hacker, security researcher; alum @cis_india, @hasgeek; blog at karansaini.com

New Delhi, India
can’t forget this legendary tweet
74
260
3,173
This is a bold, pale faced lie from @svaradarajan. As of 3:52 PM, Devesh Kumar's phone number is still connected to the Gmail account mentioned in this tweet. Those who have his phone number can obviously verify. This may change soon, so please corroborate.
2
197
657
Thanks to this, I now know that you have an Airtel phone number attached to your Aadhaar (99XX5XX977)
Replying to @kingslyj
My Aadhaar number is 7621 7768 2740. Now I give this challenge to you: Show me one concrete example where you can do any harm to me!
45
248
488
Spotted: Graffiti in Bangalore advertising the URL for an onion service.
15
30
348
I'm beyond thrilled to have gotten an opportunity to work on this project. Folks, keep an eye out for the BBC's upcoming documentary on loan apps coming out on October 11.
This is India’s deadliest scam. But who’s behind the abuse? #BBCEye goes undercover to expose the people profiting from misery, fear, and shame. #TheTrap, coming October 11 #BBCDocumentary #LoanAppScam
10
61
304
34,511
what a deluded man
3
1
179
This is just to say I have compromised the database that you mandated upon us with which you had probably intended to take our rights Forgive me it was effortless so vulnerable and so unsecure
5
78
176
this but animated in a quirky, fun way
176
A demonstration of the content modification capabilities revealed as part of @thewire_in's Tek Fog investigation series. The page content and URL were modified by taking advantage of a cross-site scripting (XSS) vulnerability present on the @LiveLawIndia website.
1
54
126
Buried halfway in the YouTube Terms of Service update email is this tidbit: "if you are a publisher of news or current affairs content, you are required to furnish the details of your accounts on YouTube to the Ministry of Information and Broadcasting, Government of India."
2
86
131
I published a list of over 2,700 websites known to be blocked on @ACTFibernet's network. While not completely representative of all blocked websites, this list may still be of use to those attempting to research the scale of web censorship in India: github.com/qurbat/act-censor…
5
43
110
New blog post: Extracting personal phone numbers linked to Aadhaar karansaini.com/extracting-aa…
8
77
112
Not only this, but the email address included in that tweet also has 2FA, as you can see in the second and third screenshots.
1
24
107
As pointed out to me, while it is possible that his accounts, cellular device, and computer have all been compromised at once in some sort of coordinated operation, I personally believe such a scenario to be highly unlikely.
1
21
102
This is not a statement. It is an omissive misrepresentation of Apple's documentation of their threat notifications feature.
2
29
100
5,148
A case of hardcoded credentials and misconfigured routers — exposing dozens of thousands of @ACTFibernet connections in India: huffingtonpost.in/entry/act-…
6
59
79
I urge people to carefully read the wording of this post. It irresponsibly downplays the significance of the spate of security notifications sent by Apple to various opposition party members and journalists alerting them of attempted state-sponsored targeting of their phones.
#apple issues statement “Apple does not attribute the threat notifications to any specific state sponsored attacker. State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future.”
2
20
70
7,655
The chats so far shown in the news contain the ‘phonenumber@s.whatsapp.net’ artefact with each message, which is indicative of data extracted from the ‘msgstore.db’ file present on the phone of the sender or recipient.
In a way, have to be thankful to Navika Kumar to make people more serious about privacy & security. It is important to know that the leaks are deliberate, and the source are the security agencies and Navika is no hacker. The Govt lies when they tell you that your data is secure.
1
21
67
A historic parallel from Vietnam in 1963. time.com/3791176/malcolm-bro…
1
4
58
In response to the claims made by UIDAI regarding the #Aadhaar story, here's a video demonstrating the enumeration of the endpoint and exposure of Aadhaar information on Indane's website piped.video/Twep-tZ8rR8
5
76
71
This is great, sadly, "call your local politician and demand library funds" is not an ideal solution for more than half of the rest of the world. People in the Global North have such fanciful notions of morality.
Pirating books and pretending it's some kind of liberatory act is roughly the same as doing a dine & dash at a nice restaurant and thinking you're sticking it to "the man," when actually the waitress will get the cost of your meal docked from her pay.
2
5
58
Of course there are those who have taken these tweets as an opportunity to ring a premature death knell for The Wire's credibility. That is foolish. I'm going to wait for clarifications to be made before convincing myself of - or decisively saying - anything.
1
8
55
.@free_thinker demonstrating a prototype for AltNews’ fact-checking tool at #fifthel
1
16
54
The ‘raw[.]githubusercontent[.]com’ host, which serves files for every single @github repository to users all over the world, has been blocked in India for users of @ACTFibernet, likely at the Govt.’s behest. This will limit and heavily degrade the functionality of the platform.
10
15
45
13,961
New blog post: A 3D Secure implementation flaw which allows an attacker to re-appropriate an OTP that has been generated for a low-value transaction (e.g. 10 INR), for authorizing another transaction of an arbitrary amount (e.g. 1000 INR) karansaini.com/3d-secure-fla…
1
24
40
Two corroborations for the phone number included in the Signal screenshot (which I have been using to communicate with Devesh Kumar for quite some time, now) being the same one that is linked to his Gmail: nitter.app/64_BlT/status/15816024… nitter.app/hatr/status/1581600857…
1
7
35
From today, my piece for @the_hindu on the Election Commission’s experiments with blockchain-based voting thehindu.com/opinion/lead/in…
3
13
37
I reported the cross-site scripting flaw to @LiveLawIndia and they promptly fixed it, however, these flaws are likely to exist on other news websites as well.
1
11
35
What is being done about caller ID spoofing in India? My piece for the Text and Context section in @the_hindu today.
13
36
2,422
Replying to @AnooBhu
nothing of the sort 😳 i just wanted to highlight his outlook on the world
31
The Delhi High Court has held that the right against self-incrimination protected under Article 20(3) of the Constitution extends to the passwords of an accused, i.e., investigating agencies cannot coerce an accused into giving up his or her passwords. A win for civil liberties.
Recently, the Delhi High Court held that no person can be coerced to reveal or disclose their passwords during an investigation against them, upholding their constitutionally guaranteed protection against self-incrimination. 1/5 dhcappl.nic.in/dhcorderporta…
1
20
33
3,456
throwback to when the UIDAI underhandedly referred to me as a “person purportedly claiming to be a security researcher” in response to a security flaw I had reported. the implied depths of the dig are hilarious — though their statement, in entirety, is fabricated and untrue.
We refute the reports in a certain section of media sourced from ZDNet which quote a person purportedly claiming to be a security researcher that a state-owned utility company has vulnerability which can be used to access huge amount of Aadhaar data including banking details. 1/8
3
3
30
3,777
Replying to @SwiftOnSecurity
it's me 😡and i'll do it again!!! it's called reverse-outsourcing, you see. or insourcing for short. enjoy
26
2,548
3
5
26
PsyOp India labeled me as being part of the ‘liberal cabal’ attempting to ‘portray The Wire as the victim of an elaborate hoax.’ This is better than any accolade or recognition I could ask for. LOL.
2
6
27
This is not a good look for CERT-In. If an employee is able to abuse their power this brazenly without being noticed, then what feats could an insider achieve?
CERT-In investigated this matter. Some employees, contesting a case in personnel matter, made a call to Indian Kanoon in their personal capacity asking them to remove the judgment as it puts their names & addresses in public domain. This is not an official communication from Govt
1
11
29
The Election Commission Website Has Put Your Phone Number And Email Address At Risk huffingtonpost.in/entry/elec…
28
23
Attackers exploit cross-site scripting vulnerabilities to steal user data or initiate certain actions from a targeted user's session. The Tek Fog investigation, however, demonstrates that these vulnerabilities are now being abused to manufacture genuine-looking disinformation.
1
12
26
Is my distrust redeemable now? The picture appears to show Devesh Kumar having misled folks at The Wire, not limited only to the story about his accounts allegedly being hacked, but also more maliciously throughout the course of the investigation/publication process.
4
25
Cross-site scripting vulnerabilities allow attackers to execute arbitrary JavaScript code on a web-browser. The content you see in the video was never actually hosted on the @LiveLawIndia website, and was instead rendered in the browser due to the cross-site scripting flaw.
1
9
24
Acronyms are hard
1
2
24
The Supreme Court has dismissed a petition requesting for the source code of Electronic Voting Machines to be made public. The court stated that publishing the source code would make EVMs vulnerable. This line of reasoning is fallacious and ill-informed. m.thewire.in/article/law/sc-…
2
26
27
3,527
The Election Commission of India fixed a flaw in their Right to Information portal that was leaking the name, home address, below poverty line status and other details about every RTI application submitted to them. Story by @JagmeetS13 techcrunch.com/2024/03/07/in…
11
24
2,392
@2600 got this framed :)
1
4
21
The correct question to be asking at the moment: How and why does Indane Gas know who you bank with, especially in a case where you have never been a customer of theirs? Who is providing them with this information?
6
25
23
To be clear, this database was raking in some 2-5 million texts per day for a period of at least two months. Taking a conservative estimate, and not accounting for surges, that would amount to around 120 million records in total, at the very least. nitter.app/zackwhittaker/status/1…
1
11
22
Replying to @ouranosaurus
This is great, sadly, "call your local politician and demand library funds" is not an ideal solution for more than half of the rest of the world. People in the Global North have such fanciful notions of morality.
17
At the recent Kaarana event in New Delhi, I gave a flash talk exploring some methods for partial circumvention of Internet shutdowns. Slides are here: github.com/qurbat/media/blob… piped.video/watch?v=SQHdTeWg…
10
21
Twitter no longer seems to let users know of when a given post has been blocked at the request of the Government. Instead, a nondescript notice is shown, simply reading "This Post is unavailable."
10
22
3,090
dunno how i missed this, but @ecobotnet — a project i worked on along with a few dear researcher friends of mine — won 2022 “Innovation of the Year” at the British Journalism Awards!
The project @EcoBotNet - a long-standing partner in exposing #climate disinfo - just won “Innovation of the Year” at the British Journalism Awards 🎉 Check out their website, built in part from ISD and CASM’s climate dashboards. Eco-Bot.Net
4
20
2,192
I love how all House Committee videos look like they were shot with one particular camera in the 90s
1
17
no ben you have to pay $8 first
16
4,443
This is bizarre. SMS messages with phrases “verification code” or “your OTP” present anywhere within the message content appear to be blocked as well.
Airtel’s screening your SMSes for certain words it seems. medianama.com/2022/03/223-ai…
1
11
19
wisdom from @thegrugq
1
3
17
13,071
This has almost nothing to do with the security of WhatsApp ‘servers’ as people are alluding, and rather deals with how WhatsApp stores message data on phones (that is, in plain text.)
2
5
20
Folks are having some trouble understanding this, so here is a short summary: DMs are never “deleted”—rather only withheld from appearing in the UI. The archive feature lets you view these DMs, as well as any others with now suspended, or deactivated users
Twitter stores your DMs, even if you’ve deleted them nym.ag/2DKGqld
6
11
17
Folks, @bbcindia is hosting in-person OSINT training workshops across a few Indian cities in February 2023. If you’re a journalist, researcher or enthusiast interested in the subject, check out and fill the form linked below by December 31, 2022. docs.google.com/forms/d/e/1F…
13
20
2,574
The most important takeaway here is that E2EE by itself will not ensure message confidentiality. If either device is confiscated, then the only factor left is how message contents are stored locally (and how easily retrievable they are)
1
12
18
Throughout 1998 & 1999, the 2600 Hacker Quarterly dedicated several of their magazine cover pages to bring attention to the "FREE KEVIN" campaign. The campaign played a significant role in helping Kevin Mitnick receive a more lenient sentence following his arrest in 1995.
1
4
17
1,686
Replying to @cyb3rops
PricewaterhouseCoopers? more like PricewaterhouseBloopers, lol am I right or am I right, folks
16
7,038
In the first half of this year, Amazon received and processed a sizeable amount of requests for data, of which 8.9% were from the Indian Government (i.e., 2,400 of 26,972 requests). This does not include AWS data. What kind of data exactly is the Government after?
1
14
18
As the UIDAI issues yet another statement in an attempt to underplay the recent Aadhaar data security incident, my piece from September 2018 on how the authority is attempting to perform damage control for a system that is crumbling at its very foundation: thewire.in/tech/uidai-aadhaa…
11
17
Are you questioning the credibility of anyone who is currently/has previously worked with CIS? You will be making a pretty long list, if that is the case.
16
The issues reported here still have not been fixed in whole. A detailed report with more information should be out sometime next month.
BREAKING: Over 70 government webpages provide unsecured access to demographic Aadhaar authentication, which could be exploited by hackers seeking to unmask full Aadhaars. @digitaldutta and @iasni both found the vulnerability independently.
12
18
The issue demonstrated in the video has been fixed now, some 15 hours after the original article was published. This comes after about a month of no response from UIDAI and/or the affected company.
In response to the claims made by UIDAI regarding the #Aadhaar story, here's a video demonstrating the enumeration of the endpoint and exposure of Aadhaar information on Indane's website piped.video/Twep-tZ8rR8
2
22
16
A shortened URL would probably be ideal for this attack since the payload is ... well, very long. As an added bonus, with a shortened URL, an attacker would also be able to generate a convincing link preview when circulating an article on WhatsApp (or elsewhere).
2
3
15
This project now catalogues over 6,000 websites known to be blocked on the @ACTFibernet network. A list of 1,156 websites blocked by @HathwayBrdband has also been added to the repository as of this update: github.com/qurbat/blocked-ho…
I published a list of over 2,700 websites known to be blocked on @ACTFibernet's network. While not completely representative of all blocked websites, this list may still be of use to those attempting to research the scale of web censorship in India: github.com/qurbat/act-censor…
1
5
15
2,789
I will be presenting a talk on leveraging web application vulnerabilities for reconnaissance and intelligence gathering purposes at @jsfoo 2019! Do attend this Friday if you are in Coimbatore :) hasgeek.com/jsfoo/2019-coimb…
6
15
A great piece from a few years ago by @anmol_smnch thewire.in/economy/aadhaar-f…
1
8
15
i’ll be talking about upi-recon with #cashlessconsumer this saturday. the talk is free and open to all to attend; registration not required. link to the slides and for joining the zoom meet will be made available on this page soon: hasgeek.com/cashlessconsumer…
announcing the release of upi-recon: a command line tool for UPI payment address discovery and reconnaissance. check it out here: github.com/qurbat/upi-recon
1
9
14
3,708
Google uses a bunch of factors to determine whether you should be shown that screen, among others, when attempting to reset an account's password. The fact that I am present in roughly the same geographical area helps.
1
2
13
in a garden where else 😒🫡
12
SIM swapping is not possible in India the same way it is in the US due to regulations issued by the Telecom Regulatory Authority of India, so no, it is highly unlikely. dot.gov.in/sites/default/fil…
14
Is the procedure for this described anywhere? How does one make this request? Also, what if they have already integrated e-KYC data elsewhere?
2
3
11
I have provided clarifications wherever necessary, and I’m including your tweet as well in the thread. No one person or institution’s claim should be beyond scrutiny unless it is easily verifiable. I hope you understand. Thanks.
3
1
10
Last week, I had discovered two vulnerable API endpoints that could have allowed malicious actors to query the full name, email, home address and other associated information of ACT Fibernet users. @gopalsathe writes:
A security flaw could have exposed ACT Fibernet users' home and email addresses gadgets.ndtv.com/internet/ne…
1
6
11
People have been saying this for a while: that The Wire was being taken for a ride in an insidious attempt to damage their credibility. The epilogue from Meta's statement on the XCheck debacle reflects what I feel accurately. about.fb.com/news/2022/10/wh…
1
2
11
A response from @onosmosis and @svaradarajan. Awaiting further information. nitter.app/svaradarajan/status/15…
1
2
12
A new draft bill seeks to punish those who mine or trade in cryptocurrencies. As a convenient alternative, the Government has expressed interest in launching a new cryptocurrency, which will be called 'the Digital Rupee'. What is happening? moneycontrol.com/news/busine…
2
4
10
Sharing this response from @svaradarajan again, as the previous tweet was removed for inadvertently having included Devesh’s phone number.
1
2
11
Rethink Aadhaar and Article 21 are organising a people’s tribunal on Aadhaar-related issues, at the end of this month, in New Delhi. The event is free to attend, though you are more than welcome to donate. Sign-up to attend here: hasgeek.com/rethinkaadhaar/a…
13
12
New blog post: Disclosure of account balance and recent transactions on PayPal karansaini.com/information-d…
6
10
not to be one of those people but cultivating a habit of not using social media really helps with mental health lol
2
9
Here is a quick Hindi translation of the document: docs.google.com/document/d/e…
AN INTERNET SHUTDOWN GUIDE friends, a few kind folks and myself have been working on a communication guide for internet shutdowns. Access the link here: sarkar.icu Please note that this is a work in progress and will be regularly updated for the next few days
5
11
I highly recommend watching this talk by Ramakrishnan N, on the importance of community radio as a method of long term dissemination of information: piped.video/T1PpAHdDziA
4
11
How is this at all different from any of the previous closed door analyses of the EVM? Claims of security need to be open to contestation; special, closed committees are not the way to do it.
Election Commission takes note of the concerns raised by the former IAS @naukarshah on #EVM -VVPAT, orders technical experts to probe whether #EVM -VVPAT are vulnerable to manipulation, reports @poonamjourno. thequint.com/elections/elect…
6
11
They removed it from their website. Here is an archive of Google's cache of it: web.archive.org/web/20191101…
1
11
11