latest articles

Clarification about the hack on Oxigen Wallet

We have a clarification about a post published some time ago about the Oxigen website hack.

We want to clarify that the wallet is safe.
We are Oxigen Wallet users ourselves. We have just come to know that it was only a web page attack and that it is not related to Oxigen Wallet's secured servers. So we would like to update that a small temporary attack on a website page by attackers does not cause wallet users to suffer any loss or damage, and that their money is safe and secured in Oxigen Wallet.

Internet pages are vulnerable to attacks despite the best security measures and standards; responsible online companies do prepare for such intrusions and build security measures so as not to compromise the data, information or assets of their customers. Oxigen Services (India) Private Limited (“Oxigen”) too has built in such measures. The wallet money does not rest on a website page nor with the company; it is secured by way of cautious deposit with appropriate banks/other modes. Access to the mobile wallet is ultra-secured. A website page attack does not have any impact on wallet security.

"A small temporary attack on a website page by attackers doesn't cause wallet users to suffer any loss or damage and their money is safe and secured in Oxigen Wallet"

We want to apologize for that.

Thank you 
Team CK

Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!

Scapy: Art of Crafting and Manipulating Data Packets

Hi there

After my post on securing WordPress, I am here again with a new topic: crafting and manipulating data packets with Scapy.

What is Scapy and why is it used?

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).

It comes pre-installed in most Linux distributions, but you can also install it manually if it is not pre-installed.
1. Install Python; the version of Python should be higher than 2.5.
2. Download and install Scapy.
3. You have to run it with root privileges because some commands may not work with normal privileges.

First, check whether Python is installed with this command (I am using BackBox OS here):
backbox@backbox:~$ python -V
Python 2.7.3

If it is not installed, use this to install it:
backbox@backbox:~$ sudo apt-get install python

Now, after installing Python, you can run Scapy easily. So let's start packet crafting.

1. Run Scapy with root privileges
backbox@backbox:~$ sudo scapy

It will show you a response like the one in the image.

2. To see the supported protocols, type the command ls() and press Enter; it will show you all available protocols.

3. To know more about a specific protocol, just type ls(protocol). Let's take the ARP protocol as an example, as shown in the image: type ls(ARP) and press Enter, and it will show you the available fields of that protocol.

After this, let's start crafting data packets. Type this command to craft your first packet:

>>> packet=IP(dst="xx.xx.xx.xx")/TCP(dport=80)/"Hello world"

and press Enter; it will . What do the components of this command mean?

IP = The type of packet you want to create; I am creating an IP packet here.
dst = The IP address of the destination where you want to send the packet.
/TCP = You are adding a TCP layer with Scapy's default values.
dport = Destination port.
/"Hello world" = The payload of the packet.

After crafting the packet, if you want to see its details, simply type ls(packet).
It will show you a response like this.
Here src = source IP
dst = destination IP

There are two more options for packet details:
just type packet, OR type packet.summary()
It will produce a result like this.

Congratulations, you have successfully crafted a packet.
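To see what the stacked layers turn into on the wire, the following added example (not part of the original post, and it does not use Scapy itself) serializes the same IP/TCP/"Hello world" packet with the standard library, using the defaults Scapy applies to unset fields (source port 20, SYN flag, window 8192, TTL 64, IP id 1), and decodes it again. The addresses are constructed documentation-range values and the source address is an assumption; nothing is sent.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Serialize IP/TCP/payload, filling length and checksum fields last."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    # TCP header: sport=20, seq=0, ack=0, data offset=5 words, flags=SYN (0x02),
    # window=8192, checksum=0 for now, urgent pointer=0.
    tcp = struct.pack("!HHIIBBHHH", 20, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    # The TCP checksum covers a pseudo-header: src, dst, zero, proto 6, TCP length.
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    # IP header: version 4, IHL 5, TOS 0, total length, id=1, no flags/fragment,
    # TTL 64, protocol 6 (TCP), checksum=0 for now.
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload

def describe(raw: bytes) -> dict:
    """Decode the fields a capture tool would show for the packet."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", raw[2:4])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4
    return {
        "src": socket.inet_ntoa(raw[12:16]),
        "dst": socket.inet_ntoa(raw[16:20]),
        "ttl": raw[8], "proto": raw[9], "len": total_len,
        "sport": sport, "dport": dport, "flags": raw[ihl + 13],
        "ip_checksum_ok": checksum(raw[:ihl]) == 0,
        "payload": raw[ihl + doff:total_len],
    }

# Constructed sample using documentation-range addresses (RFC 5737).
RAW = build_packet("192.0.2.1", "192.0.2.10", 80, b"Hello world")
INFO = describe(RAW)
```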

Stay tuned for more

Thank You
Jitendra K Singh


Oxigen Wallet Website Has Been Hacked

Hi there

Recent news is that the Oxigen Wallet website has been hacked.

A hacker using the alias Gobesi TN, from the Tunisian Fallaga team, hacked the site and posted a message about terrorism against Muslims in Burma.

They also bound Win32/RamnitA malware to that page, so users visiting the page would be infected by it.

This was a temporary hack and no user data was compromised in this hack.

Your money in the wallet is safe and you can use it as you were using it before.


Zopim API Bug: Agents Can Fetch Other Agents' Details

Hi,
This post is a proof of concept for a report submitted to Zopim via HackerOne.

This bug exists in the Zopim API. According to the Zopim documentation mentioned here,

agent details can only be fetched by an Owner or Admin account, but I can fetch these details with a simple agent account.

There are more things we can do with this command. There are many restrictions for agents: an agent can't fetch other agents' IDs, department IDs, last login, or how many times users have logged in.

This information can't be accessed from the Dashboard.

There are more things I can do with this command.
According to their documentation mentioned here, agents can fetch all departments. But if I fetch all agents' details, and an agent has been added to a department, the department details come along with the agent details.

I reported this to Zopim but they said that there is no security risk here.
But according to their documentation I can say that there is a permission check missing on those API endpoints.

Zopim declined my bug.

Thanks for reading

Jitendra Singh


Securing WordPress: Taking Backup of Your WordPress site

Hello to all followers out there

I am here with a new post on securing WordPress. Today's topic is how you can back up your site and save that backup to a cloud service such as an Amazon S3 bucket, Dropbox or another cloud service, so let's start.

Why is a backup necessary? Because if your website gets hacked by malicious hackers and they delete everything from it, you can restore all your data from the backup and you don't have to suffer the loss of your important data.

Because your site may contain data which is very important to you, today I will show you how to take a backup of your site and schedule it, so that the backup runs automatically at the scheduled time and is then saved to your desired cloud service.

For the cloud service: Dropbox is easy to use and cheap, and you also get 5GB of free space. So in this tutorial I will use Dropbox to save my backup.

1. There is a plugin named UpdraftPlus Backup.

2. Download this plugin and activate it, then go to the UpdraftPlus Backup settings. It looks like this.

3. Now click on Settings, scroll down and click on Copying your Backup to remote storage.

4. Choose your desired service and authenticate there; in my case I chose Dropbox.

5. Click on the link and authenticate to Dropbox; after authenticating, click on Save Changes.

6. Now go to Current Status, click on Backup Now and choose what you want to exclude from the backup, then click Backup Now. Your backup will be saved to your chosen storage.

You can also schedule backups: go to the settings of this plugin, click on File backup intervals under the Configure Backup Contents And Schedule tab and choose when you want to schedule the backup. It will then save the backup automatically to your chosen storage.

That's all for now

Jitendra Singh with whole Computer Korner and I-HOS team

Thanks to Gurpreet Singh

Want help? Feel free to comment.


How I made $500 from Shopify: Story of a Privilege Escalation Bug

Hi dear Followers

Shopify launched their bug bounty program on HackerOne.

This post is about a bug on Shopify. It is a privilege escalation bug involving invited users: any user who has full access to a shop can also claim the accounts of invited users and can use them for spoofing against the shop owner and the users who were invited.
There are two options to invite a user:
1. The shop owner can invite them, and the invited users will receive a link at their email address; after clicking on the link, users can create their account.
2. The shop owner can create the account on their behalf and then provide them with the email and password.
One more thing: only the shop owner can invite users.

Now the second option can only be done by the person who is the shop owner.

Suppose there are three users A, B and C. A is the shop owner, B is a user that has full access to the shop, and C is a user that is invited by A. Now B logs into his account and navigates to Settings > General and the invited users link. The entry for invited user C looks like this:

C- Invited

Now B clicks on Invited and can create an account on behalf of user C. After the account is created on behalf of C, shop owner A's settings will show him that the account has been claimed by the user he invited, which is C.
Now B can use C's account for doing malicious things to the shop, and the shop admin will think that this has been done by C.
This is privilege escalation for C and also for the shop owner because, as I described before, only the shop owner can invite users and create accounts on behalf of invited users.

Now they have fixed the bug so that only the shop owner can access the users invited and joined tab on their Shopify account.
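The access-control gap described above can be modelled in a few lines. This is an added, simplified illustration and not Shopify's code: the Shop class, its method names and the e-mail addresses are hypothetical. It shows the check before and after the fix, plus an audit query that records who actually created the account, since the owner's view only shows it as claimed.

```python
from dataclasses import dataclass, field

@dataclass
class Shop:
    owner: str
    full_access: set = field(default_factory=set)  # staff with full shop access
    accounts: dict = field(default_factory=dict)   # email -> status the owner sees
    audit: list = field(default_factory=list)      # (actor, action, target)

    def invite(self, actor, email):
        # Per the post, only the shop owner can invite users.
        if actor != self.owner:
            raise PermissionError("only the owner can invite")
        self.accounts[email] = "invited"
        self.audit.append((actor, "invite", email))

    def _claim(self, actor, email):
        if self.accounts.get(email) != "invited":
            raise ValueError("no pending invite for " + email)
        self.accounts[email] = "claimed"  # the owner only sees "claimed"
        self.audit.append((actor, "create_on_behalf", email))

    def create_on_behalf_before(self, actor, email):
        # Behaviour described in the post: full access was enough.
        if actor != self.owner and actor not in self.full_access:
            raise PermissionError("not shop staff")
        self._claim(actor, email)

    def create_on_behalf_after(self, actor, email):
        # After the fix: the check matches the stated rule (owner only).
        if actor != self.owner:
            raise PermissionError("only the owner can create invited accounts")
        self._claim(actor, email)

def claimed_by_non_owner(shop):
    """Audit query: invited accounts created by someone other than the owner."""
    return [(a, t) for a, act, t in shop.audit
            if act == "create_on_behalf" and a != shop.owner]

def demo():
    shop = Shop(owner="A", full_access={"B"})
    shop.invite("A", "c@example.com")            # constructed sample data
    shop.create_on_behalf_before("B", "c@example.com")
    flagged = claimed_by_non_owner(shop)
    shop.invite("A", "d@example.com")
    try:
        shop.create_on_behalf_after("B", "d@example.com")
        blocked = False
    except PermissionError:
        blocked = True
    return shop.accounts, flagged, blocked
```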

Shopify awarded me a bounty of $500 for reporting this bug.

Hope you enjoyed this post

Feel free to comment; questions are welcome

Jitendra K Singh and Whole Computer Korner and I-HOS team.


Securing WordPress: Adding more Security on Login

Hi Fellas
In our new series on securing WordPress, I am now sharing how to add more security during login.

Many people who use WordPress for their website or blog don't use much security on their login panel, such as rate limiting of login attempts. So today I am sharing how to make your login more secure.

How to make login more secure:-

There is a WordPress plugin known as Graphic Password by SiteGuarding which shows an image during login; the login completes only after clicking on the right places on the image, which makes login more secure. So let's see how we can use it.

1. Log in to your WordPress site, go to Add New plugin and search for Graphic Password.

2. Install it and activate it.
3. Now go to Settings > Graphic Password
There are two versions of this plugin: one is pro (paid), the other is free. You can use the free one for this; there is no need to install the paid one.
4. Now there are two options: you can choose from the existing images, or you can upload your own custom image (paid version). Since I am using the free one, choose any of the existing images.

5. Now click on any two desired portions of the image; it will automatically draw a line between these portions.
You can also click on as many portions as you want to make a pattern which is not easily guessable.
6. Now click on Save Changes and log out to test whether it is working.
When you go to the login panel of your site, a lock sign will appear in the top right corner; click on it and it will show the image. Some malicious users may think that this is just a lock sign and ignore it, but it is mandatory for login; without it you may not be able to log in.
So this plugin can work as two-factor authentication for your site.

7. Click on the lock sign and it will show the image. Click on the two portions as you did during activation, enter your login username and password, and you can log in.

More posts on securing WordPress are coming soon, stay tuned.

Jitendra K Singh

Special Thanks to Souvik and Gurpreet Who are there every time I need them 
Thanks to Subir bhai  I am living your dream 

Suggestions and Questions are welcome

Securing WordPress: Changing WordPress Database Prefix

Hi fellas,

Today I will discuss a really small mistake which many admins of WordPress-based websites make.
The mistake happens when they install WordPress. WordPress creates its database tables with a wp_ prefix, and website admins don't change that prefix.
If any SQLi vulnerability is found, an attacker can easily know which tables belong to WordPress and can steal the credentials of the WordPress account.
Many people develop their website with their own code but use WordPress to host their blogs etc., so if a SQLi vulnerability exists on their main site, an attacker can also steal their WordPress credentials. It is therefore advised to change the prefix of the WordPress database.

How to Change WordPress Database Prefix

1. In order to change the WordPress database prefix you have to install a WordPress plugin named CHANGE DB PREFIX.

2. After installing, go to Settings > Change DB prefix

3. Change the database prefix to your desired one.

After completing your changes, remove that plugin because we don't need it anymore.

This is a small issue, but changing the database prefix can be a good practice.
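After the change, it is worth confirming that the new prefix is actually in effect. The check below is an added example, not part of the original post or of the plugin: it reads the $table_prefix setting from the text of wp-config.php and compares it with a list of table names. The config fragments and table names are constructed samples, and the function names are hypothetical.

```python
import re

# $table_prefix = 'wp_';  is the wp-config.php setting that holds the prefix.
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.M)

def configured_prefix(wp_config_text):
    """Return the prefix set in wp-config.php, or None if it is not set.
    Lines starting with // or # do not match, so commented-out values are skipped."""
    match = PREFIX_RE.search(wp_config_text)
    return match.group(2) if match else None

def audit_prefix(wp_config_text, table_names):
    """List findings: default prefix still in use, or tables left on another prefix."""
    prefix = configured_prefix(wp_config_text)
    if prefix is None:
        return ["$table_prefix not found in wp-config.php"]
    findings = []
    if prefix == "wp_":
        findings.append("default prefix wp_ still in use")
    stale = sorted(t for t in table_names if not t.startswith(prefix))
    if stale:
        findings.append("tables not using configured prefix: " + ", ".join(stale))
    return findings

# Constructed samples: a default install, and a site where one table was missed.
DEFAULT_CONFIG = "<?php\ndefine('DB_NAME', 'blog');\n$table_prefix = 'wp_';\n"
CHANGED_CONFIG = "<?php\n// $table_prefix = 'wp_';\n$table_prefix = \"k9x_\";\n"

def demo():
    before = audit_prefix(DEFAULT_CONFIG, ["wp_users", "wp_posts", "wp_options"])
    after = audit_prefix(CHANGED_CONFIG, ["k9x_users", "k9x_posts", "wp_options"])
    clean = audit_prefix(CHANGED_CONFIG, ["k9x_users", "k9x_posts", "k9x_options"])
    return before, after, clean
```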

Suggestions are welcome


Special thanks to Gray Code Gurpreet Singh & Moni HBH, who helped me at every step