Weaponizing your information!

Disclaimer: This blog is purely for the general public and end users! If you are a hacker or bug bounty hunter, you can skip this blog.

“Hello!! Is this Adnan Malik, who attended a community dinner yesterday at XYZ company?” said the caller.

“Yaass! How may I help you?”

“Actually, I am ******, the communication manager from XYZ (who met me last night), and I want to share this opportunity with the people who were with us last night. Blah blah blah ………………….!”, he added.

“Sounds good!”

“We are keeping this event private due to security reasons, not even advertising it publicly. The winning prize is $4K. If you are considering this, do send 5K on this contact number (Easypaisa) for registration. Have a good day!” the call ended.

One of my friends, an ethical hacker and security researcher, was delivering a workshop on phishing attacks to school kids and gave them a real-life demo, for which he made me the victim. But guess what, I almost believed it! As soon as the call ended, I shared this opportunity with my team members. I was planning to submit the registration fee, as I was quite sure the opportunity was bona fide, until my friend called me again and told me the whole story. I was almost phished. I might not have sent the amount, but at the very least, I didn’t doubt the call a bit. It was legitimate to me.

The workshop I was phished for : )

Okay! But how did my friend know about the dinner, XYZ company, and the communication manager? You guessed it right! I shared a dozen pictures and moments from the event on WhatsApp and Snapchat. Without any hurdle, he got to know much of the information from last night, and it is not a tiresome task to fool somebody with that information.

We are living in a digital world. Every single click, keystroke, search, message, post, snap, and video of ours is being recorded in our digital profile. So far, everyone knows that this information is used for advertising purposes. But what if I told you that this information can be used against you? Your digital profile and the information it holds can be exploited by hackers in many different ways to hack you or to access your private data, files, or internal network. Your data is no longer used only by advertisers; it is also exposed to cyber criminals.

I am not sharing any kind of trending incident or someone else’s experience of such exploitation. The stories I am going to share are purely my own experience of finding vulnerable and exploitable information about a user. All of the users were informed by me later, and no malicious actions were carried out.

The people who posted this kind of vulnerability-inducing information online, without knowing the possible outcomes, turned out to be lucky, as they were informed by me rather than getting exploited by black hat hackers. So, let’s get started with some cases of this nature that I explored.

Case 1: The QR code:

While scrolling my Facebook feed, I came across a post. The photo in the post was a typical picture of an event card. But something caught my eye.

As you can see, the picture attached above is a participant card of some international tour/event and has a QR code on it. What are you going to do? Yes, so I scanned it, and it was a critical docs file shared with the participants only. The file contained all of the sensitive information: the accommodation, SIM card, weekly schedule, link to the private chat group, link to the Google Photos album, transport, and essential contacts. I could see their whole records. A bad guy could dig through these albums and groups for further information and use it against not only this participant but all of the other participants as well. Just imagine a single photo leading to enormously harmful consequences.

Case 2: Router Credentials

A hacker doesn’t do extraordinary things. He/she has an eye for minute details. While scrolling, I came across some pictures shared by a company.

It looks like a usual picture. But what caught my attention was a paper pasted on a pillar. I zoomed in, but as Facebook compresses the quality of the photo, it wasn’t clear enough to be readable. I was sure it must be WiFi credentials or some sort of rules written on the paper, and I leaned towards credentials, as posting them is common practice in private (internal) offices and co-working spaces. Due to the low quality of the image, I couldn’t figure it out. Suddenly, an idea hit me: “Twitter doesn’t compress the quality of uploaded photos,” and within the next moment, I found the Twitter handle of the company. And yes, they had shared the same image on Twitter, and the photos had almost the original resolution. Indeed, it was the WiFi credentials. Game over, I guess!

Now, suppose those credentials caught the attention of a hacker sitting outside the office or in an area beside it, who then connects to the internal router. In that case, he/she can monitor all the network traffic, which may contain sensitive information, credentials, banking info, and much more. Hackers can also use an unsecured Wi-Fi connection to distribute malware. If you allow file sharing across a network, the hacker can easily plant infected software on your computer. Some ingenious hackers can do snooping and sniffing.

Case 3: Public Posts and Comments:

Almost every social media platform has a privacy setting that controls whether posts are public or private. Many of us share our emotions and secrets and reveal personal, confidential, untold, and crucial details on social media without knowing the negative consequences. Social media is about sociology and psychology more than technology. There are many incidents of this nature where advertisers, hackers, or bad guys used information in the worst manner against the ones who shared it. Here’s my part. I was going through a profile that was suggested by Facebook.

In one of the posts, the comments were like this. Pretty standard, nah? But wait! These comments indicate that the victim has Formaspassphobia (a habit of forgetting passwords). Apart from that, this is the third account of the victim. This info made me assume that this account must have some sort of weak password. So I created a list of 15 to 20 passwords, and indeed I found the correct password. I know everybody has numerous weak passwords, but exposing multiple weak points like this makes it easy for hackers and saves them time. Now imagine this with a cyber criminal. They could use it in many ways. However, being a white hat, I did not do anything terrible. Instead, I sent them a message to change their password and helped them secure their account.

Everything can be weaponized:

A case of a similar nature: a friend shared a screenshot of a giveaway he received without blurring the coupon code or the link, and someone else used it before he did.

There are many other such incidents. In one, XYZ company shared an offer on Facebook and asked their followers to comment with their email addresses, mentioning that some lucky winners would get free stuff from the company. A hacker saw the post and the email addresses in the comments, created a fake email account in the name of the company, and wrote to all of the addresses from the comments about their selection. He exploited all of them by hosting a phony login/malicious site or sending them a malicious attachment in an email, and did much more than that.

Phishing and vishing can be identified easily, but once a hacker gets to know what exactly you want, what exactly you are going to do, and what exactly you have done, he can fool you in a matter of minutes with just a simple text. The more information hackers have about you, the easier it is to make click bait for you. The more precise the data hackers have about you, the easier it is to fool you.

Final Words:

More such incidents are taking place regularly, but everything can’t be shared with the general public. I hope you got the point. War is 90% information-based. The more informed your enemy is about your details and confidential terms, the more vulnerable and exploitable you are. Companies have been hacked by sharing such news and information. You can google it, and you will see hundreds of incidents like this where companies got hacked due to sharing information without prior knowledge.

2000: Think before you speak.

2010: Think before you click on something.

2020: Think and understand before you share or post.

Here is a small podcast from team Secure Purple. I hope watching this will sum up the whole story.

Be internet alert!

Written by:
Adnan Malik & Sineen Saleem

Published in Secure Purple
