Another sad story with Banglalion WiMAX

Recently, I changed my internet provider from Citycell Zoom to Banglalion. A few days ago a girl from Citycell asked me, “Why aren’t you using Zoom internet anymore?” I answered, “Why should I?” While I was using Zoom internet, I suddenly noticed that I could see the user profile and usage history of other users on their Online Self Care site in a tricky way, which means other users could see my history if they knew the trick. It was nothing harmful for users, but obviously they were not taking care of my personal information.

I then left Zoom and planned to buy a Banglalion WiMAX connection. It took more than 24 hours to activate my account, although I had heard they usually take 3-4 hours. I had to spend at least 4-5 hours in the sales centre. They kept giving me a wrong password again and again. I had to contact their customer care to get the correct password, but unfortunately the representative also gave me the same wrong password. After calling their customer care several times and talking with a senior person several times, I was finally able to activate my connection after spending more than a day on it.

Even after all this harassment I was happy enough to use this new connection because it was very fast but cheap. One day, while I was refilling my account online, I noticed that I could pay my bill without buying any prepaid card or entering a serial number and PIN. I was shocked again. There were some hidden menus which were functional. Developers often think their users won’t see what is not shown to them. So, when a manager asks them to get rid of a feature, they simply hide it. Hiding is not the same as removing. If you really need to hide something, it is better to remove it entirely.
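The difference between hiding a feature and removing it, as an added example (not Banglalion's code and not from the original post). The route names, card data and the `buildApp` helper are hypothetical; the app is modelled as plain functions so it runs offline.

```javascript
// Constructed model of a self-care billing app. Routes, names and card data
// are hypothetical and exist only for this example.
const CARDS = new Map([["SN-1001", { pin: "4321", value: 500, used: false }]]);

// Normal refill: the account is credited only for a valid, unused card.
function redeemCard(account, { serial, pin }) {
  const card = CARDS.get(serial);
  if (!card || card.used || card.pin !== pin) {
    return { status: 402, body: "invalid card" };
  }
  card.used = true;
  account.balance += card.value;
  return { status: 200, body: "refilled" };
}

// Retired feature: credits the account with no proof of payment.
function creditWithoutCard(account, { amount }) {
  account.balance += Number(amount);
  return { status: 200, body: "refilled" };
}

function buildApp({ removeRetired }) {
  const routes = new Map([["/refill/card", redeemCard]]);
  // "Hide only": the handler stays registered and is merely left off the menu.
  if (!removeRetired) routes.set("/refill/manual", creditWithoutCard);
  const menu = ["/refill/card"]; // what the page renders in both builds
  const handle = (path, account, params) => {
    const handler = routes.get(path);
    return handler ? handler(account, params) : { status: 404, body: "not found" };
  };
  return { menu, handle };
}

// Sends a request straight to the retired path instead of using the menu.
function demo(removeRetired) {
  const app = buildApp({ removeRetired });
  const account = { balance: 0 };
  const res = app.handle("/refill/manual", account, { amount: 500 });
  return {
    menuShowsIt: app.menu.includes("/refill/manual"),
    status: res.status,
    balance: account.balance,
  };
}

console.log("hidden only:", demo(false)); // request succeeds, balance changes
console.log("removed:    ", demo(true));  // 404, balance untouched
```

In both builds the menu is identical; only the build that unregisters the handler refuses the request.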

Before playing with the self care site, I tried some basic SQL injection on their admin site. The question is, how did I get the admin site URL? It’s not a public one and there is no link to it on their public site. I got it from the sales centre. As I said, I had to spend long hours in one of their authorised dealers’ shops. I remembered the URL when they were struggling to activate my account. There are still some developers who consider their users dumb. They think their admin site is protected because no one will find it to attack. I have also seen some site owners who want their admin URL to be hard to remember for the same reason. They think it increases security. Does it really? Where do we keep our money, in a locker or in a cave? However, here is how the admin site was vulnerable to a simple SQL injection attack:

Readers, don’t try the above tricks at home. I reported these issues to Banglalion before disclosing them publicly. They have confirmed to me that the problems have been fixed.

How to remove evercookie from Firefox

Samy, the father of the MySpace worm (aka samy worm) recently released a new technique to persist cookies virtually forever in a browser. He named it evercookie.

“evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.” – described by Samy.

While people are looking for ways to remove this cookie from their browsers, Samy is trying to improve it by adding more new techniques. Currently, during its cookie creation, it tries to store the cookie in different places in your browser using 13 mechanisms, so that just clearing the browser’s cookies doesn’t remove evercookie. It’s so powerful that even many smart users will not be able to clear it, and general users are far behind. HTML5’s session storage, local storage, global storage, and database storage via SQLite make it more persistent. Some security researchers have already identified how it can be removed in Safari and Chrome, but not yet in Firefox. The technique I am going to describe works in Firefox 3.6 with Samy’s current version.

  1. Go to Samy’s evercookie demo page. Click on “Click to create an ever cookie”. Make sure evercookie is stored in every place except ‘userData’ storage (it’s for IE). You may need to click on ‘click to rediscover cookies’ a few times to store it in every place.
  2. Open another tab and close the first (Samy’s) tab.
  3. Now open the Silverlight Home Page and delete the Silverlight Isolated Storage. To delete it, right click any Silverlight application, then Silverlight > Application Storage > Select the website samy.pl > Click on Delete… and finally click on ‘Yes’.
  4. Then open the Flash Website Storage Settings panel page and remove the Flash Local Shared Objects (LSO) stored from Samy’s domain.
  5. Press Ctrl+Shift+Del (alternatively go to Tools > Clear Recent History). Select ‘Everything’ from the ‘Time range to clear’ dropdown, check every item in the ‘Details’ list and finally click on the ‘Clear Now’ button.
  6. Now go to Samy’s page again and verify that the evercookie is removed completely.

Note that the sequence of the steps is very important for removing any evercookie in Firefox.
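Why partial clearing fails and why the tab is closed first, as an added model (not Samy's code and not from the original post). Each key stands in for one storage mechanism, the store names are labels only, and it is an assumption of the model that a script in a tab left open can run again between cleanup steps.

```javascript
// Simplified model of the respawn behaviour quoted above. Each key stands in
// for one browser storage mechanism; names are labels, not evercookie's API.
const PLUGIN = ["flashLSO", "silverlight"];
const BROWSER = ["httpCookie", "localStorage", "sessionStorage", "sqliteDb"];
const ALL = [...PLUGIN, ...BROWSER];

// The tracking script's load routine: if any copy survives, it is written
// back to every store; only when all are empty is a fresh id issued.
function pageLoad(stores, freshId) {
  const survivor = ALL.map((n) => stores[n]).find((v) => v !== null);
  const id = survivor ?? freshId;
  for (const n of ALL) stores[n] = id;
  return id;
}

// Step builders for a cleanup sequence.
const wipe = (names) => (stores) => { for (const n of names) stores[n] = null; };
// Assumption: the script in a tab left open runs again between cleanup steps.
const openTabRuns = (stores) => { pageLoad(stores, "unused"); };

// First visit sets "id-A" everywhere, the steps run, then the user returns.
// Getting "id-A" back means the user is still recognised.
function revisitAfter(steps) {
  const stores = Object.fromEntries(ALL.map((n) => [n, null]));
  pageLoad(stores, "id-A");
  for (const step of steps) step(stores);
  return pageLoad(stores, "id-B");
}

const cookiesOnly = revisitAfter([wipe(["httpCookie"])]);
const tabLeftOpen = revisitAfter([wipe(PLUGIN), openTabRuns, wipe(BROWSER)]);
const pageSequence = revisitAfter([wipe(PLUGIN), wipe(BROWSER)]);
console.log({ cookiesOnly, tabLeftOpen, pageSequence });
```

Only the last sequence, with no script running between the plugin and browser cleanup, returns a fresh identifier.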

Facebook privacy hack: see hidden photos of Facebook users

Sometimes you may wish to see the photos of a certain Facebook user but you cannot, as the target person is not directly your friend and not even a friend of your friends. You cannot see much information about that user when you go to her profile page. Maybe you just see the ‘Info’ tab saying “<Name> only shares some of her profile information with everyone. If you know <Name>, send her a message or add her as a friend.” Sometimes you may find the ‘Wall’ tab as well, just like in the following image.

[Image: facebook-hidden-photo-tab]

You see the ‘Photos’ tab is missing but you want to see her photos. You know the photo privacy settings have 4 options:

  1. Everyone
  2. Friends of Friends
  3. Only Friends
  4. Customize

‘Friends of Friends’ is the default setting. We are assuming that the above person has not changed her privacy settings for photos. But as you are not her friend and not even a friend of her friends, you are still not eligible to see her photos. Don’t be disappointed, there is a way to reveal them. Follow the steps:

  1. Log in to Facebook
  2. Search for your target person
  3. Go to her profile page
  4. Copy the following code, paste it into the browser’s address bar and hit the ENTER key.
javascript:(function(){CSS.removeClass(document.body,%20'profile_two_columns');tab_controller.changePage("photos");})()

You may find something like:

[Image: facebook-revealed-photo-tab]

Well, I personally did not discover the code we are using here. If you want to read the main post on this topic, please see “New Trick to View Hidden Facebook Photos and Tabs”.

After more investigation into this privacy hack, I have found some more interesting things in Facebook. It is actually possible to see almost every piece of information about a Facebook user without logging in to the system, provided the information is not blocked by privacy settings. Obviously it is not necessary to be a friend of the target user; you just need to know the profile ID, which is not a private thing at all. If you are interested, you can hit the following URLs:

http://www.facebook.com/ajax/typeahead_friends.php?u=764294709&__a=1

http://www.facebook.com/ajax/profile/tab.php?__a=1&id=582564772&v=wall

http://www.facebook.com/ajax/stream/profile.php?__a=1&profile_id=1089458693