Another sad story with banglalion wimax

Recently I changed my internet provider from Citycell Zoom to Banglalion. A few days ago a girl from Citycell asked me, “Why aren’t you using Zoom internet anymore?” I answered, “Why should I?” While I was using Zoom internet, I suddenly noticed that I could see the user profiles and usage history of other users on their Online Self Care site in a tricky way, which means other users could see my history if they knew the trick. It was not harmful to users, but obviously they are not taking care of my personal information.

I then left Zoom and planned to buy a Banglalion WiMAX connection. It took more than 24 hours to activate my account, though I heard they usually take 3-4 hours. I had to spend at least 4-5 hours in the sales centre. They kept giving me a wrong password. I had to contact their customer care to get the correct password, but unfortunately the representative gave me the same wrong password. After calling customer care several times and talking to a senior person several times, I was finally able to activate my connection, after spending more than a day on it.

Even after all this harassment I was happy enough to use the new connection, because it was fast but cheap. One day, while refilling my account online, I noticed that I could pay my bill without buying a prepaid card or entering a serial number and PIN. I was shocked again. There were hidden menus that were still functional. Developers often assume that users won’t see what is not displayed. So when a manager asks to get rid of a feature, they simply hide it. Hiding is not the same as removing: a link that is taken off the page is still a working endpoint on the server, and anyone who remembers the URL, finds it in a browser history or guesses it can still call it. If you really need a feature gone, remove it entirely, on the server side and not just in the menu.
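As an added illustration of that last point (not the original post’s code, and not Banglalion’s self care site, whose URLs and code are unknown; the paths and handlers below are hypothetical), here is a toy route dispatcher in which the “hide it” fix removes the link from the menu while the handler keeps working, next to the “remove it” fix that drops the route on the server:

```python
# Hypothetical toy dispatcher; route names are assumed for illustration only.
CARDLESS_PAYMENT_ENABLED = False          # the manager's decision: "get rid of it"

CARD_PATH = "/selfcare/refill/card"       # assumed name
CARDLESS_PATH = "/selfcare/refill/cardless"  # assumed name

def pay_with_card(params):
    """Normal path: credit the account only once a prepaid card serial/PIN is given."""
    if not params.get("serial") or not params.get("pin"):
        return 400, "serial and pin required"
    return 200, "credited after card validation"

def pay_without_card(params):
    """The feature that was supposed to be gone: credits the account with no card at all."""
    return 200, "credited with no card"

def build_routes(enabled):
    """Server-side route table.  Only the "remove it" design consults the flag here."""
    routes = {CARD_PATH: pay_with_card}
    if enabled:
        routes[CARDLESS_PATH] = pay_without_card
    return routes

def render_menu():
    """Both designs hide the link in the UI; on its own this is the whole "hide it" fix."""
    items = [("Refill with prepaid card", CARD_PATH)]
    if CARDLESS_PAYMENT_ENABLED:
        items.append(("Pay without card", CARDLESS_PATH))
    return items

def dispatch(routes, path, params):
    handler = routes.get(path)
    if handler is None:
        return 404, "not found"
    return handler(params)

def handle_hidden_only(path, params):
    """'Hide it': the menu no longer shows the link, but every route is still registered,
    so anyone who types the URL (or remembers it from an old page) gets the feature."""
    return dispatch(build_routes(enabled=True), path, params)

def handle_removed(path, params):
    """'Remove it': the flag is enforced where it matters, in the server's route table."""
    return dispatch(build_routes(enabled=CARDLESS_PAYMENT_ENABLED), path, params)

if __name__ == "__main__":
    print(render_menu())                            # no "Pay without card" item in either design
    print(handle_hidden_only(CARDLESS_PATH, {}))    # (200, ...): hidden, but still working
    print(handle_removed(CARDLESS_PATH, {}))        # (404, ...): gone
```

The check to apply on a real site is the same as in the toy: request the old URL directly, with the link absent from the page, and see whether the server still answers.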

Before playing with the self care site, I tried some basic SQL injection on their admin site. The question is how I got the admin site URL. It is not public and there is no link to it on their public site. I got it from the sales centre. As I said, I had to spend long hours in one of their authorised dealers’ shops. I memorised the URL while they were struggling to activate my account. There are still developers who consider their users dumb. They think their admin site is protected because no one will find it to attack. I have also seen site owners who want their admin URL to be hard to remember for the same reason. They think it increases security. Does it really? An obscure URL is not a secret: it is shown on screen in every dealer shop, it sits in browser histories and proxy logs, and it turns up in directory brute-forcing; it is no substitute for authentication, input validation and access control on the admin application itself. Where do we keep our money, in a locker or in a cave? However, here is how the admin site was vulnerable to a simple SQL injection attack:

Readers, don’t try the above tricks at home. I reported these issues to Banglalion before disclosing them publicly. They have confirmed to me that the problems have been fixed.
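The injection the author found is not reproduced on this page. As an added, generic illustration (not the author’s finding, not Banglalion’s code, and with a constructed admin table), here is the shape of a “simple SQL injection” in an admin login, where user input is concatenated into the query grammar, beside the parameterised query that closes it. It uses Python’s standard sqlite3 module so it runs offline:

```python
import sqlite3

def make_db():
    """Constructed sample data: one admin account in an in-memory database.
    (A real system stores password hashes; plaintext here keeps the query readable.
    Concatenation is just as injectable when the column holds a hash.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'constructed-secret')")
    return conn

def login_vulnerable(conn, username, password):
    """String formatting: whatever the user types becomes part of the SQL statement.
    A username of  admin'--  comments out the password check entirely, and
    ' OR '1'='1 in both fields makes the WHERE clause true for every row."""
    sql = ("SELECT username FROM admins WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterised(conn, username, password):
    """Bound parameters: the driver sends the statement and the values separately,
    so a quote or a comment marker in the input is only ever data."""
    row = conn.execute(
        "SELECT username FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin'-- ", "wrong"))          # admin  (bypassed)
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))  # admin  (bypassed)
    print(login_parameterised(db, "admin'-- ", "wrong"))       # None   (rejected)
    print(login_parameterised(db, "admin", "constructed-secret"))  # admin (real login)
```

The quick check for a login form is a single quote in the username field: an error page or a changed response is the signal that input is reaching the query as SQL rather than as a value.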

Smartphones are increasing security risks

Do you think that:

  • Your cell phone calls are very secure and private.
  • Messaging is more private than voice calls.
  • No one knows where you are.
  • No one around you is seeing your private photos and videos.

If you are using a smartphone with internet access, you are probably wrong. A spy application can do all of the above silently. Such an app does not necessarily have to be installed deliberately on your phone; it can get in by various routes, just as spyware gets onto your computer.

Smartphones considerably increase the risk of being hacked. They have opened another door for hackers to steal our data, in addition to the computer. Today our personal data is no longer computer-centric; we carry it on our phones wherever we go. We access our mail accounts, bank accounts, official sites, business apps, messengers, Facebook, Twitter and other apps directly from our phones. While using these apps, many of us knowingly allow the device to remember our credentials so that we don’t have to re-enter a username and password at every login. “Remember me” on a phone is as risky as on a computer. If someone gets hold of your phone for a few moments, she can read your personal mail secretly, even while sitting in front of you.

For many years, physical access was the only way to steal data from simple phones, because they were not connected to the internet. When vendors started making internet-enabled phones, they made us more likely victims of internet-based attacks. Now we live in the world of the smartphone, and the internet is its heart. It is unthinkable to have a smartphone and not use the internet. Along with internet access, today’s smartphones provide a platform for hosting third-party applications, just like a computer. Those apps can read private data stored on your phone and send it to a server. Now anyone can reach your data through an app, even from another country.

Hackers are thinking about our phones. They are researching mobile attacks. Mobile could someday be the primary focus for attacking us. For instance, many applications now offer the option to reset a password via a mobile phone. Here is how the password recovery/reset process works:

  • The user enters a phone number on the password recovery page.
  • The system finds the associated user account and sends a code by SMS to that phone.
  • That code is either the new password itself or is used to reset the password.

The process is similar to resetting a password via email; instead of an email, an SMS is sent. Although the two are very similar, I think a mobile phone is less secure for this purpose. Anyone around you who has access to your phone can compromise your account silently within a minute. You might think that if someone has access to my email account he can do the same. Yes, that’s true, but there is another thing that makes the mobile phone less secure.

The entire attack can be automated by an app that has access to your SMS. The app can silently submit your phone number on the password recovery page, read the code from your inbox and reset your account. It is just one way your phone can be used as a weapon against you. For whoever implements such a flow, the lesson is that an SMS code proves only that someone can read that phone’s inbox: treat it as one factor rather than the whole proof, keep codes short-lived and single-use, never send the new password itself, and tell the user on another channel that a reset happened.
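As an added example (not any real provider’s code), here is a toy model of the three-step flow above with the minimum server-side limits an implementer should apply: the code is random, bound to one phone, expires, is single-use, is checked in constant time, allows only a few guesses, and is never the new password itself; requests are throttled per number and unknown numbers get the same answer as known ones. The simulated SMS carrier is just a list, and the phone numbers are constructed. These limits contain the damage from a glimpse at the inbox; they do not address an app holding SMS permission on the victim’s phone, which is exactly why SMS should not be the only factor.

```python
import hmac
import secrets
import time

class SmsResetService:
    """Toy SMS password-reset flow (added illustration; constructed data)."""
    CODE_TTL = 300        # seconds a code stays valid, also the throttling window
    MAX_REQUESTS = 3      # reset requests per phone per window
    MAX_ATTEMPTS = 5      # wrong guesses before a code is discarded

    def __init__(self, accounts, clock=time.time):
        self.accounts = {p: dict(a) for p, a in accounts.items()}  # phone -> account
        self.clock = clock            # injectable clock so expiry can be tested
        self.pending = {}             # phone -> {"code", "expires", "attempts"}
        self.requests = {}            # phone -> request timestamps
        self.outbox = []              # simulated SMS carrier: (phone, text)

    def request_reset(self, phone):
        """Step 1 and 2: user submits a number; the system sends a code (never a password)."""
        now = self.clock()
        recent = [t for t in self.requests.get(phone, []) if now - t < self.CODE_TTL]
        if len(recent) >= self.MAX_REQUESTS:
            return False                      # throttled
        self.requests[phone] = recent + [now]
        if phone not in self.accounts:
            return True                       # same answer: don't reveal registered numbers
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.pending[phone] = {"code": code, "expires": now + self.CODE_TTL, "attempts": 0}
        self.outbox.append((phone, "Your reset code is " + code))
        return True

    def complete_reset(self, phone, code, new_password):
        """Step 3: the code authorises exactly one password change, within its lifetime."""
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[phone]
            return False
        if not hmac.compare_digest(entry["code"], str(code)):
            entry["attempts"] += 1
            if entry["attempts"] >= self.MAX_ATTEMPTS:
                del self.pending[phone]       # stop online guessing of a 6-digit code
            return False
        del self.pending[phone]               # single use
        self.accounts[phone]["password"] = new_password
        return True

if __name__ == "__main__":
    phone = "+8801700000000"                  # constructed number
    svc = SmsResetService({phone: {"user": "alice", "password": "old"}})
    svc.request_reset(phone)
    code = svc.outbox[-1][1].split()[-1]       # what an SMS-reading app would pick up
    print(svc.complete_reset(phone, code, "new-pass"))   # True
    print(svc.complete_reset(phone, code, "again"))      # False: already used
```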

Use Gmail+ to find out who is propagating your email address

When I opened my first email account on Yahoo years ago, I didn’t receive as much spam as I get nowadays. Obviously one reason is that spammers are more active than before, but the main reason is ME. If nobody knew my email address, it wouldn’t be possible for them to send me spam (unwanted emails). But that doesn’t mean that everyone who knows my address is sending spam. There are certain people and organisations who send unsolicited emails in bulk to people who have not asked for them.

I simply don’t trust anyone in this regard, not even Facebook. Maybe Facebook is not spreading my address today, but who knows about their future? I am ashamed to say that bdjobs.com, the most popular job site in my country (Bangladesh), is continuously and shamelessly selling its customers’ (employers’, students’, registrants’) email addresses to other people. I unsubscribed from their site several times, but it seems the more often I click the unsubscribe link, the more sure they become that I am actively using that mail account. So they sent more emails, more frequently. It’s nothing new that an unsubscribe link is not always for unsubscribing; quite often it is for confirming that you are actively using your account. So, before clicking an unsubscribe link you can follow this technique, as I do:

Go to the site that sent you spam and find the unsubscribe page. Enter your test email account (one that is not registered on that site) there and wait a few days. If they are collecting or confirming email addresses through their unsubscribe link, you will receive emails in your test account within the next few days. If you get email in your test account, don’t click the unsubscribe link from your original account. I often have some fun if I find a site like this: I put their own contact-us, admin or info email addresses there. I call it a Return Attack.

Let’s come to the post title. How would you know that the spammer got your address from someone you trust? For example, your email address is youremail@gmail.com. You recently registered with facebook.com and twitter.com using this address. Suppose Facebook has sold your address to a spammer. When the spammer sends you spam, you won’t know where she got your address, because the spammer won’t mention the seller’s name in the email. But it is easy to identify the seller: just use youremail+facebook@gmail.com when signing up with Facebook and youremail+twitter@gmail.com with Twitter. Gmail ignores everything from the + up to the @ when delivering, so both addresses land in the same inbox, but the To: header of each incoming message still carries the tag, which tells you which registration leaked. If you didn’t understand this technique at a glance, do some experiments with it.

However, this technique will fail if the seller strips everything after the + (plus) from Gmail addresses before selling them. Two more caveats: some sign-up forms reject a + in an address, and the tag is not a secret, so anyone who sees youremail+facebook@gmail.com can work out the base address or forge a different tag. Treat a tag as a strong hint about the source, not as proof.
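As an added example (not part of the original post), here is how the tag can be recovered automatically from a message’s recipient headers using Gmail’s canonicalisation rules (case folded, dots ignored, the part from + onwards dropped), together with the failure mode just described: a seller who strips the tag leaves nothing to match. The sample messages and the registration table are constructed for the illustration, and Python’s standard email package does the header parsing.

```python
import email
import email.utils

# Constructed sample messages (not real mail), as they would arrive in the inbox.
SPAM_WITH_TAG = """\
From: deals@example.net
To: youremail+facebook@gmail.com
Subject: Limited offer

Buy now.
"""

SPAM_TAG_STRIPPED = """\
From: deals@example.net
To: youremail@gmail.com
Subject: Limited offer

Buy now.
"""

# Tag handed out at each sign-up -> the site that received it (constructed).
REGISTRATIONS = {"facebook": "facebook.com", "twitter": "twitter.com"}

def split_gmail_address(addr):
    """Return (canonical mailbox, tag) for an address.

    Gmail routes on the canonical local part: case-insensitive, dots ignored,
    everything from '+' onwards dropped.  youremail+facebook@gmail.com and
    Your.Email@gmail.com are therefore one mailbox, but the header keeps the tag.
    Other providers are passed through lower-cased with no tag assumed."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain not in ("gmail.com", "googlemail.com"):
        return addr.strip().lower(), None
    base, _, tag = local.partition("+")
    return base.replace(".", "") + "@gmail.com", (tag or None)

def leak_source(raw_message, my_address, registrations=REGISTRATIONS):
    """Name the site whose tag appears on an incoming message, or None."""
    msg = email.message_from_string(raw_message)
    my_base, _ = split_gmail_address(my_address)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    for _name, addr in email.utils.getaddresses(headers):
        base, tag = split_gmail_address(addr)
        if base == my_base and tag in registrations:
            return registrations[tag]
    return None

def strip_plus_tag(addr):
    """What a careful list seller does before reselling: drop the tag.
    After this the trick yields no evidence, which is the failure mode above."""
    local, _, domain = addr.rpartition("@")
    return local.split("+", 1)[0] + "@" + domain

if __name__ == "__main__":
    print(leak_source(SPAM_WITH_TAG, "youremail@gmail.com"))      # facebook.com
    print(leak_source(SPAM_TAG_STRIPPED, "youremail@gmail.com"))  # None
    print(strip_plus_tag("youremail+facebook@gmail.com"))         # youremail@gmail.com
```

A mail filter built on leak_source should look at Delivered-To as well as To and Cc, since bulk senders often put a list address in To and the tagged address only in the envelope.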