Wednesday, 29 June 2016

Major Bug in Ola App can Make you Either Rich or Poor!


Despite the hiccup caused by the recent ban on cab aggregators, India's cab-hiring app market continues to grow at breakneck speed. Ola Cabs currently offers 60,000 cabs in 52 Indian cities and plans to reach 200 cities by end-2015.

Companies like Ola Cabs, Uber and TaxiForSure are growing at a breathtaking pace. But that is not what we are talking about today. What matters more to us is how secure these applications are, so that nobody can misuse them.

At Appknox, we’ve built a cloud-based scanner that helps mobile app developers and businesses make their mobile applications more secure. We help detect security vulnerabilities in mobiles apps and also suggest ways in which developers can fix these issues.

Given the recent news about Ola, we decided to put the Ola app, available on the Google Play store, through our system to find out how secure it is.

Our engine reports that the Ola Cabs app available to consumers scores 42.86% insecure on our checks. We decided to do a more in-depth analysis of the bugs it reported. More than 80% of the Top 100 grossing applications on the Google Play store have problems with incorrect SSL configuration, which we have written about extensively.



As we scanned the Ola app, we found issues related to cryptographic keys, insufficient transport layer protection, and a faulty SSL certificate verifier.

Cryptographic Keys



The very first problem we saw in the Ola app was in the cryptographic keys it uses. According to our scan, the app encrypts with AES/ECB/PKCS5Padding, which is a weak construction: ECB mode has no IV and encrypts identical plaintext blocks to identical ciphertext blocks, and it provides no integrity protection. Worse, the key is hard-coded in the app. The Appknox engine pinpointed the method in which the AES encryption is implemented, and from it we can also read the AES key:
80, 82, 79, 68, 75, 69, 89, 80, 82, 79, 68, 75, 69, 89, 49, 50
The key above is shown as decimal byte values; converting each byte to ASCII gives the 16-byte (AES-128) key: PRODKEYPRODKEY12

A short search through the Ola app code shows that the user's password is encrypted with AES under this same key and then base64-encoded.





Since the key is known to anyone who has the APK, anyone who can obtain the base64 ciphertext (from the app's traffic or its storage) can decrypt the password of any Ola account holder. This is very dangerous: passwords should never be stored or transmitted in a reversible form. They should be run through a salted, deliberately slow, one-way hash, so that even someone who obtains the stored value cannot turn it back into the password.


Summary: In simple words, we found a way to recover the password of any Ola user account. This means someone could use your Ola account, and your Ola credits, to book cabs. Clearly, no one would want that, right? The bigger concern is that all user passwords are protected with the same hard-coded key, PRODKEYPRODKEY12. This issue still exists, and they are going to have a tough time fixing this one!

Insufficient Transport Layer Protection

The next problem the Appknox engine found is known as "Insufficient Transport Layer Protection". Whether the app sends its data over the carrier network or over WiFi, the traffic crosses the Internet before it reaches the remote server, and unprotected data can be sniffed at any hop along the way: routers, proxies and cell towers are just a few of the places where data in transit can be read.

How safe is your Transport Layer?


We found that Ola's API traffic was not adequately protected in transit (endpoints without SSL, and a certificate verifier that accepts an interception certificate), which made it easy for us to intercept the API requests and responses. To do this we set up a proxy through which the phone's network connection is routed, which in turn shows the different requests being made to Ola's server side.

For this purpose we used Burp Proxy, which can intercept the requests made by the Ola app installed on the phone. After configuring Burp, the phone's traffic was routed via the proxy so that each request could be inspected.



The communication between the Ola Cabs app and its server, with Burp in the middle, goes like this:
1. The client makes a connection to the server.
2. The router redirects the connection to Burp Proxy, which is typically listening on a local port of the same host. Burp Proxy then consults the routing mechanism to establish what the original destination was.
3. The client believes it is talking to the remote server and initiates the SSL connection. It uses SNI to indicate the hostname it is connecting to.
4. Burp Proxy connects to the server and establishes an SSL connection using the SNI hostname indicated by the client.
5. The server responds with the matching SSL certificate, which contains the CN and SAN values needed to generate the interception certificate.
6. Burp Proxy generates the interception certificate and continues the client SSL handshake paused in step 3.
7. The client sends the request over the established SSL connection.
8. Burp Proxy passes the request on to the server over the SSL connection initiated in step 4.

When the payment transaction finished, the app made a call to Ola's servers to report that the transaction was successful; this is the call responsible for recharging the wallet.



Replaying the same request resulted in another successful transaction, which shows that the server did not validate the recharge order against the payment gateway, nor check whether that reference had already been credited. Hence we could recharge our Ola wallet without ever going through the payment gateway.




Summary: What this means is that, using the same recharge reference code, we were able to recharge our Ola wallet multiple times. In short, you recharge just once, for any amount, and then use the same reference code to recharge over and over again. Time to get rich, eh?

We found these issues way back in early February. While we are a security company, we hack only to help our customers and not to take benefit or misuse their weaknesses. We tried to reach out to the OLA Security Team multiple times, and it seems they don’t think it is highly important. We also reached out to Bhavish Aggarwal, CEO of Ola Cabs reporting the same to him. Finally, after around 2 months the issue seems to be fixed.




The alerting mechanism they speak of here does not hold up, because they could only have learned about it once we contacted them. In fact, we tried and tested this on other accounts as well, and they obviously could not track those, because they blocked only the user with the appknox.com email ID. Clearly, there is no automated tracking mechanism in place.

The same has been reported by Shubham Paramhans (one of the developers at Kuliza) as well, and he got the same kind of response from the Ola team. We know that nobody is perfect, but companies can be more proactive about such issues and should respond better.

We hope all companies take attention to this. We’ve been big fans of Ola and Uber and we often use their services to commute from home to work to meetings and more. Since we are consumers as well, we’d love to help the company and other businesses avoid such mishaps.

At Appknox, we encourage businesses to be proactive towards security and help them secure their mobile apps. We offer an extensive security scan of mobile apps by detecting security loopholes with suggestions to fix them. If yours is an app that involves making online payments or collecting user data, you can talk to our in-house security experts to discover ways to protect your app from cyber crimes. Just click on the link below.

Thursday, 23 June 2016

Google Drive – “There is a problem with this website’s security certificate.”

After Google Drive installation when you try to Sign in to Google Drive the popup shows the following error message:

Sign in to Google Drive
There is a problem with this website's security certificate.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to server.

We recommend that you close this webpage and do not continue to this website.

• Click here to close this webpage.
• Continue to this website (not recommended).

• More information





Solution 1:
Open Windows Internet Explorer, go to Tools (Alt+X) -> Internet options


click the Advanced tab, in the Security section, uncheck or clear the box for the following three options:

Check for publisher’s certificate revocation
Check for server certificate revocation*
Check for signatures on downloaded programs


as shown in the screenshot:



then Apply and Close Internet Explorer (all IE windows opened).

Note: these three options are Internet Explorer (WinINET) settings, not Google Drive settings. While they are off, IE and every program that uses WinINET will no longer reject certificates that have been revoked or downloads whose signatures fail, so after the first successful sign in to Google Drive go back through the steps above and re-enable all three. If the warning persists, the usual causes are a wrong system clock, an out-of-date root certificate store, or a proxy or antivirus product that intercepts TLS; fixing that is the better remedy.

Solution 2 (UNDER THE HOOD):

Right-click inside the popup, choose Properties, and from the Address (URL) line select the link to the end, starting from
https://accounts.google.com/ServiceLoginAuth…
Copy it, open an IE window and paste the address.
If the page does not open, add the website to the Trusted Sites zone:
Open Windows Internet Explorer and go to
Tools (Alt+X) -> Internet Options -> Security -> Trusted sites -> Sites
Enter https://accounts.google.com/

in "Add this website to the zone", click Add, check "Require server verification (https:) for all sites in this zone", then Close. Note that the Trusted Sites zone relaxes IE's script and ActiveX settings for that site; it does not change how certificates are checked, so it only helps when the certificate itself is valid.

Did my solution solve your problem? Leave a reply.

Wednesday, 22 June 2016

Half Girlfriend (English)

Half Girlfriend (English) (Paperback)
List Price: Rs. 176
Selling Price: Rs. 127 (27% off) + Rs. 40 delivery

Half Girlfriend is the much-awaited novel by the famous Indian novelist, Chetan Bhagat. It delves into new and different dimensions that relationships have in today’s world.
Summary of the Book
Madhav is a Bihari boy with big dreams who falls in love with the beautiful Riya, a rich lass from Delhi. There are some fundamental differences between the two. Madhav’s English isn’t all that great, but Riya speaks the best English. Madhav wants Riya to be his girlfriend but Riya disagrees. She wants them to be just friends but he definitely wants more. Riya finally comes up with a suggestion, a compromise – she agrees to become his half-girlfriend! Chetan Bhagat presents a simple and beautiful love story that will move you with all the nuances of a modern-day relationship. It also inspires you to realize your individual dreams.
About Chetan Bhagat
Chetan Bhagat is a famous contemporary Indian writer, speaker, columnist and novelist. He was born in New Delhi in 1974. Considered one of India's most popular writers of fiction, Chetan Bhagat is an alumnus of the Indian Institute of Technology, Delhi and the Indian Institute of Management, Ahmedabad. Before becoming a fulltime writer, Chetan worked as an investment banker for a few years. The New York Times called him ‘the biggest selling English language novelist in India’s history’. Some of Chetan's other notable works are Five Point Someone, One Night at the Call Centre, 2 States, The 3 Mistakes of My Life, and Revolution 2020. Three of his books have been adapted into Bollywood movies, two of which went on to become massive hit movies: 3 Idiots and Kai Po Che!


Saturday, 18 June 2016

Father's Day: Tribute to all Fathers Across the Globe

Father’s Day is celebrated worldwide to recognize the contribution that fathers and father figures make to the lives of their children. This day celebrates fatherhood and male parenting. Although it is celebrated on a variety of dates worldwide, many countries observe this day on the third Sunday in June.


Father's Day Observances
Weekday   Date     Year   Name           Holiday Type
Sun       Jun 20   2010   Father's Day   Observance
Sun       Jun 19   2011   Father's Day   Observance
Sun       Jun 17   2012   Father's Day   Observance
Sun       Jun 16   2013   Father's Day   Observance
Sun       Jun 15   2014   Father's Day   Observance
Sun       Jun 21   2015   Father's Day   Observance
Sun       Jun 19   2016   Father's Day   Observance

A small video presentation to remind all of us that he is the person who spent his whole life just to see us smiling, and today we do not even bother to listen to what he needs for even five minutes a day. Please watch this video by Amplifon India; it reminds us of, and warns us about, our mistakes. Please spend time with your father, and with both your parents, before it is too late.


A gentle reminder of how we forget to listen to those who have spent their lifetimes listening to us.

Video Credit - Amplifon India

Small gift ideas to make your father feel special this Father's Day:

Father's Day will be observed on June 19 this year as it is celebrated on the third Sunday of June in most parts of the world. If you are already throwing away most gift ideas and turning to the internet for answers, here are some suggestions for gifts that every father might actually love to have.

A greeting card, cufflinks, a mug with a "World's Best Dad" quote, perfume or clothing are the ordinary choices, but if you really wish to give something out of the box, look at the current trend. Technology has become a major part of our daily lives: we constantly rely on smartphones, tablets, the internet, smartwatches and other gadgets, so it makes sense to gift something that makes the most of them.

Keeping in mind that not everyone can afford a pricey iPhone, and that nobody wants to settle for a plain greeting card (although it is the thought that counts), here are some gift ideas most of us can afford.

Smartphone

It is not quite often that we see our fathers change their smartphones. But as the tech world advances, it is best to have the latest device. In India, the intense competition among smartphone companies has led to a price war and the need to pack top-of-the-line specs. There are plenty of smartphone choices for shoppers that can easily fit into any budget.

If you are looking for smartphones under Rs. 10,000, there are handsets like Lenovo Vibe K5, Meizu M3 Note and Coolpad Note 3 Lite. Smartphones sub-Rs. 20,000 are pretty cutting edge with premium features. Some of the devices you can get include LeEco Le 2, Lenovo ZUK Z1, Motorola G4 Plus and more. If your budget permits you to go up to Rs. 30,000, there are worthy devices like LeEco Le Max 2, Xiaomi Mi 5 and OnePlus 3, all of which can easily offer the experience of a premium flagship device.

Smartwatch
Wearables are slowly gaining ground in the tech world. It would be nice to give your dad a break from the regular Titan or Rado and replace it with a smartwatch, on which he can get all his smartphone notifications, track his fitness and keep up with the latest tech trends.

There are a plenty of choices in the smartwatch segment. Samsung, LG, Huawei and Motorola have a series of smartwatches that look like regular wrist watch but offer all the smart functions. If you are looking at some budget options, there are companies like Wickedleak, Intex, Alcatel and others.

Fitness tracker
It is important to stay fit and healthy, and technology is doing its bit in that area. Although smartwatches these days come with most fitness-tracking features, fitness trackers are designed to do just that, without the distraction of smartphone functions. Almost every smartphone manufacturer offers a range of fitness-tracking wearables.

Fitness trackers can help your dad keep a track of daily activities, sleep and stay fit and healthy. Companies like FitBit, Misfit, Jawbone are some brands known for their fitness trackers. However, options are not limited in this category. There are affordable options as well from companies such as Xiaomi, Intex, Swipe and Micromax YU. Fitness trackers can be a very thoughtful gift this Father's Day.

Chromecast
Who wouldn't like to stay entertained? With regular cable and dish options, televisions are mostly on a loop with same TV shows or repeated movies. Add more spice to your dad's entertainment life with Chromecast dongles, which will connect a normal HDTV to internet to stream YouTube and cast content from smartphone wirelessly.

Power bank
For the dads who are always on the run and have no time to charge their phones, a powerbank can actually save the day to make that important call home or a text to client. Power banks come in different sizes and capacities. Xiaomi, OnePlus, Sony, Ambrane and many other companies offer a wide range of power banks for as low as Rs. 599 and upwards.

Virtual reality headset
Let them experience the world of virtual reality and see how the technology has grown over the years. You can easily find affordable VR headsets, which let you insert a smartphone to work as a display, online from Amazon India for as low as Rs. 200. But if you are looking at better quality VR headset, it may cost you around Rs. 1,000.

Recliner sofa/chairs
Nothing adds up to good comfort while watching TV or reading morning newspaper while sipping tea. Recliner sofas are extremely comfortable and can certainly make your dad happy. They will come in great use on a daily basis and you can never go wrong with this gift choice.

Recliners are usually priced higher than the regular sofas, mainly because of their mechanical functions. Urban Ladder has a variety of recliner sofa sets and single chairs starting from Rs. 12,999. If your dad is a fan of F.R.I.E.N.D.S TV series, Tribbiani Recliner can be a well-thought gift, which costs Rs. 16,999.

No matter what gift you buy for your dad, make sure you add a personal touch to make it special. It could be a hand-written letter saying how much you love him, or a gesture that acknowledges his support through your ups and downs.

Ebook : Revolution 2020: Love.Corruption.Ambition



Price: Rs. 118.00 (M.R.P. Rs. 176.00; you save Rs. 58.00, 33%), inclusive of all taxes
Free delivery; cash on delivery eligible. In stock.
Sold by Buy Books India (4.7 out of 5, 3,311 ratings) and fulfilled by Amazon. Gift-wrap available.





 About The Book
A tale of dreams, ambitions and unrequited love, Revolution 2020: Love. Ambition. Corruption. explores the lives of three friends from Varanasi, while also painting a stark picture of the country's corrupt political landscape.
Gopal and Raghav are friends who hail from different backgrounds, but share a common hunger for success and realizing their dreams in life. Gopal, whose family has been mired in a never-ending property dispute, yearns to break out and amass wealth, while Raghav harbors dreams of disrupting the political milieu with his ideas of revolutionary change. Their lives take a surprising turn when they fall in love with a mutual friend, Aarti-a move that adds a new layer of complexity to their existing relationship. Aarti, meanwhile, is torn between her feelings for the defiant Raghav and ambitious Gopal. The plot thickens as Gopal gives in to the corrupt system that Raghav is trying to fight to fuel his thirst for riches. Will the volatile situation turn the friends against each other? Will Raghav be successful in his quest for rapid social change? And more importantly, will their closely entwined love lives alter their future forever? in Chetan Bhagat's signature style, Revolution 2020: Love. Ambition. Corruption. charges forward to answer all these questions.
The book was published in the year 2011 in paperback.


ABOUT CHETAN BHAGAT - 
Chetan Bhagat is a renowned columnist, speaker, and author from India. He has also written other books like 2 States: The Story Of My Marriage, Five Point Someone: What Not To Do At IIT, The 3 Mistakes Of My Life, Revolution 2020, Half Girlfriend and What Young India Wants.

He was born in 1974 in New Delhi. Bhagat studied at Army Public School, New Delhi, and went on to obtain his degree in Mechanical Engineering from the Indian Institute of Technology, Delhi. He also holds an MBA degree from the Indian Institute of Management. After finishing his degrees, he began working in Hong Kong as an investment banker. Bhagat has also received many awards such as the Publisher’s Recognition Award and Society Young Achiever’s Award. In the year 2010, Bhagat was listed among the World’s 100 Most Influential People by Time magazine. Four of his books have been adapted into films.

Thursday, 16 June 2016

Samsung 10 W USB Travel Adapter Battery Charger



Payment option: Cash on delivery
List Price: Rs. 525
Selling Price: Rs. 231 (56% off), free delivery
Sold by: Instatainment
Stock: 20


Specifications of Samsung 10 W USB Travel Adapter Battery Charger (White)

In the box
Sales package: Travel adapter
General
Brand: Samsung
Model: 10 W USB Travel Adapter
Type: Wall charger
Connector: USB
Color: White
Warranty
Covered in warranty: Warranty of the product is limited to manufacturing defects only.
Warranty summary: 6 months

Wednesday, 15 June 2016

Monsoon at the Door!! More Rains To Lash Kolkata As Monsoon Knocks

Kolkata is likely to continue with its rainy affair for the next few days as well. Weather conditions remain conducive for the prolonged spell of rains as Monsoon is just round the corner.

The Southwest Monsoon has already covered some parts of West Bengal and is likely to cover remaining parts of the state including Kolkata in the span of 3-4 days.

After recording rain for two consecutive days, Kolkata remained dry on Tuesday. However, a cyclonic circulation is now seen over Bihar and adjoining Jharkhand, and a trough extends from the system up to the North Bay of Bengal across Gangetic West Bengal.

The system is likely to trigger light to moderate rain and thundershowers over the city during the next 24-48 hours, with a few isolated spells as well. In addition, another monsoon system is brewing in the east-central Bay of Bengal that will further enhance rain activity over Kolkata during the coming days.

So far in June, the city has already recorded 115 mm of rain as compared to its monthly average rainfall of 283.5 mm.

In wake of the rainy spell, day temperatures have taken a significant dip, paving way for pleasant weather conditions. However, humidity may cause little discomfort. On Tuesday, Kolkata recorded day maximum at 30°C that was four degrees below normal.

Night temperatures, meanwhile, are settling near normal on account of the high humidity. The minimum temperature recorded on Wednesday morning was just one notch below normal, at 26.3°C.

Image credit: en.wikipedia.org