11 tweets, 4 min read
This is not a password. It is an encryption key. "oldPassword" is a JavaScript variable whose value comes from the user form and is encrypted with the key 123456789.

Effectively you can't do anything by knowing this unless you are a superstar hacker with a lot of luck.
CryptoJS is a JS library used to encrypt the data, which is just an extra layer of security.
npmjs.com/package/crypto…
@Memeghnad and @zoo_bear take a note.
@fs0c131y Now tell us from where you took this screenshot. As per your tweet, this screenshot was taken from home.js (bjp.org/static/js/home…).
But nothing like that is there in the js file.
Did BJP update their website within a day, or did you fake the screenshot? Hope you will answer.
1/n: Let's analyse the first screenshot. It is the code of the change-password method, which takes the password from the user form, encrypts it and sends it to the server, where it is decrypted again. Now let's see what you can do if you have the encryption key.
When a user submits the change-password form, this encrypted JSON data will be sent to the server. Now someone can intercept that data on its way to the server, which can be done with tools like @WiresharkNews. But for that you will have to be on the same network used by the user.
This means you can't do anything with users who are not on your network. You could probably try this with a colleague working in the same office and connected to the same network, or maybe on a college LAN, etc.
Once you have intercepted the data using such tools, can you use the encryption key, which is 123456789, to know what password the user has set, @fs0c131y? The answer is no, because the BJP website is on HTTPS and you would have to crack the SSL encryption to get the string
which you would then decrypt to get the new password set by the user. Good luck with that, @fs0c131y.
Now, tell the world what vulnerability it was and how it can be misused by a hacker?
Now let's analyse the second screenshot, which is the method to resend the OTP.
This is a serious error by the developer, since it is getting variables from local storage. But again, to exploit that you need to either get physical access to the device or remotely hijack the browser.
Good luck with that, but before hijacking the browser remotely you need to find out who is using BJP's website. Or maybe try hijacking the browsers of all the BJP supporters and, by chance, you will be able to find out a few passwords.