Baptiste Robert Profile picture
Jan 17, 2018 18 tweets 14 min read Twitter logo Read on Twitter
1. I'm tweeting a lot these last days, let make a quick recap
2. @Gioneeglobal, a Chinese phone maker who sell his phone in the US under the name @BLU_Product, made a phone for #NorthKorea. Afaik, they didn't make a public statement.

3. @OnePlus removed the #angela backdoor I found last November from his products

4. I published the decompiled source code of the #DPRK's RedFlag #android app.

5. I found hundreds of infected #android apps with a #Coinhive miner: The site is still up.

6. @makemytrip is tracking his users without their consent. 8 days after this tweet, they didn't make a public statement or contact me.

7. The password of local database in the official #Aadhaar #android app is always the same. 7 days after, @UIDAI didn't make a public statement or contact me.

8. @UIDAI don't know how to sign an app correctly. They didn't make a public statement or contact me.

9. I found 2 "test apps" on the official @UIDAI #playstore account. They didn't contact me but removed the apps few minutes after my tweets.

10. Found 2 ways to bypass the password protection in the official #Aadhaar #android app. @UIDAI didn't make a public statement or contact me.

11. After caught a basic Git error made by @aadhaar_bridge (@KhoslaLabs). They removed their entire aadhaar-bridge repo on #Github. We had a discussion but they didn't explain why they removed it.

12. Found a security issue in the @aadhaarapi's website. They contact me and fixed the issue. I will disclose the details soon.

13. Another bug in the #Aadhaar app. @UIDAI didn't make a public statement or contact me.

14. I found 100 malwares signed with the private key of @lorensiuswlt. He contacted me and denied to be the author. He said he uploaded his private key on the web few years ago.

15. I found a #coinhive script on the @lorensiuswlt's website. He contacted me and took his website offline.

16. @safelyfiled which keep sensitive docs, records, assets and directives digitally #secure is vulnerable to a basic #XSS. They didn't make a public statement or contact me.

17. @NewIndianXpress, an #Indian newspaper is vulnerable to a basic #XSS. They did not make a public statement or contact me.

All this work had been done for free (am I stupid 🤔?), if you want to support my research and pay me the coffee, feel free to send me BTC to this address 382rGcim5vDpztHyy9EDnvtLuAAasJHrEi

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Baptiste Robert

Baptiste Robert Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @fs0c131y

Aug 30, 2018
Let's see how #WhatsApp is encrypting your attachments 1/n
In a #WhatsApp conversation, I sent a TTF file 2/n
In my phone, this TTF file is stored in the sdcard. To be precise here: /sdcard/WhatsApp/Media/WhatsApp Documents/Action_Man.enc 3/n
Read 10 tweets
Jul 28, 2018
The phone number linked to this #Aadhaar number is 9958587977
According to an official @nicmeity circular, this phone number is the number of your secretary….
Is it really your #Aadhaar number @rssharma3?
Read 13 tweets
Jul 13, 2018
Hi @KamalAditi,

Challenge accepted!

Please find below the first flaw of #Kimbho app 2.0 aka how to get the online status of #Bolo users
First thing first, we are talking about this app "Bolo Messenger - Secure Chat, Voice & Video Calls" which is the new version of the #Kimbho app…
When you send a message with the #Bolo app, it is checking if your contact is online with this request. The endpoint is taking the "contact userId" (the 1st black rectangle in the picture)
Read 10 tweets
May 2, 2018
People are stupid... A Youtube account called "DIGISEVA CENTER" showed how to bypass ECMP software in this video
Of course if you like the video you can donate to the Paytm account 7041704604
Thanks to his Paytm account you can find his Facebook page
Read 6 tweets
Apr 13, 2018
Time for a new thread. The #android #application called @moinsbete is one of the most downloaded applications in France. This app is sending without your consent your personal data to @mopub:
- location
- operator
- mcc
- mnc
- country
- screen size
Yes, all these requests to @mopub are HTTP requests... Welcome to 2018...
This is a very good example of data abuse. Every time you open the @moinsbete #android #app with location on, your location is send without your consent to an US based server owned by @mopub
Read 9 tweets
Apr 8, 2018
I’m analysing #KevDroid samples the new #Android #malware discovered several days ago by #ESTSecurity
The samples are available on @koodous_project and @virusbay_io
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!