As the issue is now fixed, let me disclose the details of the @aadhaarapi vulnerability I found 3 days ago. #wordpressForDummies #Aadhaar #AadhaarFail https://twitter.com/fs0c131y/status/953315051389284352

Nice work! I'm assuming this is just their WP site though, and there wouldn't be any access to #Aadhaar data?
Yes, this is only their website.
Clear, thanks!
I hope they gave you some $$$ for this... You saved them potentially a lot.
right @aadhaarapi?
AFAIK, I received nothing for the moment.
Well, next time someone detects something there, they might not be as nice as you then...
There are absolutely no technical requirements in order to be an Aadhaar Authentication Service Agency. So somebody selling sweets can also be an ASA. Do you really expect these guys to secure any data? https://www.uidai.gov.in/images/resource/eligibility_criteria_for_asa_17122016.pdf
These thugs deliberately leave such holes so that data can leak from numerous sources. This ensures virtually risk-free monetization of user data. Who would you catch when you can't figure where the leak originated from?
One reason why I always put the database credentials out of the web root. Is this on a Windows host? It’s weird that Apache would vend a hidden file
The backup of the config file had a .swp extension, so I believe it would be a Linux host with a LAMP stack installed.
Yes, that was my assumption also. Although Linux and Apache by default hide hidden files (i.e. those starting with a period), the "bug" here looks to be a bad Apache configuration, or files were copied to a Windows host. http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexignore (.??* hides files starting with a period)

And also, make sure vim doesn’t write backup files to your webroot? Or just don’t edit them directly on the server.
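As an added example (not code from the thread, nor from the site concerned), the check a practitioner would run before or after a deploy: a POSIX shell script that walks a web root and flags editor swap and backup files of the kind discussed above (vim `.swp`, `~` backups, emacs autosaves, `.bak`/`.orig` copies, stray `.env` files). The file patterns and the default web-root path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Scans a web root for editor
# leftovers and backup copies that a mis-set autoindex could list, or that a
# direct request could fetch even when the listing hides them.
# The patterns below are an assumed, illustrative set; extend as needed.

# Print every matching file under the directory given as $1, sorted.
find_leftovers() {
    find "$1" -type f \( \
        -name '.*.sw[a-p]' \
        -o -name '*~' \
        -o -name '#*#' \
        -o -name '*.bak' \
        -o -name '*.orig' \
        -o -name '*.save' \
        -o -name '.env' \
    \) 2>/dev/null | sort
}

# Exit status 1 (and a listing on stdout) when anything is found, so the
# function can gate a deploy step; 0 when the tree is clean.
check_webroot() {
    hits=$(find_leftovers "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Usage (assumed path): check_webroot /var/www/html
```

Two caveats that belong with this. `IndexIgnore` (the `.??*` pattern mentioned above) only keeps a name out of the autoindex listing; a request for the exact filename is still served, so the file has to be removed, or denied outright with a `<FilesMatch "(\.swp|~|\.bak)$">` block containing `Require all denied`. For vim specifically, setting `directory` and `backupdir` in your vimrc keeps swap and backup files out of the web root no matter where you open the file.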