Since last week the 17 years old security pentester has been in headlines for his activities of ‘raising security awareness’ among the government and educational organizations after they neglected his reports of such flaws, and the efforts seem to paid off for the duo ‘Kapustkiy’ and ‘Kasimierz.’
While giving an interview to the SecurityAffairs, the young pentester said he has ambitions to work in the Cyber Security industry.
Last week, Kapustkiy breached the Paraguay Embassy of Taiwan exploiting same SQLi injection flaw to demonstrate inadequate security in Asia.
While searching for simple SQLi flaws, the pentester found and breached two subdomains of the University of Wisconsin and the subdomain of the University of Virginia; the data was spilled on Pastebin including names, passwords, logins, phone, and other information related to students and the staff.
Earlier this month, the pentester with the moniker ‘Kapustkiy’ breached the Indian Embassy of 7 countries Switzerland, Romania, Mali, Italy, Libya, and Malawi. But the Indian Embassy didn’t fix the security issues, which led to another breach of Indian Embassy in New York and a leak of a small portion of breached data excluding US personnel.
Kapustkiy wrote, “I thought they would fix all the vulnerable in their domains and also look at their other domains that maybe could have a simple ”SQLi” vulnerable. So guess what? They did not look at all and only fixed some of their domains SMH.” he wrote, “I’m tired of reporting all the errors that I find on their website that I decided to breach them, NOW FIX YOUR SECURITY.”
The results of such breach? The officials of Indian Consulate General in New York took notice of his efforts and thanked the 17-year-old for helping them find flaws in their security measures.
Joint Secretary of E-Governance and IT, Sanjay Kumar Verma, personally thanked Kapustkiy in a written statement, “Thank you for your advice. We are fixing codes one by one. Your help in probing websites of various Indian embassies is a great help. While we appreciate your help, please do not post the details on Pastebin,” which indeed was removed later on, but some non-sensitive information is still available on site.
Head of Chancery, L.T. Ngaihte, said in the statement, “The Indian Consulate has taken immediate actions to ensure the site data is safe. In addition to the New York, Kapustkiy had hacked websites of Indian embassies in countries such as Libya, South Africa, Malawi, Switzerland, Italy, Romania, and dump the information on site pastebin.com.”
At the time of writing the news, reports came about the breach of the government of Italy ‘Mobilitia.gov.it’ website which resulted in the leak of 9000 entries from the database which affected 45,000 users. The attack is an early warning to the government website from Kapustkiy to strong arm their security measures and fixes the issues, he reported the issue to the administrators and hoping to get a reply and get it fixed.
He tweeted, “The website had around 6 databases. I only leaked one of the DB for all those who were wondering. No phones and address are leaked.”