Raxit Sheth
www.m4mum.com

_______________________________________________
OWASP-Mumbai mailing list
OWASP-...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-mumbai



Amit Gupta

May 11, 2009, 3:58:08 PM
to barcam...@googlegroups.com
It's not surprising that big portals like these employ people who don't know anything about security, and such are their supervisors! The same kind of security hole was in the Indiatimes Shopping portal too, 4 years back; it was first reported by a fellow blogger, and I wrote about it later. At first Indiatimes didn't pay any attention, and when my blog post came up towards the top of the SERPs, I was contacted by a guy from the Times group. They fixed the hole a few days after that, eh!!

--
My online profile @ http://me.amitgupta.in/

Progress in one's own language is the root of all progress;
without knowledge of one's own language, the ache in the heart is never eased.   -- Bharatendu Harishchandra

dutta.navin

May 12, 2009, 2:20:41 AM
to barcam...@googlegroups.com
It is shocking to see how carefree these guys are. I remember around 3-4 years back I reported some bugs at some well-known university portals (yes, portals... not just one portal) where they host, monitor, and administer university results and admission details. It was so vulnerable that by using some XSS and SQL injection the results could be manipulated. Despite bringing it to their attention, no action was taken and it was unresolved for ages!

I remember Wipro's corporate connection portal's security was horribly weak. The admin password was something as strong as "logitech". Top and middle management focus more on getting the work done cheap. To spice the curry, anything brought to their attention is taken casually.

I hope this changes someday!
--
Navin Dutta

(+91 9999 008 927)
www.navindutta.com

Ron Upad

Jun 14, 2009, 2:57:21 PM
to barcampdelhi
I am probably the ignorant one here but educate me a little bit.

I understand that allowing random client-side scripts to run might
potentially allow bad things, but the "hack" shown above requires that
the user go to a particular URL instead of the one provided by BM
(admittedly in the same domain).

So the chances that anybody exploits it are rather low. I mean, it's
not like we got access to their database and are stealing passwords?
Are we?

Tarun


Amit Gupta

Jun 14, 2009, 4:57:02 PM
to barcam...@googlegroups.com
On Mon, Jun 15, 2009 at 12:27 AM, Ron Upad <ta...@tarunupadhyay.com> wrote:

I am probably the ignorant one here but educate me a little bit.

I understand that allowing random client-side scripts to run might
potentially allow bad things, but the "hack" shown above requires that
the user go to a particular URL instead of the one provided by BM
(admittedly in the same domain).

So the chances that anybody exploits it are rather low. I mean, it's
not like we got access to their database and are stealing passwords?
Are we?

Yes, you can steal passwords, as phishing is one of the major motivations behind XSS attacks. The sign-in link on the page can be configured to open an in-page dialogue box which will appear kind of legitimate and will then send the victim's user info to the phisher's server via Ajax. The other content of the page can also be replaced by anything else using JavaScript.

Basically, in a nutshell, this kind of security hole means the website is handed to any exploiter with a free hand; the exploiter can run a shoe-selling website using the infected website's layout, design and domain if he/she so desires!!
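The flaw discussed in this thread (a login page that reflects part of a crafted URL into its markup, as in Raxit's steps above and Amit's explanation of how such a page can be repurposed) comes down to untrusted input being concatenated into HTML. The following is an added example written for this archive; it is not code from BharatMatrimony or from any poster. The query parameter name `msg`, the page layout and the marker payload are constructed for illustration. It shows the vulnerable rendering beside the fixed one, a check that tests or log review can use to spot unexpected script elements, and the response headers that limit the damage if an encoding bug slips through.

```javascript
// Added example (not from the thread): how a reflected-XSS hole on a login
// page arises and how output encoding closes it. The parameter name "msg",
// the form fields and the payload string are assumptions for illustration.

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute. Encoded text is rendered literally by the
// browser instead of being parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Shared page skeleton; `heading` is already safe when called from the
// fixed renderer and raw when called from the vulnerable one.
function loginPage(heading) {
  return `<html><body><h1>${heading}</h1>` +
    `<form method="post" action="/login">` +
    `<input name="id"><input type="password" name="pwd">` +
    `<button>Login</button></form></body></html>`;
}

// "Before": the promotional text from the query string is concatenated
// straight into the page, so whoever controls the link controls the DOM.
function renderLoginVulnerable(query) {
  const msg = query.get("msg") || "Welcome back";
  return loginPage(msg);
}

// "After": the same page with the untrusted value encoded on output.
function renderLoginFixed(query) {
  const msg = escapeHtml(query.get("msg") || "Welcome back");
  return loginPage(msg);
}

// Defender-side check for unit tests or response inspection: does the
// rendered document contain a script element the template never emitted?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Headers a hardened login page should also send. A CSP without
// 'unsafe-inline' blocks injected inline script, and connect-src / form-action
// limited to 'self' stop the page posting credentials to another origin
// even if an encoding bug is reintroduced later.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; connect-src 'self'; " +
      "form-action 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed sample: a link of the kind a mass mailing might carry, with
// the offer text replaced by markup. The payload is a harmless marker.
const craftedQuery = new URLSearchParams({ msg: '<script>alert("xss")</script>' });

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable page has script tag:", containsScriptTag(renderLoginVulnerable(craftedQuery))); // true
  console.log("fixed page has script tag:     ", containsScriptTag(renderLoginFixed(craftedQuery)));      // false
}
```

The point of keeping `loginPage` shared is that the only difference between the two renderers is one call to `escapeHtml` at the point where untrusted data meets HTML; that is where a code review of a login template should look, and the `containsScriptTag` check is the regression test that keeps the fix in place.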

raxitsh...@gmail.com

Jun 15, 2009, 12:47:17 AM
to Amit Gupta, barcam...@googlegroups.com
Hey


Thanks !

The user is never going to enter the BM URL with my JavaScript code. :)


Did you ever see the e-mail campaigns by BM? In their official e-mail campaigns, which type of URL/HTML are they using? If you have seen them, there is no need to tell you; you can do it easily :)


-Raxit Sheth