Thus Spaketh Idd Salim

My Interesting half-day at Safaricom headquarters, Westlands

by on Jul.14, 2010, under Symbiotic, Zunguka

So, today at 9:54am, I checked in after a thorough security search for metals and other things like screwdrivers, hacksaws, pangas (machetes) etc; stuff that can be used to HACK servers. (Fck! As I blog here, I just remembered I LEFT MY ID THERE!)

So we were welcomed with the usual 'leteni IDs' ('hand over your IDs') Kenyan greeting and we waited to be led to the training room. I sat on row 1 and the training started at 10:01 sharp. Bwana Dennis Makau was our tutor and this guy really knows his stuff. Lively and not a boring monologuing guy. He took us through all we wanted to know. He had rich knowledge of everything. 10 outta 10.

Mpesa is REALLY one powerful tool, especially to developers.

Then came the tea break. I seized the chance and took my time to walk the SmartTV ladies and the Sarova team through how they can really leverage Mpesa (powered by the virtual or dedicated modules of pay.Zunguka.com) to maximize their profits and improve customer care, to a level Mpesa does not deliver: the last mile.

After my pitch, still at the tea break, I checked out the Dell sites and Gmail and decided, "let me check my website". Ha! Bummer!

IddSalim.com is Blocked from Safaricom LAN

And then came the hack

As you would expect, I couldn't just sit there with all my skills. So I decided to poke around a little.

No, I did not escalate my privileges, get access to MJ's PC and download data from their SQL Servers etc, like all my hack-mates would have expected. I am a white-hat hacker, remember? I just prodded the systems. I discovered quite a few things.

1 – Mpesa Web Interface source code is susceptible to SQL Injection.

Mpesa Input not 100% Sanitized.
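To make the "not 100% sanitized" point concrete, here is an added illustration, not the Mpesa web interface code and not a description of its actual query: a lookup built by string concatenation beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table. The table, column names, merchant rows and attacker input are all assumptions made for the example.

```python
"""Unsanitized input vs. a parameterised query, on a constructed in-memory
SQLite table. Added example: this is NOT the Mpesa web interface code; the
table, columns, rows and inputs below are assumptions for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny 'merchant' table standing in for
    whatever table a real merchant-lookup form would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchant (id INTEGER, name TEXT, till TEXT)")
    conn.executemany(
        "INSERT INTO merchant VALUES (?, ?, ?)",
        [(1, "Sarova", "100100"), (2, "SmartTV", "200200"), (3, "Zunguka", "300300")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, till: str) -> list:
    """Builds the SQL by concatenation: the user-controlled `till` value is
    pasted into the statement, so a quote in the input changes the query's
    structure instead of being treated as data."""
    sql = "SELECT id, name FROM merchant WHERE till = '" + till + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, till: str) -> list:
    """Same query with a bound parameter: the driver passes the value
    separately from the statement text, so quotes in `till` stay literal."""
    return conn.execute(
        "SELECT id, name FROM merchant WHERE till = ?", (till,)
    ).fetchall()


def vulnerable_error_message(conn: sqlite3.Connection) -> str:
    """A lone quote breaks the concatenated statement. If the application
    echoes the driver's exception to the browser, this is the kind of
    database detail a user should never see; returned here for inspection."""
    try:
        lookup_vulnerable(conn, "'")
    except sqlite3.Error as exc:
        return str(exc)
    return ""


HONEST_INPUT = "100100"
INJECTED_INPUT = "x' OR '1'='1"   # constructed attacker input


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, HONEST_INPUT))    # [(1, 'Sarova')]
    print(lookup_vulnerable(db, INJECTED_INPUT))  # all three rows: the tautology wins
    print(lookup_safe(db, INJECTED_INPUT))        # []: no till is literally that string
    print(vulnerable_error_message(db))           # driver syntax error, leaked if echoed
```

The injected string turns the concatenated query into `... WHERE till = 'x' OR '1'='1'`, which matches every row; the bound-parameter version looks for a till that is literally `x' OR '1'='1` and finds nothing. The fix is the query shape, not input filtering: escaping helps, but binding parameters removes the problem class.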

I took Mr Makau through a process where the Vodacom Mpesa SSL Certificate can be spoofed and replicated to grant access to rogue machines. Also, I mentioned to him the logic bug where after an account has been closed, the user session gets ‘bamboozled’ and the interface gives DB Server information.

But all in all I was really, really impressed with the accounting procedures and logic, flow logic and overall eagle-eye view of the system.

As a business tool, the Mpesa web interface is perfect. But its security was well-thought... well-googled... but not well-consulted.

Back to code!


  • http://www.mbuguanjihia.com/ Mbugua Njihia

    well-thought… well-googled… but not well-consulted :-)

  • Rutodenis

    the Training was good

  • http://twitter.com/Afrowave Afrowave

    Idd, it's good to know that Safcom staff CANNOT read your blog. Imagine what "injections" that would do to the human resource.

    The DB injection possibility is kind of surprising since we get "enough" exploit warnings from PCWorld articles and white papers. However "hurray" for being an "outstanding" Kenyan. Not the usual thing.

  • iddsalim

    hahhahaa.. You are making me sound evil.

  • Edwinabuga

    That they let you inside the building is a surprise. I think you're beginning to soften up to Safcom. They didn't ask the guy from the SIM registration ad to give you a call, did they?

  • .. yet another noob

    Whoa! Safcom invited you into [of all places] their HQ... jeez! It would have made more sense if they'd invited some Al-Shababs.

    I'm telling you Salim... those guys are up to something! Stay sharp!

  • that vb-n00b

    ... just tried registering on pay.zunguka.com. The captcha's missing.

  • Falafulani

    I don't get the point of your visit. You were being trained on what aspects of M-Pesa?

  • iddsalim

    C2B model…

  • iddsalim

    You tried when I was updating something.. try now...

  • John

    Isn't that a training platform you have displayed here? It's not the real thing so it's not expected to be secured, I guess.

  • iddsalim

    Well, that is what we all hope, isn't it? Sadly, the only thing that was for training was the account. We were using the LIVE system.

  • Dd

    .... 1 year later, I go in, and it's still no sanitization (I'd imagined that this page was well monitored, and that a fix was made minutes after the above fix)
    ... btw, is it fixed on the real interface?
