Updated: Shaadi.com Security Vulnerability Allowed Access To User Profiles; Now Fixed


Update: Raxit Sheth has updated his blog on how he was able to access the profiles. All he had to do to get access to the shaadi.com member’s profile was to search for “eml-trk site:shaadi.com” without quotes on any search engines. Sheth claims that Anupam Mittal, CEO People Group, acknowledged the bug and mentioned that it was introduced during the last dev cycle. The bug has been fixed.

Jan 22, 2013: Earlier today, Raxit Sheth pointed us towards a URL which allowed the editing of a users profile on matrimonial website Shaadi.com. Sheth said that a critical vulnerability in the website allowed for this, allowing users to gain full access to a member’s profile without entering their account credentials. We tried it, and were able to access profiles (details below)

After we contacted Shaadi.com about this, and the vulnerability was fixed. On attempting to access the profile, we are now redirected to the websites homepage, and asked for login credentials. We’ve contacted Shaadi.com for their statement on the issue, and will update when we hear from them officially (which we are told, we will, by end of day today).

The Vulnerability

The vulnerability was limited to only specific profiles and didn’t allow users to access all member’s profiles. In these profiles, we were able to secure full access to the member’s profile including the ability to change profile details (screenshot below), and apparently chat with other members, send interests, reply to messages, among others.

Here are few of the screenshots of a user’s profile, with details masked in order to protect his/her identity.

 

 

Security is critical for matrimonial portals: someone could have easily accessed profiles and sent inappropriate messages.


  • Anonymous

    Which type of hack it is not explianed ,XSS type is still there in shaadi.com

    • http://www.facebook.com/people/Sheth-Raxit/692059765 Sheth Raxit

      @marathiblog,  check update on this post, on more detail.

  • http://www.facebook.com/people/Sheth-Raxit/692059765 Sheth Raxit

    @marathiblog:disqus  this was no brainer, you just search few words in google/yahoo/bing, click the link and you get full access of profile without id/pwd, no xss, no sql-i. Simple stupid but critical security bug.