

How to Hack Lahore Electric Supply Company Website


Okay, this is hilarious and, of course, quite concerning as well. In this article I'll teach you how to hack the website of the Lahore Electric Supply Company and access all their data regarding their applications and issues.

Apart from that, you can also easily access personal, private information that should be under customer privacy, from the name of the LESCO customer to his address and everything.

Step 1: Log On to http://www.lesco.info

Step 2: Go to Customer Service from the left side bar http://www.lesco.info/mc/default.htm

Step 3: The user name and password fields are already filled in; just click "Enter Now"

You will successfully log into the LESCO database and get access to all the information of their customers. You can search for people, and you can feel happy about the following things:

  1. How easily LESCO has violated our privacy
  2. Imagine if your credit card bill were available online like this ... for the world to see
  3. You don't have to be a genius to hack a Pakistani website
  4. Let's wait and see if they read this post and do something about it
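
A check for the condition in Step 3, credentials sent to the browser as pre-filled form values, written here as an added example (not code from this post or from LESCO). The sample forms are constructed; the `form_password` field follows the markup quoted in the comments, while `form_user`, the form action and the `USER_HINTS` name list are assumptions.

```python
from html.parser import HTMLParser

USER_HINTS = ("user", "login", "uid")  # assumed naming convention for username fields

class LoginFormAudit(HTMLParser):
    """Flags login inputs whose credentials are shipped in the page source."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, field name, reason)
        self._form = None   # inputs collected for the form being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = []
        elif tag == "input":
            entry = (self.getpos()[0], a.get("type", "text").lower(),
                     a.get("name", ""), a.get("value", ""))
            if self._form is None:
                self._report([entry])  # input outside any <form>
            else:
                self._form.append(entry)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self._report(self._form)
            self._form = None

    def _report(self, inputs):
        has_pw = any(typ == "password" for _, typ, _, _ in inputs)
        for line, typ, name, value in inputs:
            if value and typ == "password":
                self.findings.append((line, name, "password value in page source"))
            elif value and has_pw and typ == "text" and any(h in name.lower() for h in USER_HINTS):
                self.findings.append((line, name, "username pre-filled beside a password"))

def audit(html):
    parser = LoginFormAudit()
    parser.feed(html + "</form>")  # extra end tag flushes a form left unclosed
    parser.close()
    return parser.findings

# Constructed sample: the weak form, then the same form with no shipped values.
WEAK = ('<form action="/login" method="post">\n'
        '<input name="form_user" type="text" value="guest">\n'
        '<input name="form_password" size="25" value="Welcome" type="password">\n'
        '<input type="submit" value="Enter Now"></form>')
FIXED = WEAK.replace(' value="guest"', "").replace(' value="Welcome"', "")
```

`audit(WEAK)` reports both fields with their line numbers and `audit(FIXED)` returns an empty list. Emptying the `value` attributes only removes the credential from the markup; what the account behind it may read is still decided on the server.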

Comments

My goodness.... it really is true. Are these guys crazy or what. The whole database of all the Electricity connections in Lahore is openly available to the whole world and LESCO is least bothered about it. Even if it is a mistake, it's the most ridiculous one I have ever come across.

cool..... :)

Well.. correct me where I am wrong..

It seems to be a database of Electricity installation application forms.. and status of them. Although the way they did it seems bizarre... the login 'guest' and default password might also suggest that it's a search engine.. web applications really don't have 'guest' login.. it could be 'intentional'...

Well Postman, if that really was the intention, then the search should have been restricted to Application No, Consumer ID, OR at most with Consumer Name & Consumer Address. The database however is completely open for all to go through. I mean what is the sense in giving the option to make available all the Installed Connections in all the months of all the years?

What do you say. 

I already stated it.. it's a poor implementation. What else have you been able to extract from this site apart from the parameters you already mentioned? I didn't explore the whole. (why does my last statement sound so indecent?! :p)

It's a simple violation of privacy of customers, and LESCO should be SUED for that ...

What has been revealed?

Well it seems the database has just been pulled down - I can access the Login Screen but after that it's a blank page - whatever post they read it may have worked that resulted in a sudden panic disconnect

There is a 'refined' approach to the issue at KESC's website.. give the account number and you'll get a history of bill payments for example. My limited time there at LESCO website did not indicate any 'potent' information reveal... perhaps I didn't dig deep...

@ Teeth Maestro
The database is still up there and is very much accessible. Just checked it.

@ PostMan
Are you verifying all other Electricity Supply websites! Try Gas, Telephone and Water also.

Well maybe my cache is acting up - but I just checked the HTML source code and it seems the Password in the login field is PASSWORD itself ;) how brilliant

 

<code>
<input style="border-color: blue blue black; background-color: white; color: black; font-size: 17px;" name="form_password" size="25" value="Welcome" type="password">
</code>

 

sorry typo on that - the password value is WELCOME

well, apparently, they did read this post cuz i can't get through:P