5. I found hundreds of infected #android apps with a #Coinhive miner: http://cdn.androidapk.world/downloads . The site is still up.
https://twitter.com/fs0c131y/status/949781296187871232
Elliot Alderson Retweeted Elliot Alderson
6. @makemytrip is tracking its users without their consent. 8 days after this tweet, they didn't make a public statement or contact me. https://twitter.com/fs0c131y/status/950801774776082432
Elliot Alderson added,
Elliot Alderson @fs0c131y: 1. Hi @makemytrip! Why are you retrieving user data without their consent?
Your #android app is making an http request to http://metric.makemytrip.com with the following unencrypted data:
- email
- device name
- phone build version
- OS version
- network type
- ...
pic.twitter.com/4wj6vxDzit
7. The password of the local database in the official #Aadhaar #android app is always the same. 7 days after, @UIDAI didn't make a public statement or contact me. https://twitter.com/fs0c131y/status/951154909189230593 https://twitter.com/fs0c131y/status/952643583298777088
8. @UIDAI don't know how to sign an app correctly. They didn't make a public statement or contact me. https://twitter.com/fs0c131y/status/951786093074100225
9. I found 2 "test apps" on the official @UIDAI #playstore account. They didn't contact me but removed the apps a few minutes after my tweets. https://twitter.com/fs0c131y/status/952574247594901509
Elliot Alderson added,
Elliot Alderson @fs0c131y: Hi @UIDAI! Do I have to explain to you how real #Android developers are working? On his official #Playstore account, @UDAI published today an app called "NewTest" with blank screenshot and testingtestingtesting[...] as description #AadhaarFail pic.twitter.com/e0iRWeesBd
10. Found 2 ways to bypass the password protection in the official #Aadhaar #android app. @UIDAI didn't make a public statement or contact me. https://twitter.com/fs0c131y/status/952826492383383552 https://twitter.com/fs0c131y/status/953184798838853632
Elliot Alderson added,
Elliot Alderson @fs0c131y: Hi my #Indian friends! Let me show you another way to bypass the password protection in the official #Aadhaar #Android app. Once again, in less than 1 minute, an attacker can access your #Aadhaar information without having your password #AadhaarFail pic.twitter.com/J5gM9umHKo
11. After I caught a basic Git error made by @aadhaar_bridge (@KhoslaLabs), they removed their entire aadhaar-bridge repo on #Github. We had a discussion but they didn't explain why they removed it. https://twitter.com/fs0c131y/status/951421920301453312
Elliot Alderson added,
Elliot Alderson @fs0c131y: Hi @KhoslaLabs, @UIDAI! Let me show you the power of git.
If an Android dev wants to integrate AadhaarBridge in his #android app, he will visit this page: https://www.aadhaarbridge.com/products.html Because he is curious, he will click on the "SDK For Android" and the "Sample Application" pic.twitter.com/HKMpquY8yo
12. Found a security issue in the @aadhaarapi's website. They contacted me and fixed the issue. I will disclose the details soon. https://twitter.com/fs0c131y/status/953315051389284352
13. Another bug in the #Aadhaar app. @UIDAI didn't make a public statement or contact me. https://twitter.com/fs0c131y/status/953378017849552903
Elliot Alderson added,
Elliot Alderson @fs0c131y: Bug in the official #Aadhaar #android app. By default, the application asks for the password for each action. In the settings, you can deactivate this password protection. By force quitting the app when you deactivate this mechanism you don't need to enter the password. pic.twitter.com/HJ8PqyIXS1
14. I found 100 malwares signed with the private key of @lorensiuswlt. He contacted me and denied being the author. He said he uploaded his private key on the web a few years ago. https://twitter.com/fs0c131y/status/951965826420154368
15. I found a #coinhive script on @lorensiuswlt's website. He contacted me and took his website offline. https://twitter.com/fs0c131y/status/953203109119123456
16. @safelyfiled, which keeps sensitive docs, records, assets and directives digitally #secure, is vulnerable to a basic #XSS. They didn't make a public statement or contact me. https://twitter.com/fs0c131y/status/952210674045931521
Elliot Alderson added,
Elliot Alderson @fs0c131y: Hi @safelyfiled! Your Twitter bio is: "Keep sensitive docs, records, assets and directives digitally #secure. Tag, note, remind, permit, audit & share. Expert #encryption & controls ensure #privacy." Instead of making such claims, can you fix this basic XSS vuln? pic.twitter.com/DAOzfe3HT6
17. @NewIndianXpress, an #Indian newspaper, is vulnerable to a basic #XSS. They did not make a public statement or contact me. https://twitter.com/fs0c131y/status/952267272776769536
All this work had been done for free (am I stupid?), if you want to support my research and pay me the coffee, feel free to send me BTC to this address 382rGcim5vDpztHyy9EDnvtLuAAasJHrEi

