- Status
victor_rambo
हॉर्न ओके प्लीज़
....cannot tell thisI read ur comment on the blog. Thanks for ur concern, I have thought carefully before making that post. And frankly, I never expected that the exploit would work with this website. but it worked.........
Quiz_Master
* Teh Flirt King *
Cool dude.. Awesome..
And thanks for Alerting the admins.. Yes..Digit people needs to seriously consider this sites security..(Maybe they can hire u)
Though I tried to tell this on ur blog(As I am avoiding this forum these days) but couldnt comment cause of some technical difficulties.
And thanks for Alerting the admins.. Yes..Digit people needs to seriously consider this sites security..(Maybe they can hire u
)Though I tried to tell this on ur blog(As I am avoiding this forum these days) but couldnt comment cause of some technical difficulties.
gary4gar
GaurishSharma.com
whoa, you got lot of attention
I read ur comment on the blog. Thanks for ur concern, I have thought carefully before making that post. And frankly, I never expected that the exploit would work with this website. but it worked.........
wonder if its positive or negative publicity, please figure out
Regarding my Comment on your blog.
I suggested you because There is no harm taking some precautions.
Like, imagine if Digit report it to Enforcement agenies(Thank God, they are Not doing it)
they have enough proof against you
1) Your Ip address
2) Your Name
3) Your location
4) Your Photograph even
5) Your Blog post & this thread, openly confessing the act(A solid piece of evidence)
Even you motive was good, so you have chances of walking free but at minimum your name spoiled
Remember, Always Play extra Safe
In addition, You could contact Webmaster before the attack, and give a prior information(Read: Open challenge)
Now this way, You are Doing Ethically correct
Not all Organizations are Good as Digit. they are evil ones out there
Ps: I am not against ethical hacking. Just advocating safety measures
Last edited:
din
Tribal Boy
@rohan_shenoy
Really appreciate it, I mean you informed Digit about the vulnerability and didn't do anything bad. Nice of you.
What gary4gar mentioned is also very valid. You have done something good, but take care because it may go negative too.
Some other things related to this.
To be honest, not surprising or shocking. I remember reporting a major vulnerability (like without any hack we could see a lot of personal details of members) in Rediff 3 year back. The toughest thing was to get a contact number to inform them ! Had to google a lot at that time, finally found the phone number and told them. First they didn't believe, then they transferred it to their tech section and they called me back for details. But they could fix it within hrs. If Rediff is open to attacks, Thinkdigit will be for sure !
Main thing is - advantage (and disadvantage too) of PHP-Mysql is, anyone with a basic knowledge in programming can learn it very easily. May be 1 month is quite adequate. Once they know the basics, over confidence starts. They think programming is all what they learned in 1 month. They start coding and never think of any precautions that they should take.
Another thing is the multi-level outsourcing. One of my friends working in a famous Indian IT firm (do not want to name !), told me they outsource projects which they get from abroad( which they get as out sourced !). But the final product will be in their name. So the quality may not be the same. In big companies, coding is just one part, there will be team for multi level testing, debugging, security testing and a lot. But small companies or people who are new in the field, may not think of all those. They just start coding and once its done they deliver it.
Thing is these kinda people not only lose their credibility, but spoils the image of other Indian companies which are doing very good in the field
PS : @rohan_shenoy
There is some small bug in your blog's comment page. It is not javascript, something with PHP itself. I think there is a space or "echo" or some redirection set wrong in the file /home/mhtcet/public_html/w3hobbyist.com/admin/config.php . Even a blank line can cause it. The comments goes to db it seems but fails to load the next page (due to the header issue)
Offtopic : I guess w3hobbyist.com is a parked / add-on domain ? If so, I strongly recommend you to make it separate web space as it will do better with search engines ? Please ignore if it is not.
Really appreciate it, I mean you informed Digit about the vulnerability and didn't do anything bad. Nice of you.
What gary4gar mentioned is also very valid. You have done something good, but take care because it may go negative too.
Some other things related to this.
To be honest, not surprising or shocking. I remember reporting a major vulnerability (like without any hack we could see a lot of personal details of members) in Rediff 3 year back. The toughest thing was to get a contact number to inform them ! Had to google a lot at that time, finally found the phone number and told them. First they didn't believe, then they transferred it to their tech section and they called me back for details. But they could fix it within hrs. If Rediff is open to attacks, Thinkdigit will be for sure !
Main thing is - advantage (and disadvantage too) of PHP-Mysql is, anyone with a basic knowledge in programming can learn it very easily. May be 1 month is quite adequate. Once they know the basics, over confidence starts. They think programming is all what they learned in 1 month. They start coding and never think of any precautions that they should take.
Another thing is the multi-level outsourcing. One of my friends working in a famous Indian IT firm (do not want to name !), told me they outsource projects which they get from abroad( which they get as out sourced !). But the final product will be in their name. So the quality may not be the same. In big companies, coding is just one part, there will be team for multi level testing, debugging, security testing and a lot. But small companies or people who are new in the field, may not think of all those. They just start coding and once its done they deliver it.
Thing is these kinda people not only lose their credibility, but spoils the image of other Indian companies which are doing very good in the field
PS : @rohan_shenoy
There is some small bug in your blog's comment page. It is not javascript, something with PHP itself. I think there is a space or "echo" or some redirection set wrong in the file /home/mhtcet/public_html/w3hobbyist.com/admin/config.php . Even a blank line can cause it. The comments goes to db it seems but fails to load the next page (due to the header issue)
Offtopic : I guess w3hobbyist.com is a parked / add-on domain ? If so, I strongly recommend you to make it separate web space as it will do better with search engines ? Please ignore if it is not.
victor_rambo
हॉर्न ओके प्लीज़
@Gary
If its negative publicity, its for the Indus firm. The way they designed such as high-profile made them "deserve" such kind of publicity.
@Din,
If the firm has outsourced the services, it is still responsible for the mess because the services were sought from the "firm". It is not a case of reference of a freelancer from a firm. The firm is responsible for web design and programming.
EDIT: Din, since you are PHP-MySQL programmer, I think you will better understand the issue.
and yeah, that for those tips. It is an addon domain.
If its negative publicity, its for the Indus firm. The way they designed such as high-profile made them "deserve" such kind of publicity.
@Din,
If the firm has outsourced the services, it is still responsible for the mess because the services were sought from the "firm". It is not a case of reference of a freelancer from a firm. The firm is responsible for web design and programming.
EDIT: Din, since you are PHP-MySQL programmer, I think you will better understand the issue.
and yeah, that for those tips. It is an addon domain.
victor_rambo
हॉर्न ओके प्लीज़
Even if its ASP, the same exploit wud work.
Are you calling PHP dirty
no wayya......I agree to your views.
Why would a company prosecute a white-hat? That's ridiculous! Black-hats, however, will be prosecuted to the full extent of the law.
Just to clarify, at no point in time were the personal details of forum members at risk of being stolen or exploited. This forum is on a different database and a different CMS with a completely different admin login.
Just to clarify, at no point in time were the personal details of forum members at risk of being stolen or exploited. This forum is on a different database and a different CMS with a completely different admin login.
OP
iMav
The Devil's Advocate
absolutely
damn that means even if hacked (which I dont know how to) I wouldn't have been able to send you to Shameful Misery, oh damn!
victor_rambo
हॉर्न ओके प्लीज़
Thank you
Yes the user details which could be stolen were of registered users of the site, not the forum.
tuxfan
Technomancer
Good work in terms of technology / web security. But you have committed a criminal act under Indian Information Technology Act by hacking into a system! This makes you liable for imprisonment as well as fine! As far as I remember it is 5 yrs and 1 lakh.
Your intention doesn't matter! Whether you actually caused any damage or not doesn't matter! As soon as you hack in, you have committed a criminal act under the IIT Act.
Be careful mate.
blackpearl
The Devil
@tuxfan: It's alright bro, nobody his pressing charges on him. He is fine.
@rohan: You should now target chip-india.in website. About a year or two ago, their old site had a staggering number of silly security loopholes. Forum members used to regularly discover them every couple of weeks. I bet they still have vulnerabilities even on their new site.
@rohan: You should now target chip-india.in website. About a year or two ago, their old site had a staggering number of silly security loopholes. Forum members used to regularly discover them every couple of weeks. I bet they still have vulnerabilities even on their new site.
victor_rambo
हॉर्न ओके प्लीज़
Thanks for your concern mate. But I know the loopholes which I am obviously not discussing out hereGood work in terms of technology / web security. But you have committed a criminal act under Indian Information Technology Act by hacking into a system! This makes you liable for imprisonment as well as fine! As far as I remember it is 5 yrs and 1 lakh.
Your intention doesn't matter! Whether you actually caused any damage or not doesn't matter! As soon as you hack in, you have committed a criminal act under the IIT Act.
Be careful mate.
And yeah, in the Court of Law, Intention DOES matter. They say:
"If a doctor gives a medicine with an intention to harm the patient, the doctor is a criminal even if the medicine does not cause harm. In the same way, if a doctor gives a poison with the intention of curing the ailment, it is not a crime."
Obviously you have to have something to PROVE your intention, which I already have.
- Status