Search This Blog

Showing posts with label URL Spoofing. Show all posts

Taxpayers Personal Data Exposed Online in the UK

 

Different local councils in the UK have conveyed SMS to a huge number of citizens to encourage them to cover outstanding sums. The messages contained links to online databases that facilitated lists of different citizens whose information shouldn't be available to any other person. Lamentably, there was no security or any type of verification to keep the leak from occurring, so a large number of UK taxpayers have had their complete names, home addresses, and outstanding debts exposed.

The blunder was the work of Telsolutions Ltd., an organization that has given the contact and communication services to the local councils, which was contracted to urge tax defaulters to pay up. This is a typical strategy that is trailed by private and public entities around the world. Other than the psychological repercussions for the recipients of these messages, there is also the danger of data exposure.  

Other than SMS, the council tax services likewise use emails and surprisingly recorded voice messages. The entirety of this makes the space for tricksters to move in also, as taxpayers having to deal with official communications with their state through third-parties is the ideal setting for trickery. The information of this exposure reached The Register, who checked and affirmed that the information was indeed accessible via the sent short links. The entirety of the shared URLs have been taken offline now as both Telsolutions and some of the authorities were informed about the mistake. However, as the UK press webpage affirms, web crawlers have already caught some of these public entries, empowering individuals to search others and see their addresses, tax debts, etc.

After investigating the enumerable URLs, it was found that London's Bexley Council, a client of the Telsolutions service, had implemented no authentication at all. Anybody could unreservedly see the full details of an alleged tax defaulter in the borough without proving their identity. To see the data of another taxpayer, the recipient should have simply followed the URL from the SMS, modify the alphanumeric characters, and click a button labeled "proceed". 

Altogether, apparently, 14 councils have followed the same erroneous method after trusting the particular service provider. That incorporates Barnet, Bexley, Brighton, Cardiff, Coventry City, Greenwich, Lambeth, Redbridge, Southampton City, and Walsall.

URL Spoofing: Interview With Bug Bounty Hunter Narendra Bhati


On 24th December, E-Hacking News conducted an interesting interview with Mr. Narendra Bhati, a Bug Bounty Hunter/Ethical Hacker. He was recently awarded a total of $20,500 by Apple Security. Narendra also discovered an Address Bar Spoofing Vulnerability in multiple browsers.
 
Q.1 Can you please start by introducing yourself to our readers? 
My name is Narendra Bhati, I’m a Bug Bounty Hunter and Ethical Hacker. I belong to a small town called Sheoganj in Rajasthan. Currently, I’m working as a lead Pentester in Suma Soft Private Limited for the last 7 years. 

Q.2 How do organizations react when you find a bug and go to them? 
Especially Google, Apple, and Hacker One, I believe that the response time has been better than the last time. Nowadays, everyone is working from their home and they can look into the issues quickly as they do not have to go to the office, which saves time. 

Q.3 On your blog Web Security Geeks, you posted about a banking vulnerability, how did you deal with it. Did you try contacting RBI? 
Last year, I had a few bank accounts and I tested these banking apps and found that these applications were vulnerable to very basic hacking attacks. I tried to contact the bank but as these banks do not have any bug bounty program for security, I contacted their customer support service and after 2-3 months, still, no response came. The customer service couldn’t understand what I was trying to explain. But now, four out of 5 banks have fixed the issue, one still remains. In the case of RBI, I was a bit afraid that if I try contacting RBI, it might come back at me asking why did I attest any application. But in similar cases, I’ve found the same issues with the mutual funds’ apps. 

Q.4 Did these banks respond to you or just silently fixed these issues? 
I sent an email to these banks and tried to contact the higher authority via LinkedIn. I found some senior security team and contacted them. Luckily, they were able to understand me and fix the issue within seven days. So basically, it took around 6 months to close the issue. 

Q.5 Many Indian organizations are not ready for opening the Bug Bounty Program. Why do you think it’s not happening here? 
I spent around 2-3 months and found 30+ bugs. I think why the hunters are not interested in the Indian Bug Bounty Program and why it’s not doing good is because the amount of work that hunters invest in finding a bug is not equal to what they are paid. For example, in a typical scenario, an International Bounty program has a price range of $500-800, whereas in India they offer only $80-100. So, the hunters think “why should I focus on the Indian bug bounty program when they offer such low reward” and the same works for me also. 

Q.6 Please tell us more about the URL Spoofing Vulnerability in the web browser and how does it work? 
The basic idea of URL spoofing is user trust. In URL spoofing, what an attacker can do is, whenever you click a URL, you’ll see that the URL belongs to Google.com but the content is shown from the attacker’s domain, so the attacker can show any desired content using the trusted domain. 
The same problem occurred with the Jio platform; the content was being shown from the attacker’s domain. Meanwhile, the user could attest to this data thinking the content shown from Jio is real but the attacker could violate this or do a phishing attack. I think the URL spoofing impacts banking websites the most, the attacker can use any trusted banking domain in India to create a fake page and the victim will most likely attest to that. 

Q.7 What made you interested in Bug Bounty? 
It all began when I was in 8th class and my father bought a computer worth INR 18,000 which was a lot back then. Also, my cousin Karan Gehlot influenced me a lot and brought my interest in computers. After doing my BCA from a local college, I went to Ahmedabad for an Animations course and enrolled myself. The course was to start after 10 days, and in that time, I came across a cybersecurity workshop ad on Facebook. I struggled a lot with stammering and lacked self-confidence but somehow, I went to that workshop. On the 2nd day, I talked with the organizers of the workshop and asked them that “I want to do a job and get in cybersecurity.” So, I started my journey with that organization as a Head Trainer of the Ethical Hacking course and I was also learning side-by-side, I worked for two years there, and in 2014, I joined Suma Soft. 

Q.8 When you found the vulnerability in Jio Browser, did the company respond? 
I contacted Jio via Twitter and they responded immediately, I shared all the information with them but after 2-3 mails, they stopped responding to me, I don’t know why. Recently, they renamed the browser to ‘Jio Smart Pages’ from Jio Browser and fixed the issue, but they didn’t reply to me back. 

Q.9 Is that the common thing, that the companies don’t respond to but silently fix? If so, why do you think it happens? 
That’s what I’m talking about, the Indian programs, they don’t respond. They’ll sweet talk to you in the beginning but once they receive the required information, you cease to exist for them. The companies have a brand image in the market, and if they disclose any information regarding any issue, it may affect their brand value. 

Q.10 Any advice to our readers on Cybersecurity? 
I give the same advice to all my connections/friends and I’ll give the same to you, don’t stop learning. Whenever you do a Bug Bounty Program, just stick to that, don’t change your timeline, spend a good amount of time in research and you’ll surely have good results.