Recently many Facebook friends and some readers of Medianama have pinged me to ask how I was able to hack other people's Shaadi.com accounts. It is very tough for me to reply to each and every one, hence this blog post.
Before I start, a few points:
- I will explain in detail how I was able to get full access to other people's profiles.
- I have NOT HACKED anything; they left the site open by mistake. I am a good guy :-). It is like I did not unlock the LOCKER; they had left the LOCKER open.
What was the hack?
- To edit your profile, I need your Shaadi.com user login/email + password. But what if I can log in as you, without your ID and password?
- I can see to whom you have sent interest, who all has sent interest to you, and whose interest you accepted/rejected.
- I can change your Shaadi.com profile [any part of it; text changes go into moderation at Shaadi.com, all other changes reflect instantly].
- I can view your contact/mobile/landline number.
- Simply put, I am logged in as you; I can even send interest to other people 🙂 or do whatever I want with your profile.
- This hack was not applicable to each and every user, but only to some users! But as Shaadi.com is among the top 50 most-visited sites in India, that *some users* count is also not small!
How to do the hack? [PS: Shaadi.com has fixed this, and after its CEO confirmed to me on FB, I am disclosing how this was done]
- Open Yahoo, Google or Bing and paste the following into the search box, without quotes: “eml-trk site:shaadi.com” [Use Yahoo/Bing, as they give more results, meaning you can access more profiles]
- Here is one simple link:
- Now click on any of the results and you will get access to some user's full profile! Yeah, you can edit/change/express interest with that user 🙂
- You think this is simple and stupid? That any 10th-pass student can get access to many, many users in less than a minute? Yes, you are right.
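The root cause described above is an email tracking link that carries login authority, so once a crawler indexes it, anyone who finds the URL is logged in. The usual fix is to keep tracking links free of any authority and, where an email must log someone in with one click, to make that token signed, short-lived and single-use, and to serve the landing page with noindex/no-store headers. The code below is an added illustration of that design, not Shaadi.com's code or the author's; the secret key, the `example.invalid` host, the `/eml-trk` path (taken from the search term in the post) and the 15-minute lifetime are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed demo secret; a real deployment loads this from a secrets manager.
SECRET_KEY = b"constructed-demo-key-do-not-use"
LOGIN_TOKEN_TTL = 15 * 60  # seconds a mailed one-click login link stays valid (assumed value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def build_tracking_link(click_id: str) -> str:
    """Analytics link for an email: it carries only an opaque click id and no login
    authority, so indexing it by a search engine leaks nothing usable."""
    return f"https://example.invalid/eml-trk?c={click_id}"


def issue_login_token(user_id: str, now: Optional[int] = None) -> str:
    """Mint a signed, expiring, single-use token for a one-click login email."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "exp": now + LOGIN_TOKEN_TTL, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{_sign(payload)}"


class UsedTokenRegistry:
    """Remembers redeemed token ids so a link found later cannot be replayed."""

    def __init__(self) -> None:
        self._used = set()

    def consume(self, jti: str) -> bool:
        if jti in self._used:
            return False
        self._used.add(jti)
        return True


def redeem_login_token(token: str, registry: UsedTokenRegistry,
                       now: Optional[int] = None) -> Optional[str]:
    """Return the user id for a valid, unexpired, never-before-used token, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
        if not hmac.compare_digest(sig, _sign(payload)):
            return None  # signature mismatch: tampered or forged
        claims = json.loads(payload)
    except (ValueError, TypeError, binascii.Error):
        return None
    if claims.get("exp", 0) < now:
        return None  # expired: an old indexed link is worthless
    if not registry.consume(claims.get("jti", "")):
        return None  # already used: replay rejected
    return claims.get("uid")


def landing_page_headers() -> Dict[str, str]:
    """Headers for the page that consumes the token: keep it out of search indexes,
    caches and Referer headers."""
    return {
        "X-Robots-Tag": "noindex, nofollow",
        "Cache-Control": "no-store",
        "Referrer-Policy": "no-referrer",
    }
```

Redeem the token from the email landing handler, then set a normal session cookie; the URL itself should never be reusable, which is what the registry and the expiry enforce together.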
I Don't Believe
Do check the screenshot.
PS1: I have masked details which are either private/personal or sensitive. The user's name is anyway publicly available.
PS4 [Read it carefully]: I have not edited/changed/sent interest etc. with any profile to which I had access, but reported it immediately to Shaadi.com, and the team at Shaadi has fixed it quickly. However, apart from me, someone else might have known of the bug and might have done nasty stuff, so it is best for you to cross-check your profile and your sent/received interests in detail: whether only you sent interest to some person, or some hacker sent interest to others on your behalf; likewise, whether someone actually sent you interest, or a hacker sent you interest as another person.
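The author's warning that someone else might have used the bug raises the operator-side question: did crawlers or search-engine visitors actually reach the tracking links before the fix? This added example (not from the original post and not Shaadi.com's code) scans web-server access logs for hits on the auth-bearing link path that arrive with a crawler user-agent or a search-engine Referer, which is the signature of exactly this exposure. The log lines are constructed, the `/eml-trk` path is assumed from the search term in the post, and the crawler and search-engine markers are a small illustrative set.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed combined-format access log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2012:10:00:01 +0530] "GET /eml-trk?c=abc123 HTTP/1.1" 302 0 "https://mail.example.invalid/" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2012:10:00:05 +0530] "GET /eml-trk?c=def456 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"
203.0.113.8 - - [10/Jan/2012:10:01:12 +0530] "GET /eml-trk?c=ghi789 HTTP/1.1" 302 0 "https://www.bing.com/search?q=eml-trk" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2012:10:02:00 +0530] "GET /profile/me HTTP/1.1" 200 1234 "https://www.google.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed path of the link that carried login authority (from the post's search term).
SENSITIVE_PATH_PREFIXES = ("/eml-trk",)
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.", "duckduckgo.")
CRAWLER_UA_MARKERS = ("bot", "crawler", "spider", "slurp")


def suspicious_reasons(referer: str, user_agent: str) -> List[str]:
    """Why a hit on a sensitive link looks like it came via a search index."""
    reasons = []
    host = (urlsplit(referer).hostname or "") if referer != "-" else ""
    if any(marker in host for marker in SEARCH_ENGINE_HOSTS):
        reasons.append("search-engine referer")
    if any(marker in user_agent.lower() for marker in CRAWLER_UA_MARKERS):
        reasons.append("crawler user-agent")
    return reasons


def audit_auth_link_hits(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per request to a sensitive path that arrived via a crawler
    or a search-engine result page; other traffic is ignored."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real audit would count these separately
        path = match.group("path")
        if not path.startswith(SENSITIVE_PATH_PREFIXES):
            continue
        reasons = suspicious_reasons(match.group("referer"), match.group("ua"))
        if reasons:
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "path": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_auth_link_hits(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["path"], ", ".join(finding["reasons"]))
```

A crawler hit tells the operator the link was fetched for indexing; a search-engine Referer on the same path is a human arriving through that index, which is the point at which the affected account should be treated as accessed by a stranger and its recent activity reviewed, as the post advises users to do.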