Gaana.com hacker reveals how he did it and how can you stay safe

dna tracked down Mak Man, and he's agreed to let us use his name. Here's Mukarram Khalid from Lahore.


White hat hacker Mak Man has been in the news since Thursday for infiltrating Gaana.com's website and proving it was possible to not only steal user data, but also tamper with the portal itself. Mak Man says when he found the loophole, he tried bringing it to the attention of the site's moderators, but was largely ignored. Annoyed, Mak Man set out to prove that the flaw could be exploited.


So how exactly did Khalid gain access to Gaana.com's servers? He says the vulnerability was SQL injection. Simply put, it's a bug in the website's code that occurs when an input parameter from the client side has not been properly sanitised, allowing a hacker to execute SQL (Structured Query Language) code at the website's back-end DBMS (Database Management System).

Let's go over that again. Take, for example, a login page on a website. The form on that page accepts input from you, which the website then checks against what it expects (for instance, that your password matches the one on record). But if that part of the website's code isn't written properly and the input isn't validated before it is used, the form doesn't stop you from entering something other than a name or a password. A hacker can use that to pass their own SQL commands straight through to the website's database, potentially gaining access to all the data stored there.
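To make the login example concrete, here is an added illustration (not code from Gaana.com or from Khalid) of the same login check written both ways: once by pasting the form input into the SQL text, and once with a parameterised query. The user table, the account and the probe string are constructed for the demo; the `resists_injection` check is the kind of regression test a site can run against every login handler.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a site's user table (one account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    # The SQL text is assembled from client input, so a quote character in
    # the input ends the string literal and the rest is read as SQL.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username: str, password_hash: str) -> bool:
    # Parameterised query: the input travels as bound values, never as SQL
    # text, so quotes and keywords inside it are compared literally.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def resists_injection(conn, login_fn) -> bool:
    """Regression check for a login handler: a quote-bearing username and
    password that match no real account must be rejected. True means safe."""
    probe = "' OR '1'='1"
    return not login_fn(conn, probe, probe)


if __name__ == "__main__":
    db = make_db()
    print("string-built query safe? ", resists_injection(db, login_vulnerable))
    print("parameterised query safe?", resists_injection(db, login_safe))
```

The parameterised form is the fix; it is independent of how passwords are stored, which is a separate problem from the unsalted MD5 the article mentions.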

"In this particular case (Gaana.com), there was a user table in the database which had almost 12 million records. This table had all the usernames, email addresses, passwords (MD5 encrypted), date of birth, Facebook IDs, Twitter IDs and other financial information," said Khalid, in an email to us.

While he claims he didn't steal or download any of the information, Khalid says it was easily within his grasp, although it would've taken a few days given the sheer quantity.

And his efforts seem to have paid off. Times Internet CEO Satyan Gajwani came out on social media, owning up to the goof and thanking the then anonymous Mak Man for his efforts. The hole has since been patched, and Gaana.com was offline for a few hours last evening as they carried out extensive diagnostic tests to uncover any further flaws. At Gajwani's request, Khalid also took down the script he had hosted on his website.

How to protect data

Never use the same password for multiple online accounts. It might be tedious to remember them all, but it's better to have one compromised login than all of them.

Don't click on unknown links or URLs while online. That one should be obvious, but it needs to be stated again and again. Keep your system and your antivirus software up to date.

Make sure that when you're entering your financial details into any online portal, it's a legitimate organisation, and one you can trust. If there's even a shadow of a doubt, stay away from it. Where possible, elect to not save credit or debit card details.
