A Pakistani hacker using the name Mak Man recently breached the website of the popular Indian streaming music service Gaana, which boasts more than 12.5 registered users. Gaana is a subsidiary of the Indian Internet company Times Internet.
Mak Man posted a Web page that provided visitors with direct access to the information, The Next Web reports — anyone who entered an email address was provided with the matching user’s full name, MD5-hashed password, birthdate, Facebook and Twitter profiles, and more.
All Gaana user passwords were reset in response.
“The vulnerable parameter I was using here, has been patched by the Admin,” Mak Man stated on the database page. “Now the question is, Was this the only vulnerable parameter I had .. ? ;)”
“No financial or sensitive personal data beyond Gaana login credentials were accessed,” Times Internet CEO Satyan Gajwani stated on Twitter. “No third party credentials were accessed either.”
Notably, Gajwani also offered Mak Man a job.
“We’ve asked Makman if he’d be willing to work with us and help us find any other issues as well,” he tweeted.
According to DNA India, Mak Man is Mukarram Khalid of Lahore, Pakistan.
Khalid told DNA that he leveraged a SQL injection vulnerability to gain access to a Gaana user database containing almost 12 million records — but instead of downloading the data, he set up his own website to query the Gaana database directly for a given user’s information.
Khalid only set up the site after Gaana ignored his attempts to notify them of the vulnerability, DNA’s Gwyn D’Mello reports. “Basically, he did this to prove a point,” D’Mello wrote.
“If someone reports a security issue, it must be taken seriously and resolved as soon as possible,” Khalid told D’Mello. “It’ll take some time to rectify the issue but … security is not a one time thing. It has to be maintained.”
Rapid7 global security strategist Trey Ford told eSecurity Planet companies that aren’t accustomed to receiving bug reports from outside the company often respond in ways that frustrate researchers.
“I think the hope for any security researcher is to see a reported vulnerability fixed before something bad happens to the website or users,” Ford said. “In this case, it looks like Gaana.com may have been pressured into acknowledging and acting on this vulnerability.”
“It sounds like Gaana.com is taking the right steps by forcing a password reset for their users, and all the normal guidance applies: if people are using their Gaana.com password anywhere else, they need to go change that password on other sites to something unique before their account is accessed,” Ford added.
