Hey Hackers and BarCampers.

BharatMatrimony.com Hack

A few days (months, it was Feb!) back I posted the e-mail below, saying that India's leading matrimonial website (not revealing the name; it was BharatMatrimony.com!) had a security loophole on its login page! BM has 1.5 crore+ members (source: Bharatmatrimony.com --> About us).

Finally uploading the video (I captured the videos when the site was open with the security loophole). BM has not approached me in many days, nor have they taken care to revert. However, more importantly, it seems the reported issue is fixed, and I think it's good to put up 'How it was done' in the hope that you find it interesting and that it may prevent such a mistake on your website. :)

Funnily enough, it was Valentine's Day. I was supposed to go to Y! Hackday but couldn't due to some time conflicts, and I was searching for my (would-be) life partner, but found a bug :) Poor me :(

Cheers and Happy Hacking :)
-Raxit Sheth

On Fri, Feb 13, 2009 at 12:36 PM, raxit sheth wrote:

Hi Hacker!

Just in lazy time, I successfully found and exploited XSS on a leading matrimonial site!

What it is doing (exploit):

1. I am sending the Classic Membership URL as a free Valentine's Day offer to find your life partner! [This is the trick: to send a specially crafted URL! Please note it is not a dummy site, or a URL of my website. It is the matrimonial website only, where I was able to find XSS!!!]
2. The user goes to the matrimonial site using the URL to grab
3. Enter their id, pwd. Id, pwd will be e-mailed to me :) [Without the end user knowing!!! :)]
5. I am redirecting the user to login again!

Do you want to grab the Valentine offer???

Happy Hacking :)
-Raxit Sheth

_______________________________________________
OWASP-Mumbai mailing list

amit 11.05.09 12:58

It's not surprising that big portals like these have such people in employ who don't know anything about security & such are their supervisors! This same kind of security hole was in the Indiatimes Shopping portal too 4 years back, which was reported first by a fellow blogger & about later. First Indiatimes didn't pay any attention & when my blog post came up towards the top in SERPs then I was contacted by a guy from the Times group. They fixed the hole a few days after that, eh!!

-- My online profile @
Progress in one's own language is the root of all progress; without knowledge of one's own language, the ache of the heart does not go away. -- Bharatendu Harishchandra

dutta.navin 11.05.09 23:20

It is shocking to see how carefree these guys are. I remember around 3-4 years back I reported some bugs at some well-known univ portals (yes, portals, not just one portal) where they host, monitor, and admin university results and admission details. It was so vulnerable that by using some XSS and SQL injection the results could be manipulated. Despite bringing it to their attention no action was taken and it was unresolved for ages! I remember Wipro's corporate connection portal's security was horribly weak. The admin password was something so strong: logitech.

The top middle management focuses more on getting the work done cheap. To spice the curry, anything brought to their attention is taken casually. I hope this changes someday!

-- Navin Dutta (+91 9999 008 927)

Ron Upad 14.06.09 11:57