1/ Go through this tweets thread👇(especially don’t miss 11/ in this thread) to understand how persons like @fs0c131y are running #propaganda against our govt apps.
It will explain how for famous govt apps claims of #hacking or security issues are made while hiding the #reality
It will explain how for famous govt apps claims of #hacking or security issues are made while hiding the #reality
2/ First thing is you have to look like a pro hacker like those you see in movies or web series
—> yes you thought it right! You can even use name of a famous fictional character from web series or movies say #ElliotAlderson in #MrRobot web series. How cool that is! Isn’t it?🤔
—> yes you thought it right! You can even use name of a famous fictional character from web series or movies say #ElliotAlderson in #MrRobot web series. How cool that is! Isn’t it?🤔
3/ To look more cool 😎 hacker
—> You need some fancy terminal and fancy font. Powerline font and Oh-my-zsh with the Agnoster theme would be cool.
—> use curl for making requests to app server (you can even avoid posting the response in case you did not get desired response 😂)
—> You need some fancy terminal and fancy font. Powerline font and Oh-my-zsh with the Agnoster theme would be cool.
—> use curl for making requests to app server (you can even avoid posting the response in case you did not get desired response 😂)
4/ Now let’s misguide the non-tech persons.
—> intercept the traffic of the application and point to anything that public will misinterpret. Say if you find some client side encryption (though that should be visible to the client) still point it (but don’t explain it to readers)
—> intercept the traffic of the application and point to anything that public will misinterpret. Say if you find some client side encryption (though that should be visible to the client) still point it (but don’t explain it to readers)
5/ —> don’t forget to block anyone pointing it out that the said encryption was client sided. That will ruin the hype.
—> if you fetch the local JWT tokens of the LOGGED IN user (or other local data of app) post that with claims of critical security breach (don’t tell its LOCAL)
—> if you fetch the local JWT tokens of the LOGGED IN user (or other local data of app) post that with claims of critical security breach (don’t tell its LOCAL)
6/ —> if you are bypassing some client-end validation by using some external tool or say by connecting the app to a medium or setup specially created for exploitation don’t tell readers that this bypass needs UNRESTRICTED access to the device of user and is limited to this user.
7/ —> don’t let the readers realise that in real world if some hacker gets unrestricted access to your device (where your are logged in the app) he can install spywares, keyloggers etc, can do things that are far more critical (but won’t go for such things with so less impact).
8/ —> if you find file access enabled in webview just don’t tell to the readers that the capabilities of the app (with no permissions to access external storage files) to access files is limited to it’s own private directory (and the same applies to webview here). #AarogyaSetu
9/ —> if you find there is no SSL say even in the FAQ page of the app point it out in hype of MITM attacks and privacy breach (don’t tell the readers that the Q&A on that page are all public for everyone and they don’t have any sensitive information there that one should bother).
10/ —> you can also manipulate some of the claims. Say you can call a data you fetched for 5km as a data fetched for 100km. Most people won’t bother to read the request and response you posted as most don’t bother to understand the code part. They will just accept what you wrote.
11/ —> now as none of the claims you made involves some data breach of users of app you can now move to third party websites or in the public domain which has data related to or of the app you made your claims against. Now many will think this got leaked via those claimed hacks.
12/ —> The mainstream media, the haters of govt, the IT cells of opposition all will work now and a panic will be created. After blocking all those who tried to expose your claims or raised technical queries you are left with govt haters or those who are non-technical persons.
13/ If someone wants to go in technical details of all that is said above and especially wants to understand how lame his claims were against #AarogyaSetuApp and #maadhaar must through this (it exposes every claim he made): #propagandist #ElliotAlderson
