So i was doing my routine security analysis on different sites here in naira then i saw a link someone posted.

i decided to pick the site up and analyse, turns the site has multiple bug...

its a financial site that gives loan...



the site stores its database backup in the root folder, i was able to download it and get the admin details and that of upto 56,000 users.

why cant a company as big as that invest in security??

now i can approve loans, and 56,000 users atm cards and bvn is being stored there too...

nairaland webmasters see for your self.

Modified: Company details removed

You self na hacker... whe you got there, why didn’t you leave in peace, you come download bank details �

Develop something for them, contact them maybe they'll buy you

maxweb:

Guy do you do training

Contact me via siggy

ediko5:


Bro, thumbs up for you, but i will really appreciate if you keep the financial information you have as a confidential information.

Don't compromise with scammers or used it for any scam intend.

I've purchased video tutorial @ Udemy For Website Security/Hacking, i'm yet to commence the lecture. I want to have you as a mentor. Can you drop your WhatsApp contact.

I won't compromise bro...I will contact them tonight and let them know what to do about it..

My own details is even there (including bvn )..cos I registered as a user to also carry out proper analysis...

It's a big security issue that needs to be corrected immediately!

Ire2:
.

Omoh how far. How e dey be? You fit give me just one person details?

Haba...fear God at least!!

I only posted it here so webmasters can see the importance of security.

They might even arrest the web developers of that site when I contact the company

This is serious. You must be a hacker.

well, we all are curious at times, its the most desirable threat of a hacker , i understand your curiosity led to your recon and vulnerability analysis of the site but active exploitation could lead to a serious case bro , i had being a victim once when i passively did a recon without permission ,knowing you to be a professional, i trust you to take the right steps to bring it to their notice and avoid persecution .

and i suggest you withold their identity as there are very good bad guys here too that might want to go after those juicy data

Wizdeen:
well, we all are curious at times, its the most desirable threat of a hacker , i understand your curiosity led to your recon and vulnerability analysis of the site but active exploitation could lead to a serious case bro , i had being a victim once when i passively did a recon without permission ,knowing you to be a professional, i trust you to take the right steps to bring it to their notice and avoid persecution .

Was almost arrested at asaba when I reported a case of web vulnerability to a government website...they told me to come that they have a Job For me...I went there, met the gateman and explained myself!!
Gateman pointed at a hilux parking inside...then told me it was me they were waiting for

I didn't spend extra 2 seconds there at that moment...

This our job is very risky...

Hey, do you want a coverage of this vulnerability on our blog with credit to you Don't see any risks there, it's a normal thing in the IT world, so long as you didn't steal the information, just reporting a bug!

questechie:
Hey, do you want a coverage of this vulnerability on our blog with credit to you Don't see any risks there, it's a normal thing in the IT world, so long as you didn't steal the information, just reporting a bug!

Ofcos no problem

This is very wrong...if you had good intentions you wouldnt have posted the company name in a public domain like this...You could have contacted them via email or any other channel.You are not only exposing them you are giving other hackers insight into exploiting the site while killing the organisations brand...Theres a better way to manage sensitive stuff like this...

dobsava:
This is very wrong...if you had good intentions you wouldnt have posted the company name in a public domain like this...You could have contacted them via email or any other channel.You are not only exposing them you are giving other hackers insight into exploiting the site while killing the organisations brand...Theres a better way to manage sensitive stuff like this...

Alright I wil take down this post

Thats very noble of you...If you are into Website hardening and website security analysis.Kindly contact me via this email dobsava@gmail.com.

Weldone Bro please can you inbox me your contact want to learn ethical hacking too...or could you recommend a good institute where i can learn one. Also you are aware the website name is still showing in the user quoted comments...Even after hiding the business name...I think its safer to delete this post.But reply me first lol!!!

Cyberleets:

Alright I wil take down this post

hitswitches:
Weldone Bro please can you inbox me your contact want to learn ethical hacking too...or could you recommend a good institute where i can learn one. Also you are aware the website name is still showing in the user quoted comments...Even after hiding the business name...I think its safer to delete this post.But reply me first lol!!!

U can purchase courses from udemy...(paid)
Or use YouTube videos... (free)
Or contact me for lectures (paid)

Oya share contact naaa

Cyberleets:


U can purchase courses from udemy...(paid)
Or use YouTube videos... (free)
Or contact me for lectures (paid)

hitswitches:
Oya share contact naaa

Check signature

Cyberleets:


I won't compromise bro...I will contact them tonight and let them know what to do about it..

My own details is even there (including bvn )..cos I registered as a user to also carry out proper analysis...

It's a big security issue that needs to be corrected immediately!

Bro that reminds me. I had this argument with a friend that if a person't BVN is exposed to others, it possess no security threat but he said it's a big threat. Can you tell me how it is a threat?

ediko5:


Bro that reminds me. I had this argument with a friend that if a person't BVN is exposed to others, it possess no security threat but he said it's a big threat. Can you tell me how it is a threat?

It's a security stuff u don't discuss in public...