ReallyVirtual, a fellow blogger from Lahore, accidentally stumbled across a major security flaw a few weeks back within the website of the Lahore Electric Supply Corporation (LESCO) at http://www.lesco.info/. Keep in mind that LESCO’s original public page is at http://lesco.gov.pk; this alternate website seems to be geared towards support personnel. Following the customer service link at http://www.lesco.info/mc/ takes you to their Human Resource Management System log-in page, which incidentally already has the Guest login and password pre-filled for your convenience.
Once inside the system, a search around the website using the various convenient search options reveals some remarkable information about the electricity consumers in Lahore. The system was designed by a Lahore-based firm called Clicksoft (http://clicksoft.com.pk/), which claims to be a groundbreaking software development organization providing high-end technical solutions … vast experience of Enterprise Resource Planning (ERP) software solutions for demanding mission critical environments in, retail and wholesale, manufacturing, financial services, led by the Lahore-based CEO Naseem Ahmad.
I have no idea whether this data was deliberately placed online or whether this is an accidental link into the back-end portal system. Luckily, one only comes across the names and addresses of all ‘in-process’ applications within the LESCO system; no explicitly revealing data is publicly displayed. But ReallyVirtual, an IT professional, analyzed the system and rightly points out that this easy backdoor access unfortunately opens the door for script kiddies to exploit the system with simple SQL injection techniques and be gifted a truckload of highly private and sensitive information that may be stored elsewhere in the system.
LESCO must be urged to shut down this online system with immediate effect and to take Clicksoft to task for this major security flaw, ensuring that such a mistake never happens again.
A shoutout to ReallyVirtual for discovering this leak and then taking the time to explain it to us. It must be noted that no harm had been done to the LESCO system at the filing of this report; a few screen captures were taken simply to report the leak to the world.
Comments
3 responses to “Lahore Electric Supply Corp (http://LESCO.info) – Honeypot for Privacy leaks”
We are made for the darkness and we are kept in the darkness; therefore we will remain in the darkness.
Have mercy on Pakistan, for the sake of Allah and the Prophet. We are badly affected due to the absence of electricity.
So many people have lost their jobs only due to your negligence.
O hello, stop load shedding…
Otherwise on the Day of Judgment I'll not leave you people…