At the beginning of May, we reported that a number of Indian ISP started blocking their subscribers from accessing BitTorrent sites, and even Vimeo, just before the launch of a Bollywood motion picture. Many were discontent with the decision, but one of these individuals decided to do something about it.
After seeing that Reliance, one of the ISPs in question, went further and blocked even Pastebin, a hacker called Isac decided to check out the security measures the firm implemented to safeguard its infrastructure.
“So about a week ago I had the tried accessing pastebin.com and it was also blocked. That was the last straw so I hacked into the netsweeper panel [of Reliance] that is really, really vulnerable. I did it in like 5min's tops and had obtained full permissions to add any URL to the block list and modify the error pages,” Isac told Softpedia.
For instance, an attacker can add Google.com to the deny list and attribute it a custom error page. This page can be designed to replicate the genuine site, but a malicious piece of code can be hidden inside it.
Isac explains that this could be leveraged for a number of purposes, depending “on the hacker’s imagination.” He can create a fake pop-up that requests the user to install an update, or he can embed an exploit code that could rely on the vulnerabilities in components such as Java to download malware.
The worrying part is that all Reliance customers would be affected.
The hacker claims that he has no intention of causing any damage, his single purpose being to demonstrate that while Reliance is committing an abuse, the company doesn’t even bother to ensure that its systems are safe.
He states that the security holes he found could allow any cybercriminal to easily infect the computers of the Reliance customers.
“How can such a huge telecom like Reliance be so careless about their customers? I want to show that Reliance is doing something that is totally unjustifiable and it’s only thinking about the profit to the company when they are doing this, as many people use vimeo.com and other file sharing sites for other purposes than illegal file sharing,” he added.
“I also want to raise the question of the legality of such a block and to show how pathetic the security they use to implement these blocks is.”
He believes that the flaw he used to gain access to the ISP’s systems is a zero-day, which affects not only Reliance, but also other major Internet providers.
Finally, to prove that he isn’t looking to cause any damage, but to raise awareness, Isac even proposes a fix for the issue.
“The only fix that I can suggest for now that will not affect the system is to use longer passwords so the password hashes cannot be cracked, and to remove the other default users and change the password of the root SQL user that most netsweeper systems have by default,” he explained.
However, this method is only somewhat of a workaround, the company being the only one that can permanently address the issue.
Isac provided a number of screenshots to prove his findings.
Update. The article has been updated to detail the risks posed by the vulnerability.
Also, Isac states that he had some help from another hacker called hackthis29.