ThinkDigit Site Hacked

Status
Not open for further replies.

victor_rambo

Horn OK Please
have you hacked any other site before?
or this is your first time?
:D....cannot tell this

I read ur comment on the blog. Thanks for ur concern, I have thought carefully before making that post. And frankly, I never expected that the exploit would work with this website. but it worked.........
 

Quiz_Master

* Teh Flirt King *
Cool dude.. Awesome..
And thanks for alerting the admins.. Yes.. Digit people need to seriously consider this site's security.. (Maybe they can hire u :D)

Though I tried to tell this on ur blog (as I am avoiding this forum these days) but couldn't comment because of some technical difficulties.
 

gary4gar

GaurishSharma.com
:D....cannot tell this

I read ur comment on the blog. Thanks for ur concern, I have thought carefully before making that post. And frankly, I never expected that the exploit would work with this website. but it worked.........
whoa, you got lot of attention
wonder if its positive or negative publicity, please figure out :p


Regarding my comment on your blog.
I suggested it because there is no harm in taking some precautions.
Like, imagine if Digit reports it to enforcement agencies (thank God, they are not doing it):
they have enough proof against you
1) Your IP address
2) Your name
3) Your location
4) Your photograph even
5) Your blog post & this thread, openly confessing the act (a solid piece of evidence)

Even if your motive was good, so you have chances of walking free, but at a minimum your name is spoiled.
Remember, always play extra safe ;)

In addition, you could contact the webmaster before the attack and give prior information (read: open challenge).
Now this way, you are doing the ethically correct thing.

Not all organizations are as good as Digit; there are evil ones out there.


PS: I am not against ethical hacking. Just advocating safety measures.
 

din

Tribal Boy
@rohan_shenoy

Really appreciate it, I mean you informed Digit about the vulnerability and didn't do anything bad. Nice of you.

What gary4gar mentioned is also very valid. You have done something good, but take care because it may go negative too.

Some other things related to this.

To be honest, not surprising or shocking. I remember reporting a major vulnerability (like, without any hack we could see a lot of personal details of members) in Rediff 3 years back. The toughest thing was to get a contact number to inform them! Had to google a lot at that time, finally found the phone number and told them. First they didn't believe, then they transferred it to their tech section and they called me back for details. But they could fix it within hrs. If Rediff is open to attacks, Thinkdigit will be for sure!

Main thing is - the advantage (and disadvantage too) of PHP-MySQL is that anyone with a basic knowledge of programming can learn it very easily. Maybe 1 month is quite adequate. Once they know the basics, over-confidence starts. They think programming is all that they learned in 1 month. They start coding and never think of any precautions that they should take.

Another thing is the multi-level outsourcing. One of my friends working in a famous Indian IT firm (do not want to name!) told me they outsource projects which they get from abroad (which they get as outsourced!). But the final product will be in their name. So the quality may not be the same. In big companies, coding is just one part; there will be teams for multi-level testing, debugging, security testing and a lot more. But small companies or people who are new in the field may not think of all those. They just start coding and once it's done they deliver it.

Thing is, these kinda people not only lose their credibility, but spoil the image of other Indian companies which are doing very well in the field :(

PS : @rohan_shenoy

There is some small bug in your blog's comment page. It is not javascript, something with PHP itself. I think there is a space or "echo" or some redirection set wrong in the file /home/mhtcet/public_html/w3hobbyist.com/admin/config.php. Even a blank line can cause it. The comments go to the db it seems, but it fails to load the next page (due to the header issue).

Offtopic: I guess w3hobbyist.com is a parked / add-on domain? If so, I strongly recommend you make it a separate web space as it will do better with search engines. Please ignore if it is not.
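The "header issue" din describes above is the classic PHP failure where an included file emits output (a blank line after its closing tag, a UTF-8 BOM, a stray echo) before the script calls header(), so the row is inserted but the redirect never happens. The following is an added example, not code from w3hobbyist.com, Digit or anyone in this thread; the file names (admin/config.php, comment.php), the table and column names and the $db_* variables are assumptions. It shows the broken and fixed config file side by side and a comment handler that detects the condition with headers_sent() instead of failing silently.

```php
<?php
/*
 * Added example (hypothetical reconstruction, not the blog's real code).
 *
 * --- BROKEN admin/config.php ---------------------------------------------
 * <?php
 * $db_host = 'localhost';
 * $db_name = 'blog';
 * ?>
 *                    <-- a blank line after the closing tag is sent to the
 *                        browser as body output, which flushes the headers
 *
 * --- FIXED admin/config.php ----------------------------------------------
 * <?php
 * $db_host = 'localhost';
 * $db_name = 'blog';
 * // no closing tag at all in a PHP-only file: nothing after it can leak
 *
 * --- comment handler, hypothetical file comment.php ----------------------
 */
declare(strict_types=1);

require __DIR__ . '/admin/config.php';   // assumed to define $db_host, $db_name, $db_user, $db_pass

// Validate the form fields before touching the database.
$postId = filter_input(INPUT_POST, 'post_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$author = trim((string) filter_input(INPUT_POST, 'author'));
$body   = trim((string) filter_input(INPUT_POST, 'body'));

if ($postId === false || $postId === null || $author === '' || $body === '') {
    http_response_code(400);
    exit('Missing or invalid fields.');
}

$pdo = new PDO(
    "mysql:host=$db_host;dbname=$db_name;charset=utf8mb4",
    $db_user,
    $db_pass,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Parameterised insert: user input never becomes part of the SQL text.
$stmt = $pdo->prepare('INSERT INTO comments (post_id, author, body) VALUES (?, ?, ?)');
$stmt->execute([$postId, $author, $body]);

$next = '/post.php?id=' . $postId;

// If anything has already produced output, header() cannot set Location and
// the visitor is left on a blank page even though the row was inserted.
// headers_sent() reports the file and line where output started, which is
// exactly what is needed to find the offending blank line.
if (headers_sent($file, $line)) {
    error_log("comment.php: redirect impossible, output started at $file:$line");
    echo '<p>Comment saved. <a href="' . htmlspecialchars($next, ENT_QUOTES) . '">Continue</a></p>';
    exit;
}

header('Location: ' . $next, true, 303);   // 303: the right status after a POST
exit;
```

Leaving the closing tag off PHP-only files is the standard fix because trailing whitespace after it is invisible in most editors; checking the web server's error log for the headers_sent() message then points straight at the file and line that still leaks output.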
 

victor_rambo

Horn OK Please
@Gary
If it's negative publicity, it's for the Indus firm. The way they designed such a high-profile site made them "deserve" such kind of publicity.


@Din,
If the firm has outsourced the services, it is still responsible for the mess because the services were sought from the "firm". It is not a case of reference of a freelancer from a firm. The firm is responsible for web design and programming.

EDIT: Din, since you are PHP-MySQL programmer, I think you will better understand the issue.
and yeah, thanks for those tips. It is an addon domain.
 

Faun

Wahahaha~!
Staff member
only if they had made it in ASP/JSP, it was a tad bit to crack the nuts.

I knew php is just a dirty fast way to create pages, and a noob can easily forget to make it hack proof.
 

din

Tribal Boy
@rohan_shenoy

You are 100% right. I mean the firm is fully responsible for it. I was no way justifying it. I was telling the reasons why the quality of programming / sites goes down sometimes.
 

praka123

left this forum longback
what @gary said is true. @shenai, you should've used TOR or some other proxies... better luck next time ;)
 

victor_rambo

Horn OK Please
only if they had made it in ASP/JSP, it was a tad bit to crack the nuts.
Even if its ASP, the same exploit wud work.

I knew php is just a dirty fast way to create pages, and a noob can easily forget to make it hack proof.
Are you calling PHP dirty :D no way

@rohan_shenoy

You are 100% right. I mean the firm is fully responsible for it. I was no way justifying it. I was telling the reasons why the quality of programming / sites goes down sometimes.
ya......I agree to your views.
 

Raaabo

The Dark Lord
Staff member
Admin
Why would a company prosecute a white-hat? That's ridiculous! Black-hats, however, will be prosecuted to the full extent of the law.

Just to clarify, at no point in time were the personal details of forum members at risk of being stolen or exploited. This forum is on a different database and a different CMS with a completely different admin login.
 
iMav (OP)

The Devil's Advocate
Why would a company prosecute a white-hat? That's ridiculous! Black-hats, however, will be prosecuted to the full extent of the law.
absolutely
Just to clarify, at no point in time were the personal details of forum members at risk of being stolen or exploited. This forum is on a different database and a different CMS with a completely different admin login.
damn, that means even if hacked (which I don't know how to) I wouldn't have been able to send you to Shameful Misery, oh damn!
 

victor_rambo

Horn OK Please
Why would a company prosecute a white-hat? That's ridiculous! Black-hats, however, will be prosecuted to the full extent of the law.
Thank you
Just to clarify, at no point in time were the personal details of forum members at risk of being stolen or exploited. This forum is on a different database and a different CMS with a completely different admin login.
Yes the user details which could be stolen were of registered users of the site, not the forum.
 

tuxfan

Technomancer
Thanks Manan and Gaurav.

Now something more:
Though I managed to hack into the admin section of the website (screenshots on my blog post), I immediately informed Digit about it (you can check copies of emails too on my blog post).

That is the reason now they have put the admin/ folder under .htaccess protection. If you try to visit www.thinkdigit.com/admin/ you will get a basic authentication type of popup which was implemented after I informed them about it.

Good work in terms of technology / web security. But you have committed a criminal act under Indian Information Technology Act by hacking into a system! This makes you liable for imprisonment as well as fine! As far as I remember it is 5 yrs and 1 lakh.

Your intention doesn't matter! Whether you actually caused any damage or not doesn't matter! As soon as you hack in, you have committed a criminal act under the IIT Act.

Be careful mate. :)
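The ".htaccess protection" on the admin/ folder that the quoted post describes is Apache's HTTP Basic authentication. As an added illustration (not Digit's actual configuration; the paths and user name are placeholders), this is the shape such an .htaccess file takes and how the matching password file is created:

```apache
# Added example, not Digit's real configuration.
# Lives at <docroot>/admin/.htaccess (placeholder path). The directory must have
# "AllowOverride AuthConfig" in the main Apache config or this file is ignored.
AuthType Basic
AuthName "Site administration"
# Keep the password file outside the document root so it can never be served.
AuthUserFile /srv/private/example.htpasswd
Require valid-user

# Create the password file once on the server with bcrypt hashes
# (user name is a placeholder):
#   htpasswd -B -c /srv/private/example.htpasswd admin_user
```

Two caveats a practitioner would check: Basic auth only base64-encodes the credentials, so the admin/ path has to be served over HTTPS or the password travels in the clear; and the popup is a gate in front of the application's own login, not a fix for whatever flaw let the admin section be reached in the first place.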
 

blackpearl

The Devil
@tuxfan: It's alright bro, nobody is pressing charges on him. He is fine.

@rohan: You should now target chip-india.in website. About a year or two ago, their old site had a staggering number of silly security loopholes. Forum members used to regularly discover them every couple of weeks. I bet they still have vulnerabilities even on their new site.
 

victor_rambo

Horn OK Please
Good work in terms of technology / web security. But you have committed a criminal act under Indian Information Technology Act by hacking into a system! This makes you liable for imprisonment as well as fine! As far as I remember it is 5 yrs and 1 lakh.

Your intention doesn't matter! Whether you actually caused any damage or not doesn't matter! As soon as you hack in, you have committed a criminal act under the IIT Act.

Be careful mate. :)
Thanks for your concern mate. But I know the loopholes which I am obviously not discussing out here :D

And yeah, in the Court of Law, Intention DOES matter. They say:
"If a doctor gives a medicine with an intention to harm the patient, the doctor is a criminal even if the medicine does not cause harm. In the same way, if a doctor gives a poison with the intention of curing the ailment, it is not a crime."

Obviously you have to have something to PROVE your intention, which I already have. ;)
 