Since last week, the 17-year-old security pentester has been in the headlines for his activities of ‘raising security awareness’ among government and educational organizations after they neglected his reports of such flaws, and the efforts seem to have paid off for the duo ‘Kapustkiy’ and ‘Kasimierz.’
In an interview with SecurityAffairs, the young pentester said he has ambitions to work in the cyber security industry.
Last week, Kapustkiy breached the Paraguay Embassy of Taiwan by exploiting the same SQL injection (SQLi) flaw to demonstrate inadequate security in Asia.
While searching for simple SQLi flaws, the pentester found and breached two subdomains of the University of Wisconsin and a subdomain of the University of Virginia; the data, including names, passwords, logins, phone numbers, and other information related to students and staff, was spilled on Pastebin.
Earlier this month, the pentester with the moniker ‘Kapustkiy’ breached the Indian embassies in 7 countries: Switzerland, Romania, Mali, Italy, Libya, and Malawi. But the Indian Embassy didn’t fix the security issues, which led to another breach, this time of the Indian Embassy in New York, and a leak of a small portion of the breached data, excluding US personnel.
Kapustkiy wrote, “I thought they would fix all the vulnerable in their domains and also look at their other domains that maybe could have a simple “SQLi” vulnerable. So guess what? They did not look at all and only fixed some of their domains SMH.” He added, “I’m tired of reporting all the errors that I find on their website that I decided to breach them, NOW FIX YOUR SECURITY.”
The result of the breach? Officials of the Indian Consulate General in New York took notice of his efforts and thanked the 17-year-old for helping them find flaws in their security measures.
Joint Secretary of E-Governance and IT, Sanjay Kumar Verma, personally thanked Kapustkiy in a written statement: “Thank you for your advice. We are fixing codes one by one. Your help in probing websites of various Indian embassies is a great help. While we appreciate your help, please do not post the details on Pastebin.” The post was indeed removed later on, but some non-sensitive information is still available on the site.
Head of Chancery, L.T. Ngaihte, said in the statement, “The Indian Consulate has taken immediate actions to ensure the site data is safe. In addition to New York, Kapustkiy had hacked websites of Indian embassies in countries such as Libya, South Africa, Malawi, Switzerland, Italy, Romania, and dumped the information on the site pastebin.com.”
At the time of writing, reports came in about a breach of the Italian government’s ‘Mobilitia.gov.it’ website, which resulted in a leak of 9000 entries from the database that affected 45,000 users. The attack is an early warning from Kapustkiy to the government website to strengthen its security measures and fix the issues; he reported the issue to the administrators and is hoping to get a reply and get it fixed.
He tweeted, “The website had around 6 databases. I only leaked one of the DB for all those who were wondering. No phones and address are leaked.”
About the Author
Peter Buttler is an Infosec Journalist and Tech Reporter, and a Member of the IDG Network. In 2011, he completed a Masters in Cybersecurity and technology. He has worked for leading security and tech giants as a Staff Writer. Currently, he contributes to a number of online publications, including The Next Web, CSO Online, Infosecurity Mag, SC Magazine, Tripwire, GlobalSign CSO Australia, etc. His favorite areas are Online Privacy, AI, IoT, VR, Blockchain, Big Data, ML, Fintech, etc. You can follow him on Twitter.