NCC Mobile County App Security

Anyone know the devs of the Nairobi County App at JamboPay? Need to notify them of some serious security concerns in their app. Serious to the point that I won't use the app until they are patched. And if anyone on this list uses it, please don't use the same PIN you use for other secure services like Mpesa, ATM etc. until these issues are patched.

Ebu shed more light on this.

On Sat, Feb 7, 2015 at 3:23 PM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Conservatism is the adherence to the old tried against the new untried.

My fear is malicious guys on this list, but let's just say here's their site; it has directory browsing enabled. Check it out: http://212.22.176.89/ncc/mobile/ If they by mistake leave a file with sensitive data (and webmasters sometimes do), thinking nobody can get the file, it can easily be downloaded, no need for any special tools, just browse and download. The icing on the cake: their web requests are done over HTTP, not HTTPS. Even a kid with Wireshark can sniff your PIN while you're at Java paying for parking, not to mention the fact that their requests are hard coded to that IP. I'm not a security expert of any kind, and I figured all this out in less than 30 min playing around with it. I can only imagine what the expert penetration testers will uncover.

On 8 February 2015 at 13:21, TheMburu George <themburu@gmail.com> wrote:

And what's the issue, Mr John?

On 7 Feb 2015 15:30, "John K. via skunkworks" <skunkworks@lists.my.co.ke> wrote:

@Nyamboki, you do not see any issue with what John K has described? Developers tend to leave .zip and .sql files lying around in the webroot, especially just before or after uploading a new version. It is usually named the same as the folder, which one can figure out from the URL. At least I used to do that when I was young and foolish.

On Sun, Feb 8, 2015 at 5:48 PM, David Nyamboki via skunkworks <skunkworks@lists.my.co.ke> wrote:

To the webmaster/developer of that website, here are some quick fixes:
1. Put an empty index.html or index.php in the web root, plus in each folder.
2. Make sure your Apache is set to read .htaccess files, then put a .htaccess at the webroot with the following directive: IndexIgnore *
3. Set PHP not to display errors.
4. Disable the Apache server signature; there's no need to let everyone know which version of PHP you are using. Why? Because of this: <http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-170304/PHP-PHP-5.5.15.html>
5. You do know that XAMPP is not meant to be used in production, right?

On Sun, Feb 8, 2015 at 9:13 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:
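Added example (not the site's real configuration, nor code from JamboPay): an Apache 2.4 vhost that pairs the weak settings the thread reports (directory listing, server signature, PHP errors shown, the API served over plain HTTP to a hard-coded address) with the corrected settings from Peter Karunyu's list; the hostname, document root and certificate paths are placeholders. It uses Options -Indexes rather than IndexIgnore *, because IndexIgnore only hides entries from a listing that is still generated, while -Indexes refuses the listing with a 403.

```apache
# Added example, not the site's configuration. Hostname and paths are placeholders.
# Apache 2.4 syntax; assumes mod_ssl, mod_headers, mod_alias and mod_php loaded.

# --- Global hardening (httpd.conf / conf-enabled/security.conf) ---
# Before (what the thread observed):
#   ServerSignature On    -> Apache/PHP version printed on error and index pages
#   ServerTokens Full     -> full version string in the Server: response header
# After:
ServerSignature Off
ServerTokens Prod

# PHP: never show errors (they leak file paths and query fragments) to visitors.
# Equivalent php.ini keys: display_errors=Off, log_errors=On.
php_flag  display_errors Off
php_flag  log_errors     On

# --- Plain-HTTP vhost: exists only to redirect to HTTPS ---
<VirtualHost *:80>
    ServerName parking.example.ke
    # Before: the app's API was served here in cleartext, so a PIN crossed
    # the network readable to anyone on the same Wi-Fi.
    Redirect permanent / https://parking.example.ke/
</VirtualHost>

<VirtualHost *:443>
    ServerName parking.example.ke
    DocumentRoot /var/www/ncc
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/parking.example.ke.pem
    SSLCertificateKeyFile /etc/ssl/private/parking.example.ke.key
    # Tell clients that have seen the site once to never fall back to HTTP.
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /var/www/ncc>
        # Before: "Options Indexes FollowSymLinks" (a common stock default),
        # which renders a listing of every file whenever no index file exists.
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Backups and dumps forgotten in the webroot must never be served,
    # even when their name can be guessed from the folder name.
    <FilesMatch "\.(sql|zip|tar|gz|bak|old|log|ini)$">
        Require all denied
    </FilesMatch>

    # Upload directory: files may be downloaded, but nothing in it executes.
    <Directory /var/www/ncc/mobile/enforce/uploads>
        Options -Indexes -ExecCGI
        php_admin_flag engine Off
        RemoveHandler .php .phtml .phar
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` after the change, then confirm from outside that a directory URL without an index now returns 403 instead of a listing and that a plain-HTTP request is answered with a 301 to HTTPS.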

Eh! I think things are worse than John K said. Whoever is working on that website, please fix it immediately.

On Sun, Feb 8, 2015 at 9:22 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:

http://212.22.176.89/ncc/mobile/enforce/uploads/

On Sun, Feb 8, 2015 at 9:38 PM, Peter Karunyu via skunkworks <skunkworks@lists.my.co.ke> wrote:

Contact the dev http://212.22.176.89/ncc/mobile/enforce/uploads/IMG_20150121_185633.jpg pictured here :)
Good week everyone!
Rgds
-- We must Keep on, We can't stop here

On Sun, Feb 8, 2015 at 11:59 PM, Haggai Nyang via skunkworks <skunkworks@lists.my.co.ke> wrote:

Looks like they've taken measures to resolve those issues?

On Sat, Feb 7, 2015 at 3:23 PM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:

Hi,
Looks like they patched.
Regards

On 9 February 2015 at 10:31, Allan O. via skunkworks <skunkworks@lists.my.co.ke> wrote:
-- James M. Muendo P.O Box 28016 - 00200, Nairobi. Mobile: +254725 567 508 Skype:tim.rick | Twitter: @MMuendo | gtalk: timrick | Web: www.muendo.co.ke <james@muendo.co.ke> <http://muendoshead.blogspot.com/>

Seems they may have patched the site; still waiting for a fix for the app. I'll keep checking; for now the previous advice remains. Do not use the app until they, at the very minimum, enforce SSL. On a side note, can the devs explain why they are using a hard coded IP? If the IP tomorrow is not available, all installed apps become useless? Many users have no idea how to update apps, so saying you'll force an update is not an option.

On Monday, February 9, 2015, Allan O. via skunkworks <skunkworks@lists.my.co.ke> wrote:
participants (8)
- Allan O.
- David Nyamboki
- Haggai Nyang
- James Muendo
- joe mwirigi
- John K.
- Peter Karunyu
- TheMburu George