Wednesday, April 20, 2016

JUSTDIAL.COM HACKED BY HEY24SHEEP


Using God Mode Character "Apostrophe" :)
This is a POC. JustDial.com - POC - SQL Injection & No Validation/Authentication Code
Today, I am going to show you a major security issue at one of the most famous and biggest companies, Just Dial (justdial.com). This all happened last month: I was searching for something on their website, came across and discovered a flaw in their system, and being a software engineer I wasn't able to resist exploiting it :).

Note: Being a responsible software engineer, I reported the issue to Just Dial and it is patched now.

What was the security flaw?
Well, the most common of all: SQL Injection, plus the worst validation code ever. Yes, their main login page was vulnerable to SQL-I, and on top of that there was no code to validate user input (you will see further on what I mean). We all know that the main login is connected to the main database, and hence, JACKPOT!! You can access their main database with all the information related to employees, vendors, users, passwords, orders, and so on and so forth.

It was funny that a big company like Just Dial, with millions of users around the world, has a website that is so bad and poorly developed. Anyway, when I came to know that something was wrong, I switched from my normal "Casual Mode" to "Hacking Mode" :D . As the GOD Character of SQL Injection is the apostrophe ', I used it first, and then I started writing different SQL commands and different combinations of scripts, numbers, garbage characters, etc.

If you visit justdial.com, you will see that the Login Screen contains two fields, "Mobile" and "Password", so basically the developers were lazy or they didn't know how to validate the "Mobile" field as "Number Only". Anyway, as you can see, I am logged in as the "User" "' and 1=1 --" and this is actually a "Vendor's Account". So, basically, this was it. I am attaching some more screenshots of different commands and their results.
Here is another Vendor account :)

Further into a Vendor account just to confirm if I was really logged in.

Another Vendor :)
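To make the two defects described above concrete (input pasted into the SQL text, and a "Mobile" field that accepts anything), here is an added example that is not code from the post or from Just Dial. It builds a small in-memory SQLite user table (constructed data), shows the concatenation anti-pattern beside a hardened login that validates the mobile field as digits only and uses a parameterized query, and feeds the post's own "' and 1=1 --" input through both. The table layout, column names and sample rows are assumptions for the demo; the plaintext password column exists only so the example stays short (a real login stores a password hash).

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the site's user table (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, mobile TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (mobile, password, role) VALUES (?, ?, ?)",
        [("9000000001", "vendor-secret", "vendor"),
         ("9000000002", "user-secret", "user")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(mobile, password):
    """The anti-pattern: user input becomes part of the SQL text itself.

    With the post's input "' and 1=1 --" the apostrophe closes the string
    literal and "--" comments out the rest of the line, so the password
    predicate never reaches the database engine.
    """
    return (f"SELECT id, role FROM users WHERE mobile = '{mobile}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, mobile, password):
    """Runs the concatenated query; returns (id, role) or None."""
    return conn.execute(build_vulnerable_query(mobile, password)).fetchone()


MOBILE_RE = re.compile(r"[0-9]{10}")  # assumed format: exactly ten digits


def validate_mobile(mobile):
    """Rejects anything that is not a ten-digit number before it nears SQL."""
    if not MOBILE_RE.fullmatch(mobile):
        raise ValueError("mobile must be exactly 10 digits")
    return mobile


def login_hardened(conn, mobile, password):
    """Validates the mobile field, then binds both values as parameters.

    Bound parameters are passed to SQLite as data, never parsed as SQL, so an
    apostrophe or a "--" in either field is just characters to compare.
    """
    mobile = validate_mobile(mobile)
    return conn.execute(
        "SELECT id, role FROM users WHERE mobile = ? AND password = ?",
        (mobile, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("' and 1=1 --", "x"))
    try:
        login_hardened(db, "' and 1=1 --", "x")
    except ValueError as exc:
        print("hardened login rejected the input:", exc)
    print(login_hardened(db, "9000000001", "vendor-secret"))
```

Printing the built query string is the quickest way to see the problem: everything after the injected "--" is gone, so the vulnerable code is comparing nothing but whatever the attacker wrote into the mobile field. The hardened path fails closed twice, first on the digits-only check and then, for any input that does get through, by binding the values instead of splicing them into the statement.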

So, that is it, guys. As you can see, this was a really serious issue, and the users who trusted Just Dial to keep their information private didn't know that it wasn't secure at all, not even at a basic authentication level.

I do want you guys to know that I emailed Just Dial to let them know that there is a flaw, and I didn't get any reply from Just Dial: no emails, no calls, no thank-you email, nothing. But they did fix it without letting me know or updating me, not even a courteous thank-you email or call.

You can hire me for full-time/freelance custom software/web development, security analysis and graphic design work.

Follow me on @MRKN_Destroy
Email me at : hey24sheep@gmail.com.

Check my wonderful FREE app for Deaf and Mutes -- (Search for "NEETTECH")
Text Is Speech and Text Is Speech Pro
Android: https://goo.gl/iqF4nW
Windows : https://goo.gl/jOf6sX
Windows (Pro Version- Paid) : https://goo.gl/e1l637
