StaySafe COVID19 Tracker hacked, Admin access obtained with all user data

Kolama

Well-known member
  • Sep 11, 2008
    19,448
    23,692
    113
    On the Limpopo hill
    Don't post things here that can compromise national security
    Don't be a d*CK and play games with your country
    Let me report these users to 👮 Cops
    Enjoy!!!!



    asiridol

    Active member
  • Dec 29, 2006
    756
    234
    43
    Still on earth
    True.

    Some of the provisions included in GDPR:

    This applies to any company or institute, whether government or private, that collects/uses/shares your personal data.


    1. Data breach notification: any organization that suffers a data breach should notify the authorities within 72 hours.

    In simple terms, a data breach is unauthorized access to your sensitive data (credit card numbers, mobile numbers, locations) by penetrating the organization's security controls.

    2. Create a centralized data protection authority (in Sri Lanka we don't have such a thing).

    3. Individuals can access their own data.

    4. Individuals have the ability to transfer their personal information between service providers.

    5. Right to be forgotten: people can have their own data deleted if it is no longer needed.

    Simply put, security of user data is not a nice-to-have feature. If you don't prioritise security you'll have to pay for it sooner or later, simple as that. And for the cry babies, remember that even you found out about this because of this thread. If no one had talked about this and the data had ended up in the wrong hands, then whose fault is that? Say you notified the relevant authorities; there's still a big chance that no one would act on it. Public shaming and raising user awareness is worth more.

    Anonymous_Abstract

    Well-known member
  • Aug 7, 2018
    6,036
    4,566
    113
    Messier 87
    > It's for a customer, man. This is a somewhat big thing.
    >
    > 1. The customer registers with a paid subscription.
    > 2. The guy gets a mobile app.
    > 3. The guy uses the app to add product items (via methods like barcode scanning).
    > 4. Then those go into the guy's inventory.
    > 5. If five people add the same item details it's auto-approved and the product goes into the product database; that's how the DB grows.
    >
    > 6. Admin login is a normal login. User login is OAuth.
    >
    > The admin case and the app case are all done. What's left now is the part where the user manages the inventory from the web.
    >
    > The problem is fetching these products' data from the API. We can't put a caching system on it because real-time data is needed. Whatever we do, the data has to come from the API to be shown in the list.
    >
    > Megabytes of data go out because the product images load from the 3rd-party site (the API owner); that's not a problem, for those Europe guys data size isn't an issue.
    >
    > I want a better method than this damned API.
    >
    > Suppose there are 100 products in a list. How do you make API calls to get the live bid for all 100 of them? That's the question :)
    Why not set a key expiration on the cache so it refreshes? Btw, what OAuth flow did you use?

    Otherwise, why not call a bulk API, store the result in the cache, and build it so you check there first?

    හෙළයෙක්

    Well-known member
  • Apr 26, 2014
    48,722
    98,761
    113
    > Explain a bit, man.
    The way I understood your requirement, you need to give your clients data from 3rd-party API calls.

    Then you need to send those details to your clients over a websocket. You can easily do that with https://socket.io/. That way only one client is making the 3rd-party API calls, and the rest of the data gets emitted through it.

    Mr.Thor

    Well-known member
  • Sep 26, 2011
    5,376
    3,764
    113
    Colombo
    > (quoting the same post as above)
    Where is it hosted, AWS? You can set up caching, with pub/sub messaging to expire it. Like I said before, you can't give solutions without looking at the whole deployment architecture :)

    Normal SLAs:
    API 300ms
    web page 3 seconds.

    What's the TPS?
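    As an added example (not code from this thread or from the application the quoted poster is building), the cache-aside approach the two replies above suggest: a TTL cache in front of the bids API, one bulk upstream call for whatever is missing or expired, and an invalidate hook for a pub/sub expiry message. The upstream endpoint, the bid record shape, the 300-unit TTL and the fake clock are assumptions for illustration; the upstream itself is a constructed fake that counts calls, so the block runs offline.

```javascript
// Added example, not the original poster's code. Cache-aside with per-key TTL
// and a single bulk fetch for misses. The upstream API, its bid format and the
// TTL value are assumptions for illustration.

class TtlCache {
  // `now` is injectable so the demo can advance time deterministically.
  constructor(ttlMs, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.entries = new Map(); // key -> { value, expiresAt }
  }
  get(key) {
    const e = this.entries.get(key);
    if (!e) return undefined;
    if (e.expiresAt <= this.now()) { // lazy expiry on read
      this.entries.delete(key);
      return undefined;
    }
    return e.value;
  }
  set(key, value) {
    this.entries.set(key, { value, expiresAt: this.now() + this.ttlMs });
  }
  // Hook for an explicit expiry message (e.g. a pub/sub "bid changed" event).
  invalidate(key) { this.entries.delete(key); }
}

// Returns a Map id -> bid for every product id, calling upstream at most once
// per invocation, and only for ids not served from the cache.
function getLiveBids(productIds, cache, fetchBulk) {
  const result = new Map();
  const missing = [];
  for (const id of productIds) {
    const hit = cache.get(id);
    if (hit !== undefined) result.set(id, hit);
    else missing.push(id);
  }
  if (missing.length > 0) {
    const fresh = fetchBulk(missing); // e.g. GET /bids?ids=1,2,3 (assumed endpoint)
    for (const id of missing) {
      if (fresh.has(id)) {
        cache.set(id, fresh.get(id));
        result.set(id, fresh.get(id));
      }
    }
  }
  return result;
}

// Constructed fake upstream: records how often and for how many ids it is hit.
function makeFakeUpstream() {
  const state = { calls: 0, batchSizes: [] };
  const fetchBulk = (ids) => {
    state.calls += 1;
    state.batchSizes.push(ids.length);
    return new Map(ids.map((id) => [id, { bid: 100 + id }])); // constructed bids
  };
  return { state, fetchBulk };
}

// Scenario from the quoted post: a list of 100 products, loaded twice inside the
// TTL and once after it has elapsed.
function demo() {
  let clock = 0;
  const cache = new TtlCache(300, () => clock);
  const { state, fetchBulk } = makeFakeUpstream();
  const ids = Array.from({ length: 100 }, (_, i) => i + 1);
  const first = getLiveBids(ids, cache, fetchBulk);   // one upstream call, 100 ids
  const second = getLiveBids(ids, cache, fetchBulk);  // fully served from cache
  clock = 301;                                        // TTL has elapsed
  const third = getLiveBids(ids.slice(0, 10), cache, fetchBulk); // one call, 10 ids
  return { calls: state.calls, batchSizes: state.batchSizes, first, second, third };
}
```

    The point of the bulk path is that a page of 100 products costs one upstream request per TTL window instead of 100, and the TTL (or an explicit invalidate driven by a pub/sub message, as the reply above suggests) bounds how stale a bid can be.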

    Pinkbc

    Well-known member
  • Nov 14, 2017
    1,072
    960
    113
    > (quoting asiridol's post above)

    User awareness is just one part of any security governance process.


    Public shaming (reporting incidents to the public) is also just one step in the incident management process (another security process).


    But it is still imperative to notify data breaches to the relevant authorities, because these agencies may be able to assist in the investigation (finding the root cause), and lessons learnt from the incident may help them prevent future attacks against other organizations.

    In the USA the FBI will assist you.

    In most developed countries, such as the USA, organizations have a legal requirement to report data breach incidents.

    EON

    Well-known member
  • Nov 4, 2012
    3,194
    2,814
    113
    Well said, what GDPR for these guys :) Man, over the past while, the people at companies with a European customer base know how much of a hassle it was to get GDPR in place :P What I say is this is a big failure; the people who implemented it absolutely have to give a statement about this. If they can't pay for a security scan, at least run OWASP ZAP for free; at the very least they could search the things that show up in the report and learn something.

    Our words are wasted, man. Lots of people think you only need to talk about security if data leaks, and if nobody notices, it's perfectly safe.. If a country's president's website gets hacked, if a database with user info like this in a country gets hacked this easily, if ISPs selling our details to third parties happens out in the open, and if there are types who think data security isn't much of a problem because there's no law here, then there's truly no point in talking about these things. Wasted effort.

    Besides, when an incident like this happens, don't the people who are going to lead IT in Sri Lanka know the responsibility to make a public announcement and inform people? Right now I'm reminded of how SLT messed up. While they were boasting "we contained it", the ransom had gone up to the point where the stuff was about to be toast. Putting out false information is itself a wrong. If there was an attack, you have to tell the truth.

    I voted for Gota too. But that doesn't mean I'm crazy enough to kiss his ass. Because the man himself made a big deal of saying he knows IT. Besides, didn't the guy say he did some job like that in the USA too? If he knows that much, shouldn't the man have the backbone to warn those people when it goes wrong like this? Not hide under the skirt.

    No point talking, man. On the other hand, it's a good thing there's nothing like GDPR here. If there were, half the companies would have shut down from the lawsuits alone :lol:

    nkt

    Well-known member
  • Aug 11, 2015
    4,286
    4,129
    113
    > (quoting EON's post above)
    True, man, if we go around saying these things, in the end we're the ones made out to be the guilty party and labeled as idiots too :lol: :lol:

    Metal boy

    Well-known member
  • Apr 27, 2016
    1,051
    738
    113
    West නා හිර
    > A kid built this..
    >
    > https://staysafe.gov.lk/admin
    >
    > When you hit that it goes to the admin URL... what's there is a password-key-based form.. there's no secure login.. when you view source you can see the JavaScript code that creates an admin.. create an admin with that, set the storage in the browser, and you can get into admin..
    >
    > Now what they've done is change the folder name "admin" in https://staysafe.gov.lk/admin.. once you find the new folder name, it's the same again..
    >
    > It's the new trend to do everything in JavaScript.. poor guys.... if that had been done with something like PHP, you couldn't log in to the admin like that..
    Thank you for the explanation

    හෙළයෙක්

    Well-known member
  • Apr 26, 2014
    48,722
    98,761
    113
    Then the problem went to Parliament.

    The article that now 404s is on the Wayback Machine.

    Mal Baba

    Well-known member
  • Apr 26, 2009
    106,270
    5,599
    113
    Blob Storage
    www.37innovate.com
    > (quoting the same post as above)
    Oh no.