Another sad story with Banglalion WiMAX

Recently I changed my internet provider from Citycell Zoom to Banglalion. A few days ago a girl from Citycell asked me, “Why aren't you using Zoom internet anymore?” I answered, “Why should I?” While I was using Zoom internet, I noticed that I could see the user profile and usage history of other users on their Online Self Care site through a simple trick, which means other users could see my history if they knew the trick. It was nothing harmful for users by itself, but it showed that they were not taking care of my personal information.

I then left Zoom and planned to buy a Banglalion WiMAX connection. It took more than 24 hours to activate my account, although I had heard they usually take 3-4 hours. I had to spend at least 4-5 hours in the sales centre. They kept giving me a wrong password. I had to contact their customer care to get the correct password, but unfortunately the representative gave me the same wrong password. After calling customer care several times and talking with a senior person several times, I was finally able to activate my connection after more than a day.

Even after all this harassment I was happy enough with the new connection because it was fast and cheap. One day, while refilling my account online, I noticed that I could pay my bill without buying a prepaid card or entering its serial number and PIN. I was shocked again. There were hidden menus that were still functional. Developers often assume that users won't see what the developers don't show them. So when a manager asks to get rid of a feature, they simply hide it. Hiding is not the same as removing: the server-side code behind a hidden menu still accepts the request from anyone who knows, or guesses, the URL or form field. If you really need to hide something, remove it entirely.
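The following is an added illustration of the hidden-versus-removed point, not Banglalion's self-care code: the menu honours a feature flag, but the vulnerable dispatcher keeps every handler registered, so a hand-built request for the "hidden" direct-credit action still credits the account. The fixed version drops the handler and checks the flag server side. The action names, the feature flag, the card pool and the account structure are all assumptions for the demo.

```python
"""Hidden is not removed: a feature that is only hidden in the menu is still
reachable by anyone who sends the request directly.

Added illustration; this is NOT Banglalion's self-care code. The action
names, the feature flag and the account/card data are assumptions."""

from dataclasses import dataclass, field

# Feature flags as the operator would set them. "direct_credit" is the menu
# entry management asked to get rid of: credit the account without a
# prepaid card serial and PIN.
FEATURES = {"card_topup": True, "direct_credit": False}

# Constructed sample data: (serial, pin) -> card value. A card is redeemable once.
VALID_CARDS = {("1234567890", "9876"): 500}


@dataclass
class Account:
    user: str
    balance: int = 0
    history: list = field(default_factory=list)


def card_topup(acct, params):
    """Legitimate top-up: requires a valid, unused prepaid card."""
    key = (params.get("serial", ""), params.get("pin", ""))
    amount = VALID_CARDS.pop(key, None)
    if amount is None:
        raise PermissionError("invalid or already used card")
    acct.balance += amount
    acct.history.append(("card_topup", amount))
    return amount


def direct_credit(acct, params):
    """The 'removed' feature: credits any amount with no card at all."""
    amount = int(params["amount"])
    acct.balance += amount
    acct.history.append(("direct_credit", amount))
    return amount


def render_menu(flags):
    """What the browser shows: only enabled features appear in the menu."""
    return [name for name, on in flags.items() if on]


# --- Vulnerable: menu hides the feature, dispatcher still serves it ---------
HANDLERS_VULN = {"card_topup": card_topup, "direct_credit": direct_credit}


def dispatch_vulnerable(acct, action, params):
    handler = HANDLERS_VULN.get(action)
    if handler is None:
        raise KeyError(f"unknown action {action!r}")
    return handler(acct, params)   # no flag check: hidden != removed


# --- Fixed: handler removed AND flag enforced on the server -----------------
HANDLERS_FIXED = {"card_topup": card_topup}


def dispatch_fixed(acct, action, params, flags=FEATURES):
    if not flags.get(action, False):
        raise PermissionError(f"action {action!r} is not available")
    handler = HANDLERS_FIXED.get(action)
    if handler is None:
        raise KeyError(f"unknown action {action!r}")
    return handler(acct, params)


if __name__ == "__main__":
    crafted = {"amount": "100000"}          # hand-built POST body, no card
    print("menu shows:", render_menu(FEATURES))
    a = Account("subscriber")
    dispatch_vulnerable(a, "direct_credit", crafted)
    print("vulnerable balance after crafted request:", a.balance)
    b = Account("subscriber")
    try:
        dispatch_fixed(b, "direct_credit", crafted)
    except PermissionError as e:
        print("fixed rejects:", e)
```

The test of whether a feature is gone is not the menu but the dispatcher: send the request the menu would have sent and confirm the server refuses it.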

Before playing with the self-care site, I tried some basic SQL injection on their admin site. How did I get the admin site URL? It is not public and there is no link to it from their public site. I got it from the sales centre. As I said, I had to spend long hours in one of their authorised dealers' shops, and I remembered the URL while they were struggling to activate my account. There are still developers who assume their users are dumb. They think their admin site is protected because no one will find it to attack. I have seen site owners who want their admin URL to be hard to remember for the same reason, believing it increases security. Does it really? Where do we keep our money, in a locker or in a cave? An unlinked URL is not a secret: it is typed in front of customers at every dealer and ends up in browser history and proxy logs, so it cannot stand in for authentication and input validation. Here is how the admin site was vulnerable to a simple SQL injection attack:
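The original post's evidence (the actual request or screenshot) is not reproduced here. As an added illustration of the bug class named above, and not Banglalion's code, here is an admin login that concatenates user input into SQL, beside the parameterised fix, against an in-memory SQLite table. The table, column names and credentials are constructed for the demo.

```python
"""SQL injection in a login form: string-built query vs bound parameters.

Added illustration; this is NOT Banglalion's admin code. The schema and
the sample credentials are made up for the demo."""

import sqlite3


def make_db():
    """In-memory admin table with constructed sample rows.
    (A real table would store password hashes, not plaintext; kept plain
    here only so the injected query is easy to read.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)",
                     [("admin", "S3cret!"), ("ops", "rotate-me")])
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled text is spliced into the SQL grammar.
    username = "admin' --" turns the query into
    ... WHERE username = 'admin' --' AND password = '...'
    so the password clause is commented away."""
    sql = ("SELECT username FROM admins WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Bound parameters: the driver sends the values separately, so a quote
    or comment marker in the input is just data."""
    row = conn.execute(
        "SELECT username FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("admin' --", "' OR 1=1 --"):
        print(repr(payload),
              "vulnerable ->", login_vulnerable(db, payload, "wrong"),
              "| fixed ->", login_fixed(db, payload, "wrong"))
```

The two payloads are the "basic" injections the post refers to: one names the account and comments out the password check, the other needs no username at all and simply makes the WHERE clause true for every row. Hiding the admin URL changes nothing about either; only the parameterised query does.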

Readers, don't try the above tricks at home. I reported these issues to Banglalion before disclosing them publicly, and they have confirmed to me that the problems have been fixed.