The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners.
Check for yourself here (requires Tor). It's under heavy load and timing out, so you may need to come back later.
Twitter has flagged the .onion URL as malicious, so it can no longer be shared. Boo, Twitter!

How does one determine this data is from Mobikwik? There are three indicators to work with. 👇
1. The join date in the dump matches an email receipt.
2. Dump has my contacts but not my name, matching website records.
3. The dump has a bcrypt password hash. I have a saved password for the website. However, in this case the hash does NOT match, adding some uncertainty. It is possible they are hashing it differently from what I'm doing in this screenshot. There is no way to reverse the hash.
A password hash match would have made this irrefutable evidence as the password isn't reused. Sans that, at this point the evidence is merely compelling.
If you had the Mobikwik app installed, the dump has a bit more data: a list of all apps on your phone, and your GPS coordinates. This is from a friend's dump, shared with permission (location redacted).
Shameless company, bringing disrepute to the compliance standards they claim to adhere to. Who are you fooling? blog.mobikwik.com/message-from-t…
The claim of a functioning bug bounty program, contrasted with the experience of the researcher who reported this breach.
What is this, MobiKwik? One story to the world, another to your suppliers? techcrunch.com/2021/03/30/mob…
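Added example, not code from the thread or from MobiKwik: a parser for the bcrypt modular-crypt format, the sanity check a defender runs on a leaked hash field before deciding whether it could be compared against a saved password at all (version, cost factor, salt and digest lengths). Actually comparing the password requires a bcrypt implementation, which this block deliberately does not include; the hash string below is constructed for the demonstration, not taken from the dump.

```python
import re

# bcrypt uses its own base64 alphabet (not RFC 4648) and no padding.
_BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Modular-crypt format: $<version>$<cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def _bcrypt_b64decode(s: str) -> bytes:
    """Decode bcrypt's base64 variant; trailing bits that don't fill a byte are dropped."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in s:
        bits = (bits << 6) | _BCRYPT_ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def parse_bcrypt_hash(value: str) -> dict:
    """Split a bcrypt hash string into its fields, or raise ValueError if it is not one."""
    m = _BCRYPT_RE.match(value)
    if not m:
        raise ValueError("not a bcrypt hash in modular crypt format")
    version, cost, salt_b64, digest_b64 = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return {
        "version": version,
        "cost": cost,                             # work factor: 2**cost rounds
        "salt": _bcrypt_b64decode(salt_b64),      # 16 bytes
        "digest": _bcrypt_b64decode(digest_b64),  # 23 bytes
    }


def is_bcrypt_hash(value: str) -> bool:
    try:
        parse_bcrypt_hash(value)
        return True
    except ValueError:
        return False


# Constructed sample value for demonstration only; not a hash from the dump.
SAMPLE_HASH = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde"

if __name__ == "__main__":
    fields = parse_bcrypt_hash(SAMPLE_HASH)
    print(f"version={fields['version']} cost={fields['cost']} "
          f"salt={fields['salt'].hex()} digest={fields['digest'].hex()}")
```

A field that fails this check (a different `$` prefix, wrong lengths, an out-of-range cost) was not produced by bcrypt as the dump claims, which is exactly the "hashing it differently" possibility the thread raises.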
