
Story time: how my friends and I exposed a critical CoinDCX vulnerability
One of my friends is a white hat hacker with excellent credentials who keeps poking around on the internet, and so does the rest of our gang.
We used to educate new users in TG communities about crypto, scams to avoid and 101 stuff. We have also reported on shady stuff from many exchanges over the years.
One particular instance was when my friend found a vulnerability that allowed him to gain admin control over the CoinDCX exchange (he had done it with Koinex as well previously, and reported it to the team ethically).
He reported it to them and got completely ignored. They tried to patch it on their own but didn't do it well enough. They were basically unresponsive.
We were forced to release a podcast with redacted info and basic details on how it was possible. Within 24 hours they reached out to us for a proper fix and agreed to pay him a bounty for his work. That's what it took for them to take their security seriously.
We took down the podcast after it was fixed. But this is a common theme with most Indian startups and organisations. Security always takes a back seat. And this isn't the only company that did this with him.
Anyways, hmu if you need help with infosec, VAPT or cybersecurity in general.

Totally unrelated, but if someone wants to transition into the security space from software engineering, what resources can they use on the internet?

There's plenty online already tbh, install Kali Linux and mess around with things. Try out basic man in the middle attacks using virtual machines and test devices. Do free courses, YouTube also has plenty of stuff. Follow hackers and infosec people on Twitter.
Join ethical hacking communities if you like. There's rekt.news for web3, which I can recommend, and a great newsletter too. Try out bug bounty programs and keep upgrading your knowledge base of various languages and exploits.
Cybersecurity is one domain where degrees and professional experience don't matter as much, as long as you're good.

Start with the foundations. Portswigger has great content - both theory and practical labs. They do some great research and have plenty of blogs as well. OWASP will give you a good sense of different classes of vulnerabilities.
Hackthebox and tryhackme have some great learning paths for beginners and a good collection of practice machines.
Google for purposely vulnerable applications. You’ll find plenty of them to practice your skills. Since you’re a dev you can read the code of these apps and see how vulnerabilities are introduced in a product.
Also, it’s equally important to focus on remediating these vulnerabilities and not just hacking. OWASP has some great resources to understand secure coding practices.
While Kali Linux is a go-to tool for pentesting/hacking, it's not necessary to use it. Ubuntu/Windows work just fine.

Oh wow, this is actually really interesting 🤔

Hey man, I did find a critical bug in Swiggy recently which results in duplicate payments. Could we connect to explain it in detail? Need to know what all actions I can take since so far they have been unresponsive even when I shared video proofs

This is awesome, but if you released the podcast, there might be hackers who could have used the weakness to gain access until the fix was provided.

I know, that's why we redacted as much as we could. But the vulnerability could have been exploited by others too if they understood the method.
That's what forced them to take it seriously and act quickly, otherwise they would have taken their own sweet time.

How to become a White Hat Hacker

Understand the basics of security and how it can be exploited. Not everything requires coding either; today India is filled with social engineering hackers and scammers. Learn everything you can about systems and vulnerabilities.
Can I get the link to join the TG community?

Our group is private, not for newbies. Otherwise you can check out public groups/communities like rekt news, blockchained India, casual crypto hangout, decentralised.co etc.