Full Disclosure mailing list archives
Re: Hindustan Times epaper Server Hacked
From: webDEViL <w3bd3vil () gmail com>
Date: Mon, 10 Aug 2009 22:50:40 +0300
Maa Ki Kirkiri Congrats to Sky for finding "architectural flaws" in a paper which costs Rs 2.50. Wow, thanks! you saved me $1.5 per month. I owe you one! ;) Btw, my local area library will get me HT papers dated before 2004. If you are against HT "looting" people, why the hell ask them to contact you to correct the "flaws"? Hypocrite "I would like to dedicate this hack towards Club Calvin @ http://www.clubcalv.in and all cute kids" Very Pedo...hahaha wD On Sun, Aug 9, 2009 at 8:56 AM, Sky <whitematrix () gmail com> wrote:
Hindustan Times epaper Server Hacked http://sky.net.in/hindustan-times-epaper-server-hacked/ Hindustan Times (HT) is India’s leading newspaper, published since 1924 with roots in the independence movement. In 2008, the newspaper reported that with a (circulation of over 1.14 million) ranking them as the third largest circulatory daily English Newspaper in India. The Mumbai edition was launched on 14 July 2005. HT has a readership of (6.6 million) ranking them as the second most widely read English Newspaper after Times of India. (Source: Wikipedia article on Hindustan Times) - http://en.wikipedia.org/wiki/Hindustan_Times HindustanTimes + Hindustan epaper Server Hacked http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UNhLLVYI/AAAAAAAAASM/JY9bc67HV14/s800/hindustan_times_hacked.jpg Why was Hindustan Times (HT) epaper Server Hacked ? Many people think that Hindustan Times (HT) (English Edition) + Hindustan (Hindi Edition) is available on the internet free of cost, HT Media has made it compulsory to register on their website in order to read the daily online edition of their published newspapers, on completion of registration HT Media provides you instant access to read daily edition, the CATCH is – you can only read the daily edition + past seven days editions (from the current date) as a free user, whileas if you wanna read any edition beyond seven days, you will have to pay a huge (rip off) amount to HT Media (in the name of digital archive subscription) Registration Information Collected by HindustanTimes http://lh6.ggpht.com/_gbWPSul_tCM/Sn5WIrsZxcI/AAAAAAAAASs/Lc6NaQzxEfk/s800/HT_registration.jpg Free HindustanTimes Editions http://lh6.ggpht.com/_gbWPSul_tCM/Sn5UN35Yx5I/AAAAAAAAASU/6THfLaMu00M/s800/HT_free_editions.jpg Restricted Access to HindustanTimes epaper Archives http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UN5umsJI/AAAAAAAAASY/5_SfNzOEm7w/s800/HT_newspaper_subscribe.jpg Archive Subscription Charges for HindustanTimes is a total Rip Off http://lh4.ggpht.com/_gbWPSul_tCM/Sn5ViIwx2aI/AAAAAAAAASo/6TMgKDuc6Vg/s800/HT_archive_charges.jpg As a hacker, i think its not fair (for anyone) to loot common people and sell (publicly gained) information in such a way, so i decided to peek inside the server and find some bugs / architectural flaws which would allow me to access past newspaper (Images / PDF) editions for free Within a couple of hours, i managed to find some bugs / architectural flaws (& vulnerabilities) which gave out free access to the past (Images / PDF) newspaper editions Calvin and Hobbes publishing error I used to search the newspaper (HT hard copy) every morning for technology related news (hoping any Indian journalist must have written some piece) that went on for like weeks and then i started reading Calvin and Hobbes (the comic strip) every day published in HT Cafe On 2nd / 4th / 9th June, Hindustan Times (HT) published the same Calvin and Hobbes strip, how should i react against this publishing error by Hindustan Times, as a fan of Calvin and Hobbes, i expect new comic strip every day Checkout the exact same Calvin and Hobbes strip published thrice on various days in the single month of June (2009) 2nd June http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/02/538/02_06_2009_538_013.jpg 9th June http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/09/538/09_06_2009_538_002.jpg 4th June http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/04/538/04_06_2009_538_006.jpg Informing the privileged authorities On 10th July 2009, i informed the editor and other top most authorities @ HindustanTimes via email regarding the serious bugs / flaws (& vulnerabilities) on their ePaper Server which can be exploited to compromise data and cause financial losses for HT Media My email to HindustanTimes http://lh5.ggpht.com/_gbWPSul_tCM/Sn5WJt3UKGI/AAAAAAAAAS0/KOnhjTtBNnk/s800/my_email_hindustan_times.jpg Rashmi Chugh's reply to me http://lh4.ggpht.com/_gbWPSul_tCM/Sn5W9mSD0pI/AAAAAAAAATI/O5hazb5IIY4/s800/rashmi_livemint_reply.jpg Although i received a reply from Rashmi Chugh (Business Head and Publisher, LIVEMINT) within 3 minutes, i waited for 24 hours to receive other recipients reply (as i wanted to know what they thought about the issue) but sadly no one replied back except Rashmi Chugh, so i sent her a reply the other day My reply to Rashmi Chugh, LIVEMINT http://lh3.ggpht.com/_gbWPSul_tCM/Sn5WNEiwmRI/AAAAAAAAAS8/F4K3XhMWLyc/s800/my_reply_rashmi_chugh.jpg After sending my reply to to Rashmi Chugh, i haven’t received any responses (since 29 days) from any of the authorities / employees working for HindustanTimes I have been using these architectural flaws for sometime to gain access to past editions of newspapers / magazines / supplements published by HT Media, i believe information taken from the people (especially newspapers) should be free and accessible to everyone The bugs / architectural flaws (& vulnerabilities) found by me still exists and works actively when used on the server, this shows that they are not interested (or don’t care) anymore to fix it, which makes me post the full disclosure information on my blog for (free access to previous epaper editions) Follow the below steps to gain free access to past (online) editions without subscribing to the archives * Proceed to the HindustanTimes – ePaper Registration URL @ http://epaper.hindustantimes.com/registernew.aspx * Fill in only the essential fields required (for registration) such as (any) email ID, name, password, address, city, state, zip By default the country (field) option value (txtCntry) is set to Albania, whileas it should be India – at least show some patriotism towards our country * After you complete the registration, you will be presented with Registration Approval without Verification is a Vulnerability in HindustanTimes http://lh6.ggpht.com/_gbWPSul_tCM/Sn5UN8jQlYI/AAAAAAAAASc/boEUb_YSzkg/s800/HT_reg_success.jpg Once the registration process is completed, the email ID (used during registration) will be activated instantly by Pressmart (the automated system used by HT Media) without any welcome / verification email to the inbox, which would allow anyone to use any email ID (during registration) without being detected by the real email ID owner, which in itself poses a security risk (making it a vulnerability) The implementation / usage of verifying the email ID (used during the registration) with a random activation link to the inbox should resolve this issue (which HT Media currently doesn’t) Its possible that such facilities might be already existing within Pressmart (the automated system used by HT Media) and the Webmaster didn’t feel like activating it to save time and increase more registrations on their epaper website in order to retrieve the users information (filled during the registration) for their internal marketing / research purposes or to increase their newspaper ranking * Proceed to the Login Page @ http://epaper.hindustantimes.com/Login.aspx * Enter the email ID and password, select any edition from below and paste the URL into your address bar (to view the past editions in Image / PDF format for free) In the URLs below, after the text (pg2=) first value is the date / second is the month / third is the year / fourth is the page number English Editions – Hindustan Times (PDF Format) * Mumbai Edition http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web/HTMumbai&p2=12_06_2009_001.pdf * Delhi Edition http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web&p2=21_05_2009_001.pdf * Chandigarh Edition http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web/HTPunjab&p2=19_06_2009_001.pdf Hindi Editions – Hindustan (PDF Format) * Delhi Edition http://epaper.hindustandainik.com/PDFHandler.ashx?p1=Web&p2=29_05_2009_001.pdf * Kanpur Edition http://epaper.hindustandainik.com/PDFHandler.ashx?p1=Web/HTKanpur&p2=21_06_2009_001.pdf * Patna Edition http://epaper.hindustandainik.com/PDFHandler.ashx?p1=Web/HTPatna&p2=26_05_2009_001.pdf * Lucknow Edition http://epaper.hindustandainik.com/PDFHandler.ashx?p1=Web/HTLucknow&p2=24_05_2009_001.pdf Hindustan Times (HT) Brunch Magazine (English) (PDF Format) * Mumbai Edition (Published Only On Sundays) http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web/HTMumbai&p2=31_05_2009_321.pdf Hindustan Times (HT) Cafe (English) (PDF Format) * Mumbai Edition (Daily Supplement with HT Mumbai – English Edition) http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web/HTMumbai&p2=26_05_2009_531.pdf Accessing the past ePapers in Image Format If you would like to browse the past newspapers in image edition, then simply change the values according to your choice in the below URL and retrieve it from the server The variable format is / Page / year / month / date / date_month_year_pageno.jpg / Page / year / month / date / date_month_year_pageno_part.jpg Hindustan Times – 31st December 2008 – Main Edition (English) – Mumbai http://epaper.hindustantimes.com/Web/HTMumbai/Page/2008/12/31/31_12_2008_001.jpg HT Cafe (English) – 26th January 2009 – Hindustan Times – Mumbai http://epaper.hindustantimes.com/Web/HTMumbai/Page/2009/01/26/26_01_2009_531.jpg HT Brunch – Magazine (English) – 31st May 2009 – Hindustan Times – Mumbai http://epaper.hindustantimes.com/Web/HTMumbai/Page/2009/05/31/31_05_2009_321.jpg The automated system Hackable Magazine Publishing Software http://lh6.ggpht.com/_gbWPSul_tCM/Sn5W9ujFvkI/AAAAAAAAATE/Xg54_u9W2vQ/s800/pressmart.jpg Hindustan Times epaper webportal is powered by Pressmart, which provides electronic publishing software (& digital publishing solutions) to various newspaper publishers across the world, if i had more time to work then i would have surely dug out more bugs / architectural flaws (& vulnerabilities) within Pressmart softwares but the fact is (i don’t find them interesting enough) Pressmart is a digital publishing service for newspapers, magazines, journals, catalogs and practically any print publication. We help publications deliver their print content on the new media – covering the entire breadth of web, mobile, podcast, RSS, social networking sites and search engines, with integrated revenue and cost-saving capabilities. Beyond delivery, Pressmart help publications monetize their digital edition through subscriptions and advertisements. Our service platform is eCommerce and advertising ready to generate revenue streams instantly. It includes all the components up to the monetization stage after the pre-press pages are prepared. All the publication has to do is supply their pre-press pages and Pressmart takes care of the rest. Source: Pressmart Official Website - http://www.pressmart.com/eedition.html Internet explorer sucks HindustanTimes is coded for Internet Explorer Compatibility which Sucks http://lh5.ggpht.com/_gbWPSul_tCM/Sn5WJHT68wI/AAAAAAAAASw/pvOSLmr6UeQ/s800/internet_explorer_sucks.jpg Hindustan Times website + ePaper portal says (Site best viewed in Microsoft Internet Explorer 5.5+ SP1 in 800×600 & 1024×768 resolution) Click here to download the latest version of internet explorer I would advise Hindustan Times to download / use Firefox and some other open source tools / codings for their website + ePaper portal instead of stuffing it with junk / heavy / unwanted codings, try to keep it clean / clear / simple Internet Explorer Sucks http://lh3.ggpht.com/_gbWPSul_tCM/Sn5dF1sxLtI/AAAAAAAAATs/g93iLoFd-3I/s800/internet_explorer_sucks.jpg Dedications I would like to dedicate this hack towards Club Calvin @ http://www.clubcalv.in and all cute kids I love you Firefox <3 / thank you (Firefox) for being my companion during my pen tests……… I love Mozilla FireFox http://lh3.ggpht.com/_gbWPSul_tCM/Sn5X-A8gyWI/AAAAAAAAATQ/5kI9IeHLexA/s800/i_love_mozilla_firefox.jpg -- Sky http://sky.net.in http://twitter.com/skycu ============================= _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Hindustan Times epaper Server Hacked Sky (Aug 10)
- Re: Hindustan Times epaper Server Hacked T Biehn (Aug 10)
- Re: Hindustan Times epaper Server Hacked Harry Behrens (Aug 11)
- Re: Hindustan Times epaper Server Hacked webDEViL (Aug 10)
- Re: Hindustan Times epaper Server Hacked T Biehn (Aug 10)