While your publications are slightly pretentious (who am I to talk?) I applaud your idealism in an age of rampant cynicism.
Don't log into any US Government systems looking to liberate secret UFO docs tho, that gets you extradited. A small suggestion, do not use a consistent pseudonym, post completely anonymously. It's difficult to keep the ego from making mistakes.

-Travis

On Sun, Aug 9, 2009 at 1:56 AM, Sky<[email protected]> wrote:
> Hindustan Times epaper Server Hacked
> http://sky.net.in/hindustan-times-epaper-server-hacked/
>
> Hindustan Times (HT) is India’s leading newspaper, published since 1924 with
> roots in the independence movement. In 2008, the newspaper reported that
> with a (circulation of over 1.14 million) ranking them as the third largest
> circulatory daily English Newspaper in India. The Mumbai edition was
> launched on 14 July 2005. HT has a readership of (6.6 million) ranking them
> as the second most widely read English Newspaper after Times of India.
> (Source: Wikipedia article on Hindustan Times) -
> http://en.wikipedia.org/wiki/Hindustan_Times
>
> HindustanTimes + Hindustan epaper Server Hacked
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UNhLLVYI/AAAAAAAAASM/JY9bc67HV14/s800/hindustan_times_hacked.jpg
>
> Why was Hindustan Times (HT) epaper Server Hacked?
>
> Many people think that Hindustan Times (HT) (English Edition) + Hindustan
> (Hindi Edition) is available on the internet free of cost, HT Media has made
> it compulsory to register on their website in order to read the daily online
> edition of their published newspapers, on completion of registration HT
> Media provides you instant access to read daily edition, the CATCH is – you
> can only read the daily edition + past seven days editions (from the current
> date) as a free user, whereas if you wanna read any edition beyond seven
> days, you will have to pay a huge (rip off) amount to HT Media (in the name
> of digital archive subscription)
>
> Registration Information Collected by HindustanTimes
> http://lh6.ggpht.com/_gbWPSul_tCM/Sn5WIrsZxcI/AAAAAAAAASs/Lc6NaQzxEfk/s800/HT_registration.jpg
>
> Free HindustanTimes Editions
> http://lh6.ggpht.com/_gbWPSul_tCM/Sn5UN35Yx5I/AAAAAAAAASU/6THfLaMu00M/s800/HT_free_editions.jpg
>
> Restricted Access to HindustanTimes epaper Archives
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UN5umsJI/AAAAAAAAASY/5_SfNzOEm7w/s800/HT_newspaper_subscribe.jpg
>
> Archive Subscription Charges for HindustanTimes is a total Rip Off
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5ViIwx2aI/AAAAAAAAASo/6TMgKDuc6Vg/s800/HT_archive_charges.jpg
>
> As a hacker, I think it's not fair (for anyone) to loot common people and
> sell (publicly gained) information in such a way, so I decided to peek
> inside the server and find some bugs / architectural flaws which would allow
> me to access past newspaper (Images / PDF) editions for free
>
> Within a couple of hours, I managed to find some bugs / architectural flaws
> (& vulnerabilities) which gave out free access to the past (Images / PDF)
> newspaper editions
>
> Calvin and Hobbes publishing error
>
> I used to search the newspaper (HT hard copy) every morning for technology
> related news (hoping any Indian journalist must have written some piece)
> that went on for like weeks and then I started reading
> Calvin and Hobbes (the comic strip) every day published in HT Cafe
>
> On 2nd / 4th / 9th June, Hindustan Times (HT) published the same Calvin and
> Hobbes strip, how should I react against this publishing error by Hindustan
> Times, as a fan of Calvin and Hobbes, I expect new comic strip every day
>
> Check out the exact same Calvin and Hobbes strip published thrice on various
> days in the single month of June (2009)
>
> 2nd June
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/02/538/02_06_2009_538_013.jpg
>
> 9th June
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/09/538/09_06_2009_538_002.jpg
>
> 4th June
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/04/538/04_06_2009_538_006.jpg
>
> Informing the privileged authorities
>
> On 10th July 2009, I informed the editor and other top most authorities @
> HindustanTimes via email regarding the serious bugs / flaws (&
> vulnerabilities) on their ePaper Server which can be exploited to compromise
> data and cause financial losses for HT Media
>
> My email to HindustanTimes
> http://lh5.ggpht.com/_gbWPSul_tCM/Sn5WJt3UKGI/AAAAAAAAAS0/KOnhjTtBNnk/s800/my_email_hindustan_times.jpg
>
> Rashmi Chugh's reply to me
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5W9mSD0pI/AAAAAAAAATI/O5hazb5IIY4/s800/rashmi_livemint_reply.jpg
>
> Although I received a reply from Rashmi Chugh (Business Head and Publisher,
> LIVEMINT) within 3 minutes, I waited for 24 hours to receive other
> recipients reply (as I wanted to know what they thought about the issue) but
> sadly no one replied back except Rashmi Chugh, so I sent her a reply the
> other day
>
> My reply to Rashmi Chugh, LIVEMINT
> http://lh3.ggpht.com/_gbWPSul_tCM/Sn5WNEiwmRI/AAAAAAAAAS8/F4K3XhMWLyc/s800/my_reply_rashmi_chugh.jpg
>
> After sending my reply to Rashmi Chugh, I haven’t received any responses
> (since 29 days) from any of the authorities / employees working for
> HindustanTimes
>
> I have been using these architectural
> flaws for some time to gain access to
> past editions of newspapers / magazines / supplements published by HT Media,
> I believe information taken from the people (especially newspapers) should
> be free and accessible to everyone
>
> The bugs / architectural flaws (& vulnerabilities) found by me still exist
> and work actively when used on the server, this shows that they are not
> interested (or don’t care) anymore to fix it, which makes me post the full
> disclosure information on my blog for (free access to previous epaper
> editions)
>
> Follow the below steps to gain free access to past (online) editions without
> subscribing to the archives
>
> * Proceed to the HindustanTimes – ePaper Registration URL @
> http://epaper.hindustantimes.com/registernew.aspx
>
> * Fill in only the essential fields required (for registration) such as
> (any) email ID, name, password, address, city, state, zip
>
> By default the country (field) option value (txtCntry) is set to
> Albania, whereas it should be India – at least show some patriotism towards
> our country
>
> * After you complete the registration, you will be presented with
>
> Registration Approval without Verification is a Vulnerability in
> HindustanTimes
>
> http://lh6.ggpht.com/_gbWPSul_tCM/Sn5UN8jQlYI/AAAAAAAAASc/boEUb_YSzkg/s800/HT_reg_success.jpg
>
> Once the registration process is completed, the email ID (used during
> registration) will be activated instantly by Pressmart (the automated system
> used by HT Media) without any welcome / verification email to the inbox,
> which would allow anyone to use any email ID (during registration) without
> being detected by the real email ID owner, which in itself poses a security
> risk (making it a vulnerability)
>
> The implementation / usage of verifying the email ID (used during the
> registration) with a random activation link to the inbox should resolve this
> issue (which HT Media currently doesn’t)
>
> It's possible that such facilities might be already
> existing within
> Pressmart (the automated system used by HT Media) and the Webmaster didn’t
> feel like activating it to save time and increase more registrations on
> their epaper website in order to retrieve the users information (filled
> during the registration) for their internal marketing / research purposes or
> to increase their newspaper ranking
>
> * Proceed to the Login Page @
> http://epaper.hindustantimes.com/Login.aspx
>
> * Enter the email ID and password, select any edition from below and
> paste the URL into your address bar (to view the past editions in Image /
> PDF format for free)
>
> In the URLs below, after the text (pg2=) first value is the date /
> second is the month / third is the year / fourth is the page number
>
> English Editions – Hindustan Times (PDF Format)
>
> * Mumbai Edition
>
> http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web/HTMumbai&p2=12_06_2009_001.pdf
>
> * Delhi Edition
>
> http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web&p2=21_05_2009_001.pdf
>
> * Chandigarh Edition
>
> http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web/HTPunjab&p2=19_06_2009_001.pdf
>
> Hindi Editions – Hindustan (PDF Format)
>
> * Delhi Edition
>
> http://epaper.hindustandainik.com/PDFHandler.ashx?p1=Web&p2=29_05_2009_001.pdf
>
> * Kanpur Edition
>
> http://epaper.hindustandainik.com/PDFHandler.ashx?p1=Web/HTKanpur&p2=21_06_2009_001.pdf
>
> * Patna Edition
>
> http://epaper.hindustandainik.com/PDFHandler.ashx?p1=Web/HTPatna&p2=26_05_2009_001.pdf
>
> * Lucknow Edition
>
> http://epaper.hindustandainik.com/PDFHandler.ashx?p1=Web/HTLucknow&p2=24_05_2009_001.pdf
>
> Hindustan Times (HT) Brunch Magazine (English) (PDF Format)
>
> * Mumbai Edition (Published Only On Sundays)
>
> http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web/HTMumbai&p2=31_05_2009_321.pdf
>
> Hindustan Times (HT) Cafe (English) (PDF Format)
>
> * Mumbai Edition (Daily Supplement with HT Mumbai – English Edition)
>
> http://epaper.hindustantimes.com/PDFHandler.ashx?p1=Web/HTMumbai&p2=26_05_2009_531.pdf
>
> Accessing the past ePapers in Image Format
>
> If you would like to browse the past newspapers in image edition, then
> simply change the values according to your choice in the below URL and
> retrieve it from the server
>
> The variable format is
>
> / Page / year / month / date / date_month_year_pageno.jpg
>
> / Page / year / month / date / date_month_year_pageno_part.jpg
>
> Hindustan Times – 31st December 2008 – Main Edition (English) – Mumbai
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Page/2008/12/31/31_12_2008_001.jpg
>
> HT Cafe (English) – 26th January 2009 – Hindustan Times – Mumbai
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Page/2009/01/26/26_01_2009_531.jpg
>
> HT Brunch – Magazine (English) – 31st May 2009 – Hindustan Times –
> Mumbai
>
> http://epaper.hindustantimes.com/Web/HTMumbai/Page/2009/05/31/31_05_2009_321.jpg
>
> The automated system
>
> Hackable Magazine Publishing Software
> http://lh6.ggpht.com/_gbWPSul_tCM/Sn5W9ujFvkI/AAAAAAAAATE/Xg54_u9W2vQ/s800/pressmart.jpg
>
> Hindustan Times epaper webportal is powered by Pressmart, which provides
> electronic publishing software (& digital publishing solutions) to various
> newspaper publishers across the world, if I had more time to work then I
> would have surely dug out more bugs / architectural flaws (&
> vulnerabilities) within Pressmart softwares but the fact is (I don’t find
> them interesting enough)
>
> Pressmart is a digital publishing service for newspapers, magazines,
> journals, catalogs and practically any print publication. We help
> publications deliver their print content on the new media – covering the
> entire breadth of web, mobile, podcast, RSS, social networking sites and
> search engines, with integrated revenue and cost-saving capabilities.
>
> Beyond delivery, Pressmart help publications monetize their digital
> edition through subscriptions and advertisements.
> Our service platform is
> eCommerce and advertising ready to generate revenue streams instantly. It
> includes all the components up to the monetization stage after the pre-press
> pages are prepared. All the publication has to do is supply their pre-press
> pages and Pressmart takes care of the rest.
>
> Source: Pressmart Official Website -
> http://www.pressmart.com/eedition.html
>
> Internet explorer sucks
>
> HindustanTimes is coded for Internet Explorer Compatibility which Sucks
> http://lh5.ggpht.com/_gbWPSul_tCM/Sn5WJHT68wI/AAAAAAAAASw/pvOSLmr6UeQ/s800/internet_explorer_sucks.jpg
>
> Hindustan Times website + ePaper portal says
>
> (Site best viewed in Microsoft Internet Explorer 5.5+ SP1 in 800×600 &
> 1024×768 resolution)
> Click here to download the latest version of internet explorer
>
> I would advise Hindustan Times to download / use Firefox and some other open
> source tools / codings for their website + ePaper portal instead of stuffing
> it with junk / heavy / unwanted codings, try to keep it clean / clear /
> simple
>
> Internet Explorer Sucks
> http://lh3.ggpht.com/_gbWPSul_tCM/Sn5dF1sxLtI/AAAAAAAAATs/g93iLoFd-3I/s800/internet_explorer_sucks.jpg
>
> Dedications
>
> I would like to dedicate this hack towards Club Calvin @
> http://www.clubcalv.in and all cute kids
>
> I love you Firefox <3 / thank you (Firefox) for being my companion during my
> pen tests………
>
> I love Mozilla FireFox
> http://lh3.ggpht.com/_gbWPSul_tCM/Sn5X-A8gyWI/AAAAAAAAATQ/5kI9IeHLexA/s800/i_love_mozilla_firefox.jpg
>
> --
> Sky
> http://sky.net.in
> http://twitter.com/skycu
> =============================
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
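
According to the quoted post, any logged-in account can fetch archive PDFs because the date in the request is not checked against what the account may read. As an added example (not code from the post, HT Media or Pressmart), this Python sketch shows the server-side entitlement check such a download handler needs; the `EDITIONS` allow-list, the `user` dictionary and the status codes are assumptions.

```python
import re
from datetime import date, timedelta

# Policy as described in the post: free accounts may read the current
# edition plus the past seven days; older editions need a subscription.
FREE_WINDOW = timedelta(days=7)

# Hypothetical allow-list of edition folders; anything else is rejected
# instead of being joined onto a filesystem path.
EDITIONS = {"Web", "Web/HTMumbai", "Web/HTPunjab"}

# File names follow the layout described in the post: DD_MM_YYYY_PPP.pdf
NAME_RE = re.compile(r"([0-9]{2})_([0-9]{2})_([0-9]{4})_([0-9]{3})\.pdf")


def authorize(p1, p2, user, today):
    """Return (http_status, reason) for a PDF request; serve only on 200."""
    if user is None:
        return 401, "login required"
    if p1 not in EDITIONS:
        return 400, "unknown edition"
    m = NAME_RE.fullmatch(p2)
    if m is None:
        return 400, "malformed file name"
    day, month, year, _page = (int(g) for g in m.groups())
    try:
        edition_date = date(year, month, day)
    except ValueError:
        return 400, "invalid date"
    if edition_date > today:
        return 404, "not published"
    if today - edition_date <= FREE_WINDOW:
        return 200, "inside free window"
    if user.get("archive_subscriber"):
        return 200, "archive subscription"
    return 403, "archive subscription required"


if __name__ == "__main__":
    today = date(2009, 8, 9)  # constructed "current" date for the demo
    free = {"email": "reader@example.test", "archive_subscriber": False}
    for name in ("05_08_2009_001.pdf", "12_06_2009_001.pdf"):
        print(name, authorize("Web/HTMumbai", name, free, today))
```

The image paths listed in the post look like plain static files, so a check like this only helps if those files are also served through an authorizing handler rather than directly by the web server.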
