dnaWeb Exclusive: Gaana.com hacker reveals how he did it and what you need to do to stay safe

We got a chance to speak to Mak Man, the hacker who infiltrated Gaana.com and exposed a glaring vulnerability. Here's how he managed to accomplish the feat, and here's what service providers, and you the user, can do to prevent such attacks.


White hat hacker Mak Man has been in the news since yesterday for infiltrating Gaana.com's website and proving it was possible not only to steal user data, but also to tamper with the website itself. As our article on the incident pointed out, Mak Man says that when he found the loophole, he tried bringing it to the attention of the site’s moderators, but was largely ignored. Annoyed that a major service provider would be so lax about its security, Mak Man set out to prove that the flaw could be exploited, putting all the user data on the Gaana.com servers in very real danger of being stolen.

We managed to track down Mak Man, and he’s agreed to let us use his name in this article, giving him a chance to do what he set out to do: draw attention to online data security and to the preventive measures that websites and end users can take. Meet Mukarram Khalid from Lahore.

So how exactly did Khalid gain access to Gaana.com’s servers? He says the vulnerability was SQL injection. Simply put, it’s a bug in the website’s code that occurs when an input parameter from the client side has not been properly sanitised, allowing a hacker to execute SQL (Structured Query Language) code at the website’s back-end DBMS (Database Management System).

Let’s go over that again. Take, for example, a login page on a website. The form on that page allows you to input data, which the website then checks against certain rules (like making sure your password matches). But if that bit of the website’s code isn’t properly written and the fields aren't restricted to validated data, the form doesn’t stop you from entering something other than a name or password. A hacker can use that to send their own SQL commands straight to the website’s database, potentially giving them access to all the data stored therein.
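To make the login-form description concrete, here is an added example (not Gaana.com's code, and not code supplied by Khalid) that builds a constructed in-memory user table and checks a username and password two ways: once by splicing the raw input into the SQL text, which is the bug the article describes, and once with parameter binding, which is the standard fix. The table, the account name and the password are all constructed for the demonstration; passwords are stored in the clear only to keep the focus on the query, not because that is acceptable practice.

```python
import sqlite3

# Constructed stand-in for a site's user table (example data, not real accounts).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Unsanitised input is pasted straight into the SQL string, so a quote
    # character in the input changes the structure of the query itself.
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameter binding ships the values separately from the SQL text; the
    # database treats them purely as data and never parses them as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    # The textbook tautology input from any SQL-injection primer: the quote
    # closes the password literal and the OR makes the WHERE clause always true.
    conn = build_db()
    bad_password = "' OR '1'='1"
    return {
        "vulnerable_accepts_wrong_password": vulnerable_login(conn, "alice", bad_password),
        "safe_rejects_wrong_password": not safe_login(conn, "alice", bad_password),
        "safe_accepts_right_password": safe_login(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a site operator is that the input does not need to be "blocked" by clever filtering of quote characters; the parameterised query removes the problem at its root because user data can no longer alter the query's grammar, whatever characters it contains.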

“In this particular case (Gaana.com), there was a user table in the database which had almost 12 million records. This table had all the usernames, email addresses, passwords (MD5 encrypted), date of birth, Facebook IDs, Twitter IDs and other financial information,” said Khalid, in an email to us. While he claims he didn’t steal or download any of the information, Khalid says it was easily within his grasp, although it would’ve taken a few days given the sheer quantity. He hosted the SQL script used in this case on a domain he owns: makman.tk. This script was coded to grab the information of a single user against a particular email address directly from the website database. I know what you’re thinking, and no, no one else was able to exploit this. Khalid says the script was posted in a very controlled Captcha environment, with the ability to ban IP addresses running automated bot scripts. Basically he did this to prove a point.

And his efforts seem to have paid off. Times Internet CEO Satyan Gajwani came out on social media, owning up to the goof and thanking the then anonymous Mak Man for his efforts. The hole has since been patched, and Gaana.com was offline for a few hours last evening as they carried out extensive diagnostic tests to uncover any further flaws. At Gajwani’s request, Khalid also took down the script he had hosted on his website.

But where do we go from here? It’s highly unlikely that the next hacker to exploit a similar flaw will be on the side of security, so what precautionary measures can (and should) websites take? Khalid lists some of the key ones here:

Every web application needs to ensure proper security in layers. One simple bug can lead to severe security issues. In this case, user passwords were stored as MD5 hashes, which Khalid says are ineffective. “They should have used bcrypt. This flaw led to another loophole. I was able to crack the password of the administrator's account and gain access to the admin panel where I was able to edit/remove/add any feature on the website,” he adds.
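The following added example (not Gaana.com's code, and not supplied by Khalid) shows why a table of plain MD5 hashes turns one leak into cracked accounts, and what a slow, salted password hash changes. It uses a constructed wordlist and constructed user records. Khalid recommends bcrypt; this example uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for it because bcrypt is not a stdlib module, and the storage format string is this example's own convention.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for a real dictionary (example only).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def md5_hash(password: str) -> str:
    # How the article says the leaked passwords were stored: a fast, unsalted hash.
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(leaked: Dict[str, str]) -> Dict[str, str]:
    # One MD5 computation per candidate word cracks every user who chose it:
    # identical passwords give identical digests, and MD5 is cheap to compute.
    lookup = {md5_hash(word): word for word in COMMON_PASSWORDS}
    return {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}


# PBKDF2 stand-in for bcrypt: per-user random salt plus a deliberately slow derivation.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Storage format is this example's own convention: algorithm$iterations$salt$digest.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    # Constructed "leaked user table" with two users sharing a weak password.
    leaked = {
        "user1": md5_hash("123456"),
        "user2": md5_hash("123456"),
        "user3": md5_hash("x7#Qm!v9pL2z"),  # not in the wordlist
    }
    cracked = crack_md5(leaked)
    stored_a = hash_password("123456")
    stored_b = hash_password("123456")
    return {
        "md5_cracked": cracked,
        "same_password_same_md5": leaked["user1"] == leaked["user2"],
        "same_password_different_salted_hash": stored_a != stored_b,
        "salted_verify_ok": verify_password("123456", stored_a),
        "salted_verify_wrong": verify_password("654321", stored_a),
    }


if __name__ == "__main__":
    print(demo())
```

With unsalted MD5, the attacker pays for each dictionary word once and matches it against the whole table. With a per-user salt every hash must be attacked separately, and the iteration count (or bcrypt's cost factor) makes each attempt many thousands of times slower, which is exactly the protection the administrator's account lacked here.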

First things first, websites need to sanitise all user input by following secure coding practices. They also need to hire security professionals to conduct proper penetration testing. It’s never wise to rely on the security of your program or website without even trying to find someone who can break into it. Preparation is key.

“Security is not a one-time thing. It has to be updated as per modern standards and these standards are getting better day by day,” Khalid emphasizes. Every large organization also needs to have a bug bounty program where users are rewarded for finding flaws in a website’s code. That way, you can crowdsource your security testing, in real time, while giving people a motivation to report loopholes rather than exploit them.

“If someone reports a security issue, it must be taken seriously and resolved as soon as possible,” Khalid reiterates. “It'll take some time to rectify the issue but, as I said, security is not a one time thing. It has to be maintained.”

So what about you? How does the end user, who most likely doesn’t know about the security flaws in an app, stay protected? Contrary to the saying, what you don't know CAN hurt you, but there are at least a few things you can do to protect your data.
- Never use the same password for multiple online accounts. It might be tedious to remember them all, but it’s better to have one compromised login than all of them.
- Don’t click on unknown links or URLs while online. That one should be obvious, but it needs to be stated again and again. Keep your system and your antivirus software up to date.
- Make sure that when you're entering your financial details into any online portal, it's a legitimate organisation, and one you can trust. If there’s even a shadow of a doubt, stay away from it. Where possible, elect to not save credit or debit card details.

Mukarram Khalid aka Mak Man is a white hat hacker based in Lahore. All the information in this article is sourced directly from him.
