LooseGoose

Story time: how my friends and I exposed critical CoinDCX vulnerability

One of my friends is a white hat hacker with excellent credentials and keeps poking around on the internet, so does the rest of our gang.

We used to educate new users in TG communities about crypto, scams to avoid and 101 stuff. Have also reported on shady stuff from many exchanges over the years.

One particular instance was when my friend found a vulnerability that allowed him to gain admin control over coindcx exchange (had done it with koinex as well previously, reported to the team ethically).

He reported it to them and got completely ignored. Tried to patch it on their own but didn't do it well enough. They were basically unresponsive.

We were forced to release a podcast with redacted info and basic details on how it was possible. Within 24 hours they reached out to us for a proper fix and agreed to pay him a bounty for his work. That's what it took for them to take their security seriously.

We took down the podcast after it was fixed. But this is a common theme with most Indian startups and organisations. Security always takes a back seat. And this isn't the only company that did this with him.

Anyways, hmu if you need help with infosec, VAPT or cybersecurity in general.

14d ago36K views

witty_situation

Updeed13d

Totally unrelated but someone wants to transition into the security space from software engineer what resources he/she can use on the internet?

LooseGoose

Stealth13d

There's plenty online already tbh, install Kali Linux and mess around with things. Try out basic man in the middle attacks using virtual machines and test devices. Do free courses, YouTube also has plenty of stuff. Follow hackers and infosec people on Twitter.

Join ethical hacking communities if you like. There's rekt.news for web3 which i can recommend, great newsletter too. Try out bug bounty programs and keep upgrading your knowledge base of various languages and exploits.

Cybersecurity is one domain where degrees and professional experience doesn't matter as much, as long as you're good.

Slash

Zynga13d

Start with the foundations. Portswigger has great content - both theory and practical labs. They do some great research and have plenty of blogs as well. OWASP will give you a good sense of different classes of vulnerabilities.

Hackthebox and tryhackme have some great learning paths for beginners and a good collection of practice machines.

Google for purposely vulnerable applications. You’ll find plenty of them to practice your skills. Since you’re a dev you can read the code of these apps and see how vulnerabilities are introduced in a product.

Also, it’s equally important to focus on remediating these vulnerabilities and not just hacking. OWASP has some great resources to understand secure coding practices.

While Kali Linux is a go to tool for pentesting/hacking, it’s not necessary to use it. Ubuntu/windows work just fine.

TechMaverick

Stealth13d

Oh wow, this is actually really interesting 🤔

SebastianVettel

software developer13d

Hey man, I did find a critical bug in Swiggy recently which results in duplicate payments. Could we connect to explain it in detail? Need to know what all actions I can take since so far they have been unresponsive even when I shared video proofs

Pirate0078

Swiggy13d

Can you share the details in dm?

SebastianVettel

software developer10d

Hey @LooseGoose , can you tell me how to go about it?

FastVisor

Happiest Minds13d

This is awesome, but if you released the podcast, there might be hackers which might have used the weakness to gain access until the fix was provided.

LooseGoose

Stealth12d

I know, that's why we redacted as much as we could. But the vulnerability could have been exploited by others too if they understood the method.

That's what forced them to take it seriously and act quickly, otherwise they would have taken their own sweet time.

PureTablet

Student13d

How to become a White Hat Hacker

LooseGoose

Stealth12d

Understand the basics of security and how it can be exploited. Not everything requires coding either, today India is filled with social engineering hackers and scammers. Learn everything you can about systems and vulnerabilities.

Discover more

Curated from across

Or get it on the stores.

Privacy Terms

Guidelines Help