Indiatimes.com Shopping remains Vulnerable!!

Leave a Reply

Comment as a guest.

  1. Thanks for linking me πŸ˜‰

    There is one major bug in one goverment site also but they too never cared to patch it…

    it allows you to read boot.ini and other various system files..

    Deep

  2. There is one major bug in one goverment site also but they too never cared to patch itÒ€¦

    it allows you to read boot.ini and other various system files..

    Uhh, lets keep it under-wraps then, we don’t want the law on us, eh!! πŸ˜‰

  3. Did you try reporting them?
    Indiatimes mail was vulnerable to SQL injection a year ago. I worked with them and they fixed it although they didnt give any credits to me. And they were quite naive in handling security related issues. I had a bad time arguing and convincing them I am not culprit.
    There was a XSS bug in indiatimes email system that was quite fatal.. See http://www.google.com/search?hl=en&q=sandeep+giri+indiatimes&btnG=Google+Search
    I reported it to them but they didnt pay heed to it. Then I was forced to post on securityfocus.
    So, instead of posting on your blog, you ought to post on securityfocus or any other popular bugtraqs first. If these bugtraqs dont accept the post ( Nowadays they dont publish the bugs in a website.) then you can publish it anywhere.

    Anyway, thanks Amit for the post.

    -A0

  4. Alpha0, I didn’t report it to Indiatimes, don’t have time to waste with them, but Deep who discovered it, reported it & they didn’t pay any attention to it. So I just posted it here & if you should know, this blog is a bit popular & has a bit decent search rankings & this post comes up at #3 in Google if you search for Indiatimes Shopping. That’s the reason they got in touch with me!! I explained the bug & how it can be exploited to them. Their guy said that its not their fault as this shopping portal is done by a 3rd party!! πŸ˜‰ And even after I explained a lot about the bug to him, he said to complile all details & then mail him. I said to hell with it, its not my problem & I don’t have time to give out free consultancy services!! Let the people discover the problem & then they’ll shun away from Indiatimes shopping.

    I worked with them and they fixed it although they didnt give any credits to me.

    what were they supposed to do? Put a link to you at the bottom of the Indiatimes Email pages stating that you’ve helped them iron out a bug? πŸ˜‰ Well, frankly, I’m not surprised, companies like these, first they are morons & then they can’t afford to say to people that their applications had security bugs which were discovered by other people & not their testers!! What amazes me is that how so moronic people find job at Indiatimes or get a contract(if the applications of Indiatimes are done by 3rd parties). I guess you get what you pay for, so the cheapstakes like Indiatimes pay a lot less & thus they suck!!!!

  5. Man,
    These guys are jerks and claim to be certified by some APIC
    They seriously deserve one tight slap..

  6. while ordering at indiatimes shopping..on last and final page when i clicked Submit..it just returned me an error..and to top it my credit card was charged..

    don’t they have transaction setup that if order no. is not generated credit card transaction should roll back !!

    well anyway..foolishly enought i tried 4 times..and indiatimes now owes me Rs. 714 x 4 = 2856..tried contacting their custiomer service by link on their homepage which sends out an email…never got a response..

    does anybody have their phone nos..so i can blast these unprofessional..dumb..idiot..morons

  7. I don’t know why are you fussing about the charge!! If you paid by Credit Card, then simply go to your bank & do a chargeback on them which will return your money back to you. As simple as that!!

  8. Anyway, I dont really trust these indiatimes like sites.
    A few days back the prasadz.com was vulnerable and I reported them and they didnt respond.
    A few after I demoed it in a public workshop, the prasadz.com down for a few hours (or a day) with a message “site has been hacked.”.
    So, before doing any e-transaction I make sure the website is worth it.

    “Fighting tells you how genuine a person is.” –Alpha0

    Anyways, I love reading your blog.

    <– Author Snip: No link promotion allowed –>

Sliding Sidebar