How I hacked all the [REDACT] Agents' accounts


Disclaimer

Neeraj Sonaniya
Oct 17, 2017 · 4 min read

The sole purpose of this article is educational and for testing of your own applications. This is not intended for piracy or any other non-legal use.

Introduction:

Since the company doesn't allow disclosure, I will keep the company name [REDACT].

The POS application is used by [REDACT] agents for top-up and SIM activation. When an agent registers with [Redact], they need to verify their details, and hence have to provide documents like an Aadhaar card, address proof ID, or voter ID. After all verification, [Redact] gives the agent a USER ID and USER PASSWORD. The USER ID generally has 10 digits and starts with 068, so an agent's USER ID looks like 068XXXXXXX, where X is any number from 0 to 9.

So, now we have the USER IDs of all the agents; what next? The next step is to find the passwords for those agents' user IDs.

After some searching about the password, I luckily found a person who works with the same company as a retailer. When I asked him his password for the POS application, he told me the password, which is `Zxq@1XXX`. At the same time I also found another person using that application, and I got the same password from him too.

So, what next?

Immediately after getting this information I downloaded the POS application and set up a proxy to capture the requests from that app using Burp Suite.

Captured Request in Burp Suite:

Here MacID is the Media Access Control (MAC) address of the device.

I immediately sent that request to Burp Suite Intruder and changed the last 4 digits of the UserID, using the default password for all the UserIDs.

What I got in response:

Response length → 9500 [approx.] → Sign-in success

Response length → 330 → Sign-in failure

Failure Response

Approx. 3000 IDs out of 9000 have the default password.

After that I immediately set the Burp Intruder request to the last 6 digits, and found that approx. 26,000 accounts out of 90,000 are vulnerable to this.
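From the defender's side, the pattern above (one default password tried once against thousands of sequential UserIDs) never trips a per-account lockout, so the thing to watch in sign-in logs is the number of distinct UserIDs a single source touches. The following detector is an added example written for this article, not code from the original post or from [Redact]; the log line format and the sample entries are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in log (not from the original post). The line
# format "timestamp src_ip MacID UserID result" is an assumption.
SAMPLE_LOG = """\
2017-10-01T10:00:01 203.0.113.5 AA:BB:CC:DD:EE:01 0681234567 FAIL
2017-10-01T10:00:02 203.0.113.5 AA:BB:CC:DD:EE:01 0681234568 FAIL
2017-10-01T10:00:02 203.0.113.5 AA:BB:CC:DD:EE:01 0681234569 OK
2017-10-01T10:00:03 203.0.113.5 AA:BB:CC:DD:EE:01 0681234570 FAIL
2017-10-01T10:00:03 203.0.113.5 AA:BB:CC:DD:EE:01 0681234571 FAIL
2017-10-01T10:00:04 203.0.113.5 AA:BB:CC:DD:EE:01 0681234572 OK
2017-10-01T10:05:09 198.51.100.7 AA:BB:CC:DD:EE:02 0689999999 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (068\d{7}) (OK|FAIL)$")  # 10-digit IDs starting 068, per the post

def parse(log):
    """Turn log text into (ts, ip, mac, uid, result) tuples; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, mac, uid, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, mac, uid, result))
    return events

def find_enumeration(events, window=timedelta(minutes=1), max_ids=4):
    """Flag sources that tried more than max_ids DISTINCT UserIDs in a sliding
    window. Per-account lockout never fires here (one attempt per account), so
    the tell is the spread across IDs; keyed on (ip, MacID) together."""
    by_source = defaultdict(list)
    for ts, ip, mac, uid, _ in events:
        by_source[(ip, mac)].append((ts, uid))
    alerts = {}
    for src, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {uid for _, uid in attempts[start:end + 1]}
            if len(distinct) > max_ids:
                alerts[src] = max(len(distinct), alerts.get(src, 0))
    return alerts

def compromised_accounts(events, alerts):
    """Successful sign-ins from a flagged source: force a reset and review."""
    return sorted({uid for _, ip, mac, uid, r in events if r == "OK" and (ip, mac) in alerts})
```

Running it on the sample flags the first source (6 distinct IDs in 4 seconds) and returns the two accounts it signed into, while the second source, which simply signed in once, stays clean.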

After that I immediately contacted [Redact] via Twitter/email but didn't get any response. But I am really thankful to HackerOne, who helped me reach [Redact] via its Disclosure Assistance Program.


What details I got:

→ Aadhaar card numbers
→ Email addresses
→ Agents' account secret keys
→ Permanent address
→ Mobile number
→ Details of the customers they recharged
→ All of the agents' documents in PDF format, and many more.


What any bad guy can do with these details:


[Redact] rewarded me a bounty of $100, which I think is not a sufficient bounty for hacking all the agents' details described above.


I have written all this a 2nd time. I was excited to share this finding, and I asked them nicely, with a PRIVATE writeup, whether I could share it. When I sent them the writeup without disclosing the issue, after some time I got a call from their Vice President of Security. He threatened me and said that if I disclose this publicly then he will file a complaint with the Cyber Crime Investigation Department, and that "we also have all the logs of brute-forcing the IDs from your IP address."

The only thing which triggered me to share this is that I asked him nicely with good intentions, and he started yelling at me and threatening me. I felt bad because I actually helped them.

When I questioned them that the bounty is too low compared to the impact of the issue I reported, he falsely promised me that they would make my career with their organization. When I messaged him, he didn't reply to me (initially he told me to stay in touch with him).

I ethically wanted to help them and even helped them, but they don't care, and even India doesn't care about the information security of the public. They don't want to lose their prestige and hence don't want to disclose any vulnerability. They all want their work for free.


Neeraj Sonaniya

Whitehat security researcher
