Wednesday, May 18, 2011

M.S.Dhoni ,Priyanka Chopra & Priety Zinta's websites are HACKABLE- A HackingAlert Exclusive !!





                                                       DISCLAIMER 
I (Abhinav singh) did not breach into privacy policies of the following websites
http://www.dhoni.org
http://www.iampriyankachopra.com
http://preityzinta.com


 The act was commited as an action to test the security measures of the website. HackingAlert and its author is not responsible for any damage.

----------------------------------------------------------------------------------------------------------
NOTE - click on the images to view zoomed size.

I have been tracking several pakistani websites until recently i shifted my focus on Indian government and security websites .
Things were going good as and lots of loopholes were easy to find which was expected .
I mailed the flaws and received several patching and fixing replies .
Last night i shifted my gears to test the websites of few of the top Indian celebrities to see if they really care about anything beyond twitting .

I was definitely expecting good security measures but to my surprise it was contrary .
In my test rampage I found out that even the websites of top Indian celebrities can be compromised easily .
It was really shocking for me and it took me not more than 5 hours to hack into the websites of India's 12 well known celebrities.
So it was a tough choice for me that who should feature on my blog . So I decided to pick up my own favourities and i came up with these three names -
M.S Dhoni (he got us world cup man !!)
Priyanka Chopra( My dream girl , i am in love with her)
Priety Zinta  ( my mom's fav actress)

The list could have been longer but i decided to stick to these three .
My first test came on Mahi's website which had the lamest of security measure and was very easy to hack .
(Special thanks to project made by Ankita,aishwarya,jyoti)

It was a cool website with a heavy flash on the home page .http://dhoni.org
 .

 The wwbsite is coded in asp.net . So I went out to check for the escape character flaw in the database and foud that the server threw error which clearly reports that it is not configured to render such escape symbols. This makes the website an easy target for sql injection attack.

this screenshot is of the error message thrown by the server.

So the database had a big flaw in it . i then tried out several sql injection strings to find out if it works and as expected , i was logged in with some id named as "prathapivs" .






Then I came to my favorite "Piggy Chops" , priyanka Chopra's website .
http://www.iampriyankachopra.com
Here the security was far better than that of Dhoni's . Atleast the most common flaws were fixed .
Here I used the Crome's sandbox to find a small security flaw in the source code of the website which is enough to bypass the authentication measures of the website .
In the following snapshot see the code at the bottom which shows the sandbox inspecting the different elements of the main page.



A similar type of flaw was also existing in Priety Zinta's website too .
The website is even not properly designed to make a proper valid authentication for the users .
The website had a simple implimentation of jsp and was filled with several flaws like apache server flaws etc .
The validation script was throwing exceptions each time you log.


Upon injecting scape character strings in the login form the website was behaving in a wired manner and showed a misconfigured page with an error message .
It was not at all difficult from that point to break into the website and gain authenticated privilage .
See the snapshots . When i tried to login with some random user id and password then i got an error message that the user doesnot exist .
But when i tried to inject strings into the login form then although it didnot log me in but it took me to a page that can easily be compromized.




This clearly shows that we are still not serious about our online security . The motive of this article is to show to my readers that security issue is as big as privacy . Simple authentication by signup is not enough to secure yourself . This is the case with more than 50% of Indian websites . Government and non-government sites are becoming easy target of hackers and attackers who are breaking our security services and gaining access to private national information . The Government should take serious measures to improve security measures and the users should be given proper information of how they can remain secure online and maintain privacy .

There is an urgent need to reform the web security structure of our country and make it as strong as that of America or China. With the heat up of web war between India and its neighbours(China and pakistan) it is very essential for the Government and individuals to take relevant security measures to prevent their online property .
I have reported about these security flaws to all these website administrators but have not yet recieved any response from them . This carelessness can prove to be heavy . HackingAlert is the whistle-blower
for them . It needs to be understood that our online security is now as important as our offline security .

Feel free to add your comments and sugestions.

DARKLORD!!

21 comments:

  1. @Radhika .. Ofcourse its possible.i will not take the risk of posting false information.

    ReplyDelete
  2. @abhinav

    i new dhoni,s website was hackable log ago .......prohack posted an article on this ...........a year back and more over its not the dhoni's official web site ...........no one use it now ..........

    but any way thanks for info on priety zintas and priyanka chopras website .............

    ReplyDelete
  3. @john : yea i found out after posting this that dhoni's site has been found vulnerable since many days..thnx alot..

    ReplyDelete
  4. your post is really awakening but it can cause some serious issues for you..

    ReplyDelete
  5. great post man
    http://techankit.com/

    ReplyDelete
  6. Hey man nice work....i think they are just normal SQL injections.........i have also tried and got success in hacking my college site.......

    ReplyDelete
  7. one more thing.as i have read your site stuffs they are very much impressive and effective.......can u tell me how can we hack an online gaming site..i have tried a lot but NO SUCCESS............

    ReplyDelete
  8. @saurabh : thanx a lot...the hack of dhoni's site is sql injection but the other two hacks require advanced escape character flaw finding in their databases. These sites are also vulnerable to xss attack via their comment boxes.

    ReplyDelete
  9. i have read about xss but not able to implement them can u explain me how exactly xss work.....i think they r scripts which we use.......

    ReplyDelete
  10. @Saurabh : its difficult to explain it here...you have to be completely aware of the javascript and jquery.U need to exploit the DOM model..u can contact me through mail...

    ReplyDelete
  11. Ya sure my email address is schopra37@yahoo.com just send me a mail on that...what really u want to explain thanks.........

    ReplyDelete
  12. can u tell me whats the profit in hacking Dhoni's site by sql injection? u can't do anything with the content...nor its possible to login with admin...also the link of priyanka chopra isn't working!!...and also u hvn't mentioned the query anywhere in this article!!!

    ReplyDelete
  13. @Mr Anonymous : Why the hell people only calculate profit and loss in hacking..and for ur information login with admin is also possible in dhoni's site(infact with dhoni's account too,it just requires a bit more of brain . The queries are not mentioned in the article for some reason . You would be glad to know that the link to priyanka chopra is working as good as anything..

    ReplyDelete
  14. hi.

    When do u cum online on this blog?
    any specific time?
    plz let me know...

    ReplyDelete
  15. Thats amazing!

    It's ridiculous how accessible the internet is if you know how to use it.

    Would love to try this out on other sites, like forums etc. to check to what extent it works, but don't know how. If you could make a tutorial / guide or; My hotmail is prayanthem@hotmail.com if you could send me a quick email about what flaws you look for, characteristics etc. I would be very thankful!

    ReplyDelete