<body>

Friday, December 09, 2005

Major Dhiraagu E-bill flaw!!!!



It has been brought to our attention that there is a major flaw with the Dhiraagu e-bill system, where an e-bill user can view other e-bill users' bill details... our good friend Jaaheen informed us of this issue, and of course furnished us with the 'proof of concept'..

Of course Jaaheen, who discovered this 'loophole', was kind enough to bring this to our attention, and we have been informed that senior staff of Dhiraagu have been duly notified of their 'misconfiguration' and hopefully should be working on a fix as we speak..

For the post by Jaaheen please refer to his post here. Thanks again Jaaheen.. for giving us a ring...

In the interest of all parties concerned, including the innocent customers of Dhiraagu, whose private telephone records should of course remain private, we will not be publishing a step-by-step guide on how to grab other customers' details (this is easier than the 5-step ROL free internet).... although we do know this is possible and it works.. the screenshots below show the logs we were provided, less any personally identifiable information, to protect the identity of the customer...

And if we did publish the step-by-step how-to guide before they fix it.... well, it would be immoral... some of us have a bit of morality left in us even if Dhiraagu does not..... and we know that this is not a problem of the customers' making.. and they should be spared any 'inconveniences'...

It is just appalling that such major flaws exist in the system... it would be easier to accept something like this if it took any skill in the dark arts of hacking, programming, and software engineering... but this is something a 15-year-old kid could do... Dhiraagu should be taking more care in setting up services for their customers, and I feel that it is their responsibility to ensure that such records are kept safe... just a few weeks back there was the proxy server issue.. and now this.???.... god knows how many other loopholes are there waiting to be discovered...

Or even worse.. what if some already know of such loopholes and are keeping those facts to themselves? What then? What if some psychotic ex-boy/girlfriend is keeping tabs on you? What if your competitors check up on who your clients are? The possibilities are endless......... Who takes responsibility? Isn't Dhiraagu responsible for the protection of customers' data?.... to put in all reasonable effort to protect their privacy? Doesn't seem like they are doing what they should....

The bills are just from random numbers plucked out of the air.. and have no connection to each other in any way.. please don't ask how to do this.. we don't wanna say.. we want this fixed.. of course.. we'll keep you updated on any issues...

Oh, on a personal note to Dhiraagu... this must be what's called "divine retribution"....

UPDATE 12/12/05: E-bill is back online after being taken down for repair :)


--------------------------------------
Disclaimer: This post is strictly for educational purposes only.. especially Dhiraagu's... the lesson here... take more care in setting up your system, be a little less arrogant, for you are also like the rest of us... imperfect.... the next person to discover your flaws might not be as helpful as Jaaheen, or we have been, in pointing it out and screaming for a fix. The least you could do is send a thank-you note to Jaaheen.. or maybe Jaa too.. while you're at it, for pointing such issues out... not reprimand them for pointing out problems and asking for them to be fixed. Everyone else, don't try this at home, office, or in the loo. Obviously we can't take any responsibility for actions of people we don't know, and puleeease... why should we take responsibility for Dhiraagu's mistakes...? So we don't do that either, plus we don't like responsibility too..... oh.. since this was all created from a dream Jaaheen had.. this might not even be real... there is a spoon? maybe was a spoon? there is no spoon?... whatever... and leave your comment.. we love to read the comments and the last one about ROL internet was just overwhelming :).. thanks for the support!

17 Comments:

At 09 December, 2005, Blogger primary0 said...

now now. the readers want to know how to do it. don't you? so for those of you wanting a little bit more info, this is an issue with the session variables, and you can do it by typing a.. err.. "hackish" url.
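
The comment above describes the flaw only as "an issue with the session variables" reachable through the URL, and the post deliberately publishes no more than that. The following is an added example, not code from the original post or from Dhiraagu's e-bill system, showing the defender's side of that class of bug: a bill lookup that authenticates the session but then serves whichever account number the URL names, beside a hardened version that takes the account from the server-side session and refuses anything else, plus a small check that flags such cross-account requests in an access log. All session tokens, account numbers, bill rows and log lines are constructed here for the example; the URL shape `/ebill?acct=` is an assumption, not the real site's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not real customers): server-side session store
# mapping a session token to the account it was issued for, and bill records.
SESSIONS: Dict[str, str] = {
    "sess-alice": "7771001",
    "sess-bob": "7771002",
}
BILLS: Dict[str, List[Tuple[str, str, str]]] = {
    # account -> [(date, number called, duration)]
    "7771001": [("2005-11-02", "7779999", "00:03:12")],
    "7771002": [("2005-11-05", "7778888", "00:10:45")],
}


class Forbidden(Exception):
    """Raised when a request is refused for authentication/authorization reasons."""


def vulnerable_bill_lookup(session_token: str, requested_account: str):
    """'Before' shape of the bug: checks that *a* session exists, then trusts the
    account number supplied in the URL and never asks whether it belongs to
    that session. Any logged-in user can read any other account's bill."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return BILLS.get(requested_account, [])  # ownership never checked


def hardened_bill_lookup(session_token: str, requested_account: Optional[str] = None):
    """'After' shape: the account is taken from the server-side session. A URL
    parameter, if present at all, may only repeat that same account; anything
    else is refused (and is worth logging, since a logged-in user just asked
    for somebody else's records)."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    if requested_account is not None and requested_account != owner:
        raise Forbidden("account does not belong to this session")
    return BILLS.get(owner, [])


# Constructed access-log format for the detection check below (hypothetical):
# "<session-token> GET /ebill?acct=<account>"
LOG_RE = re.compile(r"^(?P<session>\S+) GET /ebill\?acct=(?P<acct>\d+)$")


def find_cross_account_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection: return (session, owner account, requested account) for every
    log entry where a valid session requested an account other than its own.
    Lines that do not match the expected format, or unknown sessions, are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        owner = SESSIONS.get(m["session"])
        if owner is not None and m["acct"] != owner:
            hits.append((m["session"], owner, m["acct"]))
    return hits


# Constructed sample log: alice views her own bill, then asks for bob's.
SAMPLE_LOG = [
    "sess-alice GET /ebill?acct=7771001",
    "sess-alice GET /ebill?acct=7771002",
    "sess-bob GET /ebill?acct=7771002",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    print("vulnerable, alice asks for bob:", vulnerable_bill_lookup("sess-alice", "7771002"))
    print("hardened, alice:", hardened_bill_lookup("sess-alice"))
    try:
        hardened_bill_lookup("sess-alice", "7771002")
    except Forbidden as exc:
        print("hardened, alice asks for bob:", exc)
    print("cross-account requests in log:", find_cross_account_requests(SAMPLE_LOG))
```

The point of the hardened version is that the identity used for the data lookup is never read from the request; it comes from state the server created at login. The log check is the same comparison applied after the fact, which is how an operator would find out whether the hole was used before it was closed.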

 
At 09 December, 2005, Blogger Daadi said...

'hackish' LOL primary0 that's priceless... but you're right... :) you know what I'm talking about... btw did you know about this before?

 
At 09 December, 2005, Blogger primary0 said...

yes. :)

 
At 09 December, 2005, Blogger Daadi said...

heh..figures... :p

wonder how long they'll take to fix it.. they are probably up and at it this moment...

lets see how this plays out...

 
At 09 December, 2005, Anonymous Anonymous said...

fatty thanks very much for informing us how efficient our main internet service provider is... anyway never trusted and liked their service before and i guess now with the new loops coming out every other day i might never will.. but what to do, there isn't much of a choice... but use dhiraagu dho... you know the saying "life sucks and so does dhi...." with all that they still want us to "KEEP IN TOUCH"... fatty take their advice and keep in touch with their flaws so we know what we are really dealing with cause most of us are not that much computer literate... you're doing a great work and really appreciate what you are doing, the professionalism you are maintaining - udjat

 
At 09 December, 2005, Anonymous Anonymous said...

Does this mean we can SUE DHIRAAGU for carelessly handling our personal information? What legal actions can us the customers take in retaliation against possible losses that we might have had and yet we do not know? Who knows who else knew about this? How do we know if you and me weren't affected by this? WHO WILL PAY FOR THIS?

 
At 09 December, 2005, Anonymous Anonymous said...

i am sure dhiraagu has stuck up a few disclaimers in their terms of use waiving off any responsibility for things like this.

but i'm also confident there are some things that they can't just waive off with a disclaimer. issues like this!

anybody wanna take a legal potshot at dhiraagu?

 
At 10 December, 2005, Blogger asoa said...

This is still working.

 
At 10 December, 2005, Anonymous Anonymous said...

well unlike the ROL free internet thing, these Dhiraagu issues are exposing sensitive customer data, like the proxy bug exposing user activity and this ebill thing exposing customers call records. I wonder why they still have it up there running, they must have shut it down by now. Have they been notified? I think they should check this blog now and then.

Dhiraagu, please be nice and do not come out this time and say that there were no issues. If you do that, next time the people who find out such a thing will not be so nice as to do you favours.

 
At 10 December, 2005, Blogger jaheen said...

well well.. what have we got here? flaw in the Dhiraagu e-bill system? woah! all this must've been created from that imaginative story i wrote.. LOL! :p

Dhiraagu will now, undoubtedly, be on their toes. i bet everyone would concur that this really is a serious issue. as customers, PRIVACY does matter to us!

so dhiraagu, go get this fixed! we want improved services at low prices! we want our privacy! we don't need new music tunes while we wait five minutes for your staff at the 123 helpdesk to answer our calls!!!

cheers! :)

 
At 10 December, 2005, Blogger asoa said...

The ebill site cannot be accessed anymore. Not even to the login page. I guess they brought the site down to fix the problems.

Dhiraagu, what do you have to say about the privacy of the customers whose records are exposed due to this bug?

 
At 10 December, 2005, Anonymous Anonymous said...

this was first discovered a long time ago by chopey ;) ...

Man we miss you on this, stop hacking jabir forums and shed some light in here. :)

 
At 10 December, 2005, Anonymous Anonymous said...

if it was discovered earlier as you say... why wasn't it fixed?

or as usual was dhiraagu hoping that it wouldn't be brought to the spotlight

 
At 10 December, 2005, Anonymous Anonymous said...

nobody bothered to notify them. they pay a shitload of money to foreign consultants and security specialists and all that sort of things. so why should any of us do the "analysis" for them? either way, seems like their money goes down the toilets.

one more thing. this is not the end of it. there are other major holes in their webhosting. i am aware of them. but i don't give a rat's ass.

 
At 10 December, 2005, Anonymous Anonymous said...

not bad guys,
this is getting good. I wonder what the next hack will be?

I think that people should know about these things. Only then will a virtually monopolizing giant like Dhiraagu try to improve their service and pay more attn to customer privacy.

 
At 10 December, 2005, Blogger Daadi said...

Well I'm just wondering if they would acknowledge that they have a flaw... I mean they still have their e-bill system down, and on calls to 123 they still insist that the flaw is not possible, "it is absolutely certain that another person's bill cannot be viewed", and the e-bill system is down for routine maintenance.... what a load of bullshit...

Anonymous is probably right.. maybe we shouldn’t notify Dhiraagu of these type of flaws… they don’t seem to appreciate it, much less even acknowledge their existence…

 
At 11 December, 2005, Anonymous Anonymous said...

As a Dhiraagu customer who frequently uses their e-bill system, I find it extremely annoying that they have taken down this service without even a notice. At the least, they could have put up a damn notice saying they are repairing a technical fault on the e-bill system.

Well, it seems Dhiraagu does not give a damn about what customers think and how taking down their e-bill system without notice will affect the customers’ work.

 
