Saturday, 11 May 2019

Bank Vulnerability: Accessing Account Information of Other Users in One of the Top 5 Private Banks

Saga of "One of the Top 5 Private Banks" Vulnerability - Accessing Account Information of Other Users

This disclosure concerns a vulnerability that remained open for 5 months even after it was reported to bank officials. God knows whether this was actively exploited or not, but it was something serious that the bank should have taken care of, and they did not until 10th May, when I asked them again about the status.

I found this in the iPad version of the "One of the Top 5 Banks" application at the end of last year, on Nov 23rd 2018; it was fixed on 10th May 2019.

Saturday, 24 November 2018

Indian Mutual Fund Customer Data Is On Risk | Mutual Funds Vulnerability

Mutual funds in India are growing today, and most people invest some part of their income for a better future, building wealth through SIP and lump-sum investments. In India we have around 34 AMCs. While investing, users need to submit personal data, e.g. name, email, address, PAN, Aadhaar number and other details, to AMCs for the KYC process. Critical customer details like these are valuable to cyber criminals who get their hands on them for fraud and other criminal activities.

Friday, 29 June 2018

cPanel WebDisk Android App 4.0 : Backup Vulnerability

Hello folks,

This vulnerability concerns Insecure Data Storage and a Security Misconfiguration, which can be exploited using the Android backup functionality.

We all know that many mobile applications store user credentials or other sensitive data on the device itself in clear-text format, which is ideally not a good practice.

But many of us also know that to access that data we need root privileges or some special conditions, such as debugging being enabled. So even if the mobile application is storing sensitive data in clear text, it is not considered an issue. Many security teams and bug bounty programs specifically exclude this kind of vulnerability where root/jailbroken conditions are required to exploit it.

Tuesday, 26 September 2017

Yandex IMAP Brute Forcing (No Rate Limit for Login Attempts)

Hello Guyzssss,

I am not into bug bounty so much, but while using one of the Yandex services, I found that there was no rate limit deployed for login attempts on their IMAP authentication.

This means a user can perform multiple attempts on their IMAP service, which is responsible for accessing Yandex mail from other accounts, just like other providers.

For example, Gmail users can import Yandex emails (accounts) using IMAP authentication.