How I Hacked Actor Vijay’s Political Party Website (Tamilaga Vettri Kazhagam – TVK)

Source: Infosec Writeups – How I Hacked Actor Vijay’s Political Party Website

A security researcher discovered sensitive user documents publicly accessible on actor Vijay’s political party website (TVK). The exposed data included personal details of multiple users, highlighting a severe data privacy vulnerability.

You Should Know:

1. Identifying Exposed Directories

Use tools like `dirb`, `gobuster`, or `wfuzz` to scan for open directories:

gobuster dir -u https://tvk-party-website.com -w /usr/share/wordlists/dirb/common.txt -t 50

Explanation:

  • -u: Target URL
  • -w: Wordlist for brute-forcing directories
  • -t: Threads for faster scanning

2. Checking File Permissions

If permissions or access rules on the server are misconfigured, sensitive files (e.g., `.env`, `config.php`, `user_data.xlsx`) may be exposed.

curl -I https://tvk-party-website.com/secret-documents/userlist.pdf

Expected Output:

  • If `HTTP/1.1 200 OK` appears, the file is accessible.

3. Extracting Exposed Data

Use `wget` to download exposed files for analysis:

wget https://tvk-party-website.com/exposed/user_data.csv

4. Reporting the Vulnerability

If no official reporting mechanism exists, follow responsible disclosure:

1. Document the issue with screenshots.

2. Contact the organization via email (e.g., `[email protected]`).

3. If no response, escalate via platforms like CERT or HackerOne.

5. Securing Your Own Web Apps

Prevent similar leaks with these steps:

  • Disable Directory Listing (Apache):
    Options -Indexes
    
  • Restrict File Access (Nginx):
    location /private/ { deny all; }
    
  • Use `.htaccess` Protection:
    AuthType Basic 
    AuthName "Restricted Access" 
    AuthUserFile /path/to/.htpasswd 
    Require valid-user 
    

6. Automating Security Checks

Run a quick vulnerability scan with Nikto:

nikto -h https://tvk-party-website.com
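
On the defending side, the sequence in steps 1 to 3 (wordlist enumeration, then a `HEAD` or `GET` that returns a document) leaves a recognizable trail in the web server's access log. The following is an added example, not code from the original post, that flags it; it assumes the common/combined log format, and the sample log lines, IP addresses, thresholds and list of sensitive extensions are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: ip - - [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# File types that should not be served anonymously (assumed list; tune per site).
SENSITIVE = re.compile(r'\.(env|csv|xlsx?|pdf|sql|bak|zip)$|/config\.php$', re.I)

def analyse(lines, min_misses=5, miss_ratio=0.8):
    """Return {ip: [sensitive paths served with 200]} for clients whose
    traffic looks like wordlist enumeration (mostly distinct 403/404 paths)."""
    misses = defaultdict(set)   # ip -> distinct paths answered 403/404
    total = defaultdict(int)    # ip -> number of parsed requests
    served = defaultdict(list)  # ip -> sensitive paths answered 200
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue            # skip lines that do not parse
        ip, path, status = m.group(1), m.group(2).split("?")[0], m.group(3)
        total[ip] += 1
        if status in ("403", "404"):
            misses[ip].add(path)
        elif status == "200" and SENSITIVE.search(path) and path not in served[ip]:
            served[ip].append(path)
    return {
        ip: served[ip]
        for ip in total
        if len(misses[ip]) >= min_misses and len(misses[ip]) / total[ip] >= miss_ratio
    }

def log_line(ip, path, status):
    return f'{ip} - - [10/Mar/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample: one enumerating client and one ordinary visitor.
SAMPLE = (
    [log_line("203.0.113.7", f"/{w}", 404) for w in ("admin", "backup", "old", "test", "tmp", "dev")]
    + [log_line("203.0.113.7", "/exposed/user_data.csv", 200)]
    + [log_line("198.51.100.4", p, 200) for p in ("/", "/about", "/manifesto.pdf")]
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A flagged client with a non-empty list means an exposed document was actually retrieved, which is the case that calls for incident handling rather than only a configuration fix.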

What Undercode Says:

This case highlights the dangers of misconfigured web servers and poor access control. Organizations must:

  • Regularly audit file permissions (`chmod 600` for sensitive files).
  • Implement Web Application Firewalls (WAFs) like ModSecurity.
  • Conduct penetration tests before deployment.

Key Commands Recap:

# Check for open ports
nmap -sV tvk-party-website.com

# Find hidden directories
ffuf -u https://tvk-party-website.com/FUZZ -w wordlist.txt

# Secure file permissions
chmod 700 /var/www/html/private

Prediction:

Unsecured political and organizational websites will continue to be prime targets for data breaches unless secure coding practices and automated security scans become standard.

Expected Output:

  • A detailed report on exposed data.
  • Proof-of-concept (PoC) for the vulnerability.
  • Mitigation steps for the affected organization.

Reported By: Rejen Thompson – Hackers Feeds