
ALERT: Nairaland Declared Insecure | Loophole found - Programming - Nairaland


ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 2:03pm On Aug 10, 2017
So I was just pen-testing my applications when I stumbled across a Nairaland tab I opened a while ago on my browser. A thought popped into my head, "hey, why don't you give exploiting NL a shot"....I was like, hell no..their connection isn't SSL encrypted but will probably be TLS encrypted...but, unfortunately I was curious and had to find out.

I guess NL was built either with Python or PHP or a combination of both languages...the app itself is safe from the commonest of attacks like XSS, CSRF, SQL Injection...etc that doesn't mean NL can't be hacked...the security in place just makes it difficult.

I switched to my Kali OS workspace, did one or two things and after much trial by error I was able to carry out advanced stealth attacks which left no traces.

I'm not going to discuss on what I did or how I did it, I'm just letting you know that until NL steps up its security...your data/account is NOT safe.

To Seun, I didn't save, store, transfer or edit any data I intercepted, so your data is safe at least till someone more ambitious and desperate than me attacks. If you want to share the details of the pen-test, send me a DM and I'd reply with full information and steps to reproduce the results and find the Loophole.

1 Like

Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 2:06pm On Aug 10, 2017
To laymen:
What this means in one sentence is:
If you reply to this thread or carry out any (POST, PATCH, PUT, GET) action on NL while I'm on the inside, I can login to your account. (You know what that means right?).....but I won't, so feel free to reply.

And Seun, I must not get banned!
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 2:07pm On Aug 10, 2017
Okay login and thief my BVN and ATM card numbers. You better go hack bet9ja or 1960bet make you share us money.

Teach me your hacking skills and watch me do wonder.

2 Likes

Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 2:12pm On Aug 10, 2017
fuckerstard:
Okay login and thief my BVN and ATM card numbers. You better go hack bet9ja or 1960bet make you share us money.

Lol, hacking those sites isn't impossible.... it's just more difficult and expensive, I may need close to/more than a terabyte of hardware and a RAM >8GB (considering all the firewalls) and probably close to/more than a month(s) to successfully hack that caliber of website. So, basically, except I have a very good reason to waste my money and time....I ain't pulling it off.

1 Like

Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 7:21am On Aug 11, 2017
Even my own small website sef, I don buy SSL padlock put for am. But I am not done with the security measures, you can contact me via support@startup.com to continue jare.
where startup.com is the name of my domain - since my domain has been flagged as VERY DANGEROUS (code RED).

2 Likes

Re: ALERT: Nairaland Declared Insecure | Loophole found by FincoApps(m): 12:35pm On Aug 12, 2017
dhtml81:
Even my own small website sef, I don buy SSL padlock put for am. But I am not done with the security measures, you can contact me via support@startup.com to continue jare.
where startup.com is the name of my domain - since my domain has been flagged as VERY DANGEROUS (code RED).

hahahahahahha
Re: ALERT: Nairaland Declared Insecure | Loophole found by FincoApps(m): 1:05pm On Aug 12, 2017
fuckerstard:
Okay login and thief my BVN and ATM card numbers. You better go hack bet9ja or 1960bet make you share us money.

Teach me your hacking skills and watch me do wonder.

You do know that even those websites don't store card details right....? It's amazing the number of people, even hackers that don't know this

Lol, I've seen a lot of hackers get so disappointed when they hack a huge website and find absolutely NOTHING stealable grin.

2 Likes 1 Share

Re: ALERT: Nairaland Declared Insecure | Loophole found by cooperscotty1: 1:33pm On Aug 14, 2017
for those that are in learning hacking and linux, join this whatsapp group https:///8gVmy6yrVPJ1Vgjp6XvinF
Re: ALERT: Nairaland Declared Insecure | Loophole found by Sirnuel: 7:43am On Aug 16, 2017
The truth is nothing is unhackable.... Most especially websites. It's just that nobody has had any reason to hack it yet.
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 2:51pm On Aug 18, 2017
FincoApps:


You do know that even those websites don't store card details right....? It's amazing the number of people, even hackers that don't know this

Lol, I've seen a lot of hackers get so disappointed when they hack a huge website and find absolutely NOTHING stealable grin.

True, but not all websites. Some lie about this and keep a very good portion of your details. For example: GoDaddy, how do you think they remember all of your card information and allow you to make payment without entering card details for life (they operate like a bank themselves and have the permission to do this). It is funny you don't know about this.

If Third party sites don't even store credit card details then they must be stored somewhere right?...everything is on the cloud these days and CC's are easily hijacked.
Re: ALERT: Nairaland Declared Insecure | Loophole found by yahoofak(m): 1:04pm On Aug 20, 2017
stop ranting kid. you probably know nothing about hacking. nairaland was never hacked. the host got hacked and through it, the hacker deleted nairaland's data.

1 Like

Re: ALERT: Nairaland Declared Insecure | Loophole found by michaelwilli(m): 1:29pm On Aug 20, 2017
yahoofak:
stop ranting kid. you probably know nothing about hacking. nairaland was never hacked. the host got hacked and through it, the hacker deleted nairaland's data.

All what the op said doesn't make sense to me

1 Like

Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 4:13pm On Aug 20, 2017
yahoofak:
stop ranting kid. you probably know nothing about hacking. nairaland was never hacked. the host got hacked and through it, the hacker deleted nairaland's data.

I don't know why you guys find it difficult to be polite.

I'm not a great hacker but one of the methods I tried works and it's what I'm talking about here..I don't need to even know what I'm saying for Nairaland to take me serious, it's very simple. I just didn't want to mention what I did or how I hijacked sessions.
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 4:26pm On Aug 20, 2017
michaelwilli:

All what the op said doesn't make sense to me

Why is it difficult to understand?
Is the OP not plain enough..
I guess I will just delete this thread instead because you guys don't even understand the essence of security. If I posted this on Twitter I would have been called up to recreate the hack and show the loop hole. I guess security is not much of a big deal on here.
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 5:05pm On Aug 20, 2017
yahoofak:
stop ranting kid. you probably know nothing about hacking. nairaland was never hacked. the host got hacked and through it, the hacker deleted nairaland's data.

I didn't even read through your post at first... reading through the second time I discovered how stupid (yes I'm being rude) you are to think you know a thing about hacking.

There are different ways a website can be hacked, the extent of damage of the method I attempted won't give me access to Nairaland's files talkless of deleting its data or database all it does is it gives me access to user accounts which means I can carry out scam attacks on other users. Have you ever heard of Session hijacking or Man In The Middle attacks? Wise up sissy!

3 Likes

Re: ALERT: Nairaland Declared Insecure | Loophole found by Olyboy16(m): 5:07pm On Aug 20, 2017
DanielTheGeek:
To laymen:
What this means in one sentence is:
If you reply to this thread or carry out any (POST, PATCH, PUT, GET) action on NL while I'm on the inside, I can login to your account. (You know what that means right?).....but I won't, so feel free to reply.

And Seun, I must not get banned!

you're a toothless script kiddy. that free vulnerability scanner you're using is fooling you.

hack my account to prove, i give you full permission

2 Likes

Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 5:10pm On Aug 20, 2017
Olyboy16:


you're a toothless script kiddy. that free vulnerability scanner you're using is fooling you.

hack my account to prove, i give you full permission

Awesome, what I've been waiting for since!
Give me some time. Away from my PC at the moment. Will be back, If successful I will post with your account on this board saying "DanielTheGeek hacked me"
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 5:14pm On Aug 20, 2017
Olyboy16:


you're a toothless script kiddy. that free vulnerability scanner you're using is fooling you.

hack my account to prove, i give you full permission

However the developers of this site could have added an extra security layer, so if I fail I will post pictures of the actual hacking process or maybe even a video to prove I never made use of a "free vulnerability scanner"

1 Like

Re: ALERT: Nairaland Declared Insecure | Loophole found by FincoApps(m): 5:14pm On Aug 20, 2017
DanielTheGeek:


True, but not all websites. Some lie about this and keep a very good portion of your details. For example: GoDaddy, how do you think they remember all of your card information and allow you to make payment without entering card details for life (they operate like a bank themselves and have the permission to do this). It is funny you don't know about this.

If Third party sites don't even store credit card details then they must be stored somewhere right?...everything is on the cloud these days and CC's are easily hijacked.

smh....
Ever heard of "CARD TOKENIZATION" ?
That's the term here

Websites like GoDaddy store a card token on their servers and that's what they use to charge your card. The card details are NOT stored on their server, they still use a 3rd party service.... But you won't know that cause it looks like they still have your details... The security requirements to store cards can only be met by some companies... Probably Facebook has such facility but not sure...

So even if GoDaddy was hacked and the card tokens are stolen, it would still be impossible to retrieve the card details.



Ever seen "Verified by Visa" ? That Visa's 3D Auth..... it means the website was actually reviewed.

You are right, malicious people might lie about it but certainly not a company like GoDaddy.... They would have been seized by now
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 5:27pm On Aug 20, 2017
FincoApps:


smh....
Ever heard of "CARD TOKENIZATION" ?
That's the term here

Websites like GoDaddy store a card token on their servers and that's what they use to charge your card. The card details are NOT stored on their server, they still use a 3rd party service.... But you won't know that cause it looks like they still have your details... The security requirements to store cards can only be met by some companies... Probably Facebook has such facility but not sure...

So even if GoDaddy was hacked and the card tokens are stolen, it would still be impossible to retrieve the card details.



Ever seen "Verified by Visa" ? That Visa's 3D Auth..... it means the website was actually reviewed.

You are right, malicious people might lie about it but certainly not a company like GoDaddy.... They would have been seized by now

I understand you bro but I'm sure GoDaddy is certified to store card details while Facebook may not be.

Talking about Card Tokenization, it depends actually on how the website developers "tokenize" the data. If it can be decoded and the data is stored as a cookie then what's the point? Because sites that are not certified to make direct transactions with user accounts have to store info via cookies.
GoDaddy placed a lien on my account directly once in the past and I confirmed from my bank....I couldn't withdraw anything from my account until GoDaddy freed my account.
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 5:38pm On Aug 20, 2017
FincoApps:


smh....
Ever heard of "CARD TOKENIZATION" ?
That's the term here

Websites like GoDaddy store a card token on their servers and that's what they use to charge your card. The card details are NOT stored on their server, they still use a 3rd party service.... But you won't know that cause it looks like they still have your details... The security requirements to store cards can only be met by some companies... Probably Facebook has such facility but not sure...

So even if GoDaddy was hacked and the card tokens are stolen, it would still be impossible to retrieve the card details.



Ever seen "Verified by Visa" ? That Visa's 3D Auth..... it means the website was actually reviewed.

You are right, malicious people might lie about it but certainly not a company like GoDaddy.... They would have been seized by now

Freelancer.com is compliant and has permissions to store card details on any of its servers (escrow.com). They even own an escrow company. But tokenization doesn't take away the possibility of data being hijacked, just makes it difficult cos of the hashing mechanisms involved but makes it tougher.
Who says you can't decode a password hashed using BCRYPT? Through PHP > password_hash() .....?
It's just very difficult...but not impossible.
Or better still if it seems too difficult, then maybe a man-in-the-middle attack can be given a try...if it doesn't still work then maybe social engineering can.
Re: ALERT: Nairaland Declared Insecure | Loophole found by yahoofak(m): 7:57pm On Aug 20, 2017
DanielTheGeek:


I didn't even read through your post at first... reading through the second time I discovered how stupid (yes I'm being rude) you are to think you know a thing about hacking.

There are different ways a website can be hacked, the extent of damage of the method I attempted won't give me access to Nairaland's files talkless of deleting its data or database all it does is it gives me access to user accounts which means I can carry out scam attacks on other users. Have you ever heard of Session hijacking or Man In The Middle attacks? Wise up sissy!

stop ranting kid. you know nothing. you can't steal anybody's session token using javascript here. moreover, even if you succeeded in doing that, you can never access the account. if you knew anything about security in the first place, you would have known that the session tokens used on most sites including nairaland are hashed combination of the user's IP address, device, browser among others which you can't just guess all. grow up please. grow up!

1 Like

Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 9:15pm On Aug 20, 2017
yahoofak:
stop ranting kid. you know nothing. you can't steal anybody's session token using javascript here. moreover, even if you succeeded in doing that, you can never access the account. if you knew anything about security in the first place, you would have known that the session tokens used on most sites including nairaland are hashed combination of the user's IP address, device, browser among others which you can't just guess all. grow up please. grow up!

Christ, I just got maximum confirmation that you know nothing.

Who says I was using any web technology in the first place to carry out the attack? Who said anything about using JavaScript, that will limit me to either an XSS or CSRF attack (that's all I can do with JS for hacking)...which is wayyy cheap to what I did.
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 9:19pm On Aug 20, 2017
yahoofak:
stop ranting kid. you know nothing. you can't steal anybody's session token using javascript here. moreover, even if you succeeded in doing that, you can never access the account. if you knew anything about security in the first place, you would have known that the session tokens used on most sites including nairaland are hashed combination of the user's IP address, device, browser among others which you can't just guess all. grow up please. grow up!

There are different kinds of attacks, I just cited some to broaden your cerebral cortex...I didn't say I stole sessions with JavaScript, Open your eyes and brains next time.

Here are some more for your cerebral cortex to grab:
Eavesdropping. ...
Data Modification. ...
Identity Spoofing (IP Address Spoofing) ...
Password-Based Attacks. ...
Denial-of-Service Attack. ...
Man-in-the-Middle Attack. ...
Compromised-Key Attack. ...
Sniffer Attack.
Re: ALERT: Nairaland Declared Insecure | Loophole found by Olyboy16(m): 9:38pm On Aug 20, 2017
DanielTheGeek:


Awesome, what I've been waiting for since!
Give me some time. Away from my PC at the moment. Will be back, If successful I will post with your account on this board saying "DanielTheGeek hacked me"

good!! get on with it already! too much talk without action on this board jawe

2 Likes

Re: ALERT: Nairaland Declared Insecure | Loophole found by yahoofak(m): 10:12pm On Aug 20, 2017
DanielTheGeek:


There are different kinds of attacks, I just cited some to broaden your cerebral cortex...I didn't say I stole sessions with JavaScript, Open your eyes and brains next time.

Here are some more for your cerebral cortex to grab:
Eavesdropping. ...
Data Modification. ...
Identity Spoofing (IP Address Spoofing) ...
Password-Based Attacks. ...
Denial-of-Service Attack. ...
Man-in-the-Middle Attack. ...
Compromised-Key Attack. ...
Sniffer Attack.

shut up! boy. you know nothing about hacking. you are just another lamer who read theories on reddit and wikipedia.

1 Like

Re: ALERT: Nairaland Declared Insecure | Loophole found by FincoApps(m): 2:27am On Aug 21, 2017
DanielTheGeek:


I understand you bro but I'm sure GoDaddy is certified to store card details while Facebook may not be.

Talking about Card Tokenization, it depends actually on how the website developers "tokenize" the data. If it can be decoded and the data is stored as a cookie then what's the point? Because sites that are not certified to make direct transactions with user accounts have to store info via cookies.
GoDaddy placed a lien on my account directly once in the past and I confirmed from my bank....I couldn't withdraw anything from my account until GoDaddy freed my account.

Card Tokenization has NOTHING to do with encryption or hashing. That's another common mistake developers/hackers make. Card tokenization is more like representing your card details on a less secure server. This means that if I give you a sample card token for a Website, it would be completely useless to you because it's actually just random chars. It's not like your card details are hashed or encrypted to produce the token. There is no way to get the card details from a card token.

Check on difference between Card tokenization and encryption....

If you still think hacking a website and stealing the card tokens would give you access to the card details, I will suggest you read on tokenization more. Also, I could give you some card tokens and let's see if you can use it to get the card details.
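The distinction drawn in the post above (a token is random and only the third-party processor can map it back to a card), shown as an added sketch that is not part of the original thread and not any real processor's API. `ProcessorVault`, the merchant IDs and the `tok_` prefix are hypothetical, binding a token to one merchant is an assumption of this sketch, and the card number is the widely published Visa test number, not a real card.

```python
import hashlib
import secrets

TEST_PAN = "4111111111111111"  # constructed sample: standard test card number


def luhn_valid(pan: str) -> bool:
    """Card-number checksum; the vault refuses anything that fails it."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Stand-in for the third-party service that actually holds card data."""

    def __init__(self):
        self._cards = {}                    # token -> (merchant_id, pan); never leaves the vault

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # The token comes from a CSPRNG. It is not computed from the PAN,
        # so there is nothing to decrypt, unhash or brute-force back to it.
        token = "tok_" + secrets.token_urlsafe(24)
        self._cards[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        entry = self._cards.get(token)
        if entry is None:
            return {"ok": False, "reason": "unknown token"}
        owner, pan = entry
        if owner != merchant_id:            # assumption: tokens are merchant-scoped
            return {"ok": False, "reason": "token not issued to this merchant"}
        return {"ok": True, "charged_cents": amount_cents, "last4": pan[-4:]}


def pan_digest(pan: str) -> str:
    """What a naive 'hash the card' scheme would store, for contrast."""
    return hashlib.sha256(pan.encode()).hexdigest()


def demo() -> dict:
    vault = ProcessorVault()
    # The merchant's own database holds only the token.
    merchant_db = {"customer-17": vault.tokenize("shop-a", TEST_PAN)}
    token = merchant_db["customer-17"]
    return {
        # Same card tokenized twice gives unrelated tokens...
        "tokens_differ": token != vault.tokenize("shop-a", TEST_PAN),
        # ...whereas a hash of the card is the same every time.
        "hashes_equal": pan_digest(TEST_PAN) == pan_digest(TEST_PAN),
        # A dump of the merchant database contains no card number.
        "pan_in_merchant_db": TEST_PAN in repr(merchant_db),
        "merchant_charge": vault.charge("shop-a", token, 1999),
        "token_used_elsewhere": vault.charge("shop-b", token, 1999),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
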
Re: ALERT: Nairaland Declared Insecure | Loophole found by michaelwilli(m): 12:07pm On Aug 21, 2017
DanielTheGeek:


Why is it difficult to understand?
Is the OP not plain enough..
I guess I will just delete this thread instead because you guys don't even understand the essence of security. If I posted this on Twitter I would have been called up to recreate the hack and show the loop hole. I guess security is not much of a big deal on here.

All u said don't add up
Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 6:44pm On Aug 21, 2017
FincoApps:


Card Tokenization has NOTHING to do with encryption or hashing. That's another common mistake developers/hackers make. Card tokenization is more like representing your card details on a less secure server. This means that if I give you a sample card token for a Website, it would be completely useless to you because it's actually just random chars. It's not like your card details are hashed or encrypted to produce the token. There is no way to get the card details from a card token.

Check on difference between Card tokenization and encryption....

If you still think hacking a website and stealing the card tokens would give you access to the card details, I will suggest you read on tokenization more. Also, I could give you some card tokens and let's see if you can use it to get the card details.

I'm understanding you better now, but while card Tokenization and encryption aren't related the "random chars" have to be generated using some hashing algorithms. It's believed that anything that can be encrypted can be decrypted but anything hashed can't be unhashed....
Thanks for pointing this out, I understand better now. But if you were paid by a security firm to have a bank customers account? How would you go about it? Social engineering?

And kudos to the person that tried carrying out an XSS attack on one of the websites in my signature...I hope you're not disappointed it didn't work...:

http://www.example.com/malicious-code.js\x3e\x3c/script\x3e
Re: ALERT: Nairaland Declared Insecure | Loophole found by Olyboy16(m): 7:52pm On Aug 21, 2017
DanielTheGeek:

I'm understanding you better now, but while card Tokenization and encryption aren't related the "random chars" have to be generated using some hashing algorithms. It's believed that anything that can be encrypted can be decrypted but anything hashed can't be unhashed....
But if you were paid by a security firm to have a bank customers account?

And kudos to the person that tried carrying out an XSS attack on one of the websites in my signature...I hope you're not disappointed it didn't work...:

http://www.example.com/malicious-code.js\x3e\x3c/script\x3e

xss? that was all you could detect? *grins* eh eh eh.
well, thank glo for their incompetence;
.
imagine me having full mtn 4G?
.
just see that as me saying hi and to caution your big mouth eh? .
.
its a wild world out here pal, not your localhost k?
.
an adage says "a silent fox will live longer and eat fatter than a roaring lion."

1 Like

Re: ALERT: Nairaland Declared Insecure | Loophole found by Nobody: 10:56am On Aug 22, 2017
Olyboy16:

xss? that was all you could detect? *grins* eh eh eh.
well, thank glo for their incompetence;
.
imagine me having full mtn 4G?
.
just see that as me saying hi and to caution your big mouth eh? .
.
its a wild world out here pal, not your localhost k?
.
an adage says "a silent fox will live longer and eat fatter than a roaring lion."

Come on, shut up, number one rule as a hacker is to remain silent and create a back door.
Re: ALERT: Nairaland Declared Insecure | Loophole found by Olyboy16(m): 11:34am On Aug 22, 2017
DanielTheGeek:


Come on, shut up, number one rule as a hacker is to remain silent and create a back door.

normally i would be mad at you and reply you with heavy insults...but i won't, cos you're just a kid and being a child.
.
by the way i'm not your enemy either; that cms you're using is called question2answer written by scott.
the cms runs at least 40 database queries on every question posted.
your site has at least 50 deadly vulnerabilities, most of which exist in its core scripts e.g qa-user.php under your qa-include folder.
among the vulnerabilities is the ability to post a question without registration or verification. several xss and post injection holes in the search script among others. also, some scripts in your qa-plugin/ domain are betraying you.
.
learn not to insult people on social media, especially when your full name and picture is available.
BTW kid, you only need a backdoor when you fear you may lose access!

1 Like 1 Share
