Pakistani Identifies Vulnerability in Google Webspam Head’s Blog

Ahmed Mehtab, a white hat hacker and a student of HSSC-II, recently identified a vulnerability in the blog of Matt Cutts, Google’s webspam head.

The vulnerability existed in one of the modules used in the blog and allowed full path disclosure: by triggering it, information such as the full hosting path and the username of the hosting account could be read from the server’s error output.

After Ahmed contacted Matt with the details, Matt thanked him by email and on Twitter. He also wrote a post on his blog about ways to fix the full path disclosure vulnerability, which you can see here.
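As an added illustration (not code from the original article, from Matt Cutts’s blog, or from the affected module), here is the pattern behind most full path disclosure findings in WordPress plugins, together with the two defensive layers that close it. The plugin name, file path and hosting username in the comments are constructed placeholders, not values from this page.

```php
<?php
/**
 * Added example, not code from the original article or the affected plugin.
 * Hypothetical file: wp-content/plugins/demo-plugin/demo-plugin.php
 *
 * Full path disclosure in a WordPress plugin usually needs two things:
 *   1. a plugin file that calls WordPress functions at top level, and
 *   2. PHP configured to print errors to the browser (display_errors = On).
 * Requesting the file directly, outside WordPress, then fails with a message like
 *   Fatal error: Uncaught Error: Call to undefined function add_action() in
 *   /home/example-user/public_html/wp-content/plugins/demo-plugin/demo-plugin.php on line 33
 * which reveals the hosting path and, through it, the hosting account name.
 * (The path and username above are constructed for illustration.)
 */

// Layer 1 (plugin side): refuse to run outside WordPress. WordPress defines
// ABSPATH in wp-load.php before any plugin is included, so a direct request
// never reaches the add_action() call below and no error message is produced.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit( 'Direct access is not allowed.' );
}

// Layer 2 (server side, normally set in php.ini rather than in plugin code):
//   display_errors = Off   -> never send error text to the visitor
//   log_errors     = On    -> keep the same detail in the server log for the admin
// In wp-config.php the equivalent WordPress switches are
//   define( 'WP_DEBUG_DISPLAY', false );  define( 'WP_DEBUG_LOG', true );
// Runtime ini_set() only affects errors raised after this point, so the guard
// above remains the primary fix for the direct-access case.
ini_set( 'display_errors', '0' );
ini_set( 'log_errors', '1' );

// Normal plugin code. Without the guard above, this is the line that would
// fault on a direct request and print the full filesystem path.
add_action( 'init', 'demo_plugin_init' );

function demo_plugin_init() {
    // Plugin logic would go here.
}
```

The guard is the fix a plugin author controls; the error-display settings are the fix a site owner controls, and they also cover every other file on the host that could fault in the same way.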


A self-taught white hat hacker, Ahmed Mehtab has previously helped companies discover bugs and exploits, among them Motorola, Concise, Nokia, Fastmail, Cyber Secure Pakistan and Ultraspectra.

His report of a DNS vulnerability in Motorola’s website, which allowed an attacker to download files from their servers, drew appreciation from Richard Rushing, the head of Motorola’s security team. Concise Courses offered Ahmed free passes for courses on their online portal after they fixed a bug with his help.

After he finishes high school, Ahmed plans on getting certified and helping Pakistan in the mounting cyber war against rogue groups and nations.


  • This is news? The blog is a PERSONAL non-Google-hosted blog.

    Secondly… it’s a dumb PHP problem with a WordPress plugin. I am sure you are bored of me making fun of PHP, but really… this is not a high achievement.

    • Uncle, for your information, a vulnerability is a vulnerability. Now don’t get jealous. Allah gives honour to whomever He wishes and withholds it from whomever He wishes; you can’t do anything about it, so keep burning. FPD is a vulnerability, and Matt Cutts accepted that too.

      • Man, all I am saying is that it’s a boring, ordinary problem with PHP sites.

        Something that hundreds, if not thousands, of servers are affected by and have been for a while.

        The only ATTEMPT at making it a headline is that the Google anti-spam person just happened to use it. Use it, not even write it.

        That is like finding a problem with an LED TV and then making a headline just because some random famous person also owns it. Is that really as newsworthy as the actual problem? No.

        Come back when you find a real problem.

        • Don’t worry, jealous man, one day you will get an award from ProPakistani for being stupid, ignorant and jealous.
          Sick-minded person!

          • He is a bit nuts, true, but certainly 10 times more knowledgeable and skilful than all ProPakistani readers. If he could do away with some of his strange tendencies, he would make one fine high-level executive in some reputable tech org.

            • Hahahahaha.
              Who, him?
              You are Shahid Saleem; idiot, you don’t have the guts to reply from your own ID.
              Don’t make fools of people here.

              • Hahahahaha…!!! What’s going on, dear brother…!!! Relax, relax!! Here you can’t win a war :D

          • So the person who uses someone else’s name and display pic thinks I am jealous. Hmm…..

            • Why don’t you make your own blog, Uncle? Your English level is better than Aamir Aatta’s, I can guarantee. Then we will see what type of news you publish, and then we will all go together to your blog to criticize your PHP news etc. :D :P :)

              • But I do have my blog. Two blogs! One from 2005 and one from 2003. They are updated on an infrequent basis.

                But here is the important thing: I don’t use my blogs to earn money, so I feel zero pressure to post sensational articles or posts with misleading titles. As such they are not important to you.

                • I think you commented on the wrong side; you should comment to Shahid Saleem :D I’m asking him, but he isn’t responding to me. Perhaps he can tell you. :P

                  @shahidsaleem:disqus! Please tell me your blog, and @aamir7:disqus and I will be your visitors. It will be an honor for me. :)

        • Dear, you are not aware of hacktivism and the cyber world related to security. In our world it is considered an achievement, and for your information it’s a vulnerability and hackers can take advantage of it, so a web developer must patch it before someone does. Even Matt accepted and appreciated it, so who are you for me to care about?

          • Don’t argue with him; haven’t you heard that arguing with a stupid person makes you a stupid person?

          • Hahaha, you really are a piece of work, man. In YOUR world, it is indeed an achievement. Among the blind, the one-eyed man is king. But in the world of educated and experienced people, it means squat. Matt is a white man, and a very civilized man. If you even hand him a cup of coffee, he would thank you for that. If his RT has inflated your ego so much that you are ridiculing others, I can see your teen-ness. Good luck :)
            Perhaps I should inform him that his RT is making you crazy and you are misrepresenting it as an endorsement of your ‘capability’. He will then delete the RT. Go and make fools of illiterate people. There are plenty here too, anyway. Shouldn’t they all throw some parties celebrating your ‘achievement’?

            • Oh, how much will you burn, brother? Stop it. If you have your own user ID, why are you commenting as unknown?
              Whatever you say, everyone knows you are Shahid Saleem.
              Go get a life, idiot.

              • My first comment was “He is a bit nuts…” But keep thinking it’s Shahid Saleem. lol I am justifying myself to a random nobody who, for some deranged reason, decided to be a despicable Amir Liaquat in the virtual world. Like dad, like son, eh?

                • Hahahahaha, whatever you say, stupid. Why do you act like another person?
                  Maybe unable to answer, like people can’t in front of their dad?

                  • Wisecracker, you’ve come down to your true level now. Go crack your jokes at your mother, not online. Amir wannabe. By the way, words like “stupid” and “idiot” are used by uncouth girls. Could you please gtfo? Your nose is getting too brown.

                    • Hahaha, looks like you can’t take it. Please let me know your address; I’m going to send the fire brigade because someone’s a** is burning like hell.

                    • Sir, these days people start it themselves, even knowing that the respected Dr. Amir Liaquat is on the other side, who spares nobody on TV.
                      Otherwise I’ve never used such language.

          • But what does that have to do with the anti-spam person? Nothing.

            Now if it was some Google ***Security*** person, that would be embarrassing. But you know what? It doesn’t seem like Google security employees use PHP. Now what does that tell you about PHP?

            As far as the attack goes, there is so much crappy PHP code that really a hundred new attacks will be out by April. Yawn.

          • You are not very knowledgeable if you think PHP holes make me jealous. I truly despise the language. PHP holes are found every month, and in terms of scale, this one is nothing.

            • Well, come to the point: what about the fact that I found the DNS-side vulnerability in Motorola and reported 4 malicious vulnerabilities there, reported 1 to Nokia, reported 2 to Samsung? Now get jealous, baby.

      • Your argument amounts to this: whether a degree is real or fake, it is still a degree. Whether a vulnerability is big or petty, it is still a vulnerability. I bet you can’t type the word vulnerability without the aid of a spell checker. Just ask Google to offer you a job now as their security head hahaha :D
        We are not short of attention whores. The list just grew by one.

          • Do you really think that only Shahid Saleem will laugh at this “ridiculous” achievement, where a kid whose balls haven’t even dropped yet is acting superior? It shows your limited knowledge and insight into such things. People like you were applauding and cheering con men like Ammar Afzal. It does not get worse than that. Mind you, real professionals and capable people rarely visit blogs and all that. They spend their time doing better things than engaging in fights with idle and loafing ___ like you :)

      • Money and respect before their time are not good. That’s what has happened with you, Ahmed Mehtab. Look at your choice of words for someone who is much older and much more experienced than you. You may not agree with someone’s views, but you should at least be humble and respectful when you disagree with someone. You might have done a great job, but the way you have responded has lowered your respect, and mind it, your humility is something that pays off, not your ultra super technical skills.

          • Man, what kind of person are you? You post comments yourself and then reply to your own fake comments? May Allah reward you for such fine thinking. As for me, I am nothing; this honour is granted by Allah, and He gives it to whomever He wishes and withholds it from whomever He wishes.

            • No, Brother!! I didn’t write the above comment that you’re mentioning. If a person writes such a comment, I’ll never like and comment on it; he knows people can easily identify it. If you see the time of my like and comment you will feel the difference: then why didn’t I comment on that comment at the same time? I swear I didn’t write the above comment. If you’re doubting, please trace the IP address of the above comment and my comment. Perhaps @aamir7:disqus can help! He knows me best; he knows what my English level is, etc. Again, if you were hurt by my response “Agree”, I’m really, really sorry!

  • Wow, wow, dear…. You’re something…. ;) We were sure from the start, but the opposition folks were stirring up a bit of trouble….. :D

    Muhammad Ahmed aka Sniper Haxor

  • News for an FPD in a WordPress plugin? Come on, my man, seriously. Pakistanis are doing a lot of good in bug hunting; you never post those news items that actually deserve to be here. :/

    • In fact I am very surprised there is still no story or warning about Lenovo laptops on this blog. How can anyone miss such a huge story of this week???

      • Maybe that’s because that news is not related to Pak, but yes, that’s big news too. But this post here is totally a joke. A lot of Pakistani security researchers have done and are doing big things. It’s unfortunate that they don’t get news coverage. News about an FPD in a WordPress plugin is a slap to the Pakistani information security community.

    • Scroll to the top and select “tweets and replies”. It is a reply, so it shows on a different page.

  • You do not need to fight over this. What is going on below is idiotic from both sides of the argument. First of all, yes, PHP is a very poor language and WordPress is full of bugs, and yes, Ahmed Mehtab did not uncover this vulnerability first; it is a known problem in some old versions of WordPress and PHP (and it has been known for quite some time). Read this article https://www.owasp.org/index.php/Full_Path_Disclosure for info.

    But again, this does not mean that Ahmed Mehtab did not achieve anything. His achievement is worth mentioning and worth a page on any tech news site, and I am proud of my fellow brother and Pakistani Ahmed Mehtab. Keep it up, brother, and work hard. When a person uncovers a vulnerability that is not known in such widely used software as WordPress, he becomes famous worldwide, and I see the talent in Ahmed Mehtab to achieve that too, because at this age, this is just wow, man.

    To round up my tiny article: what did Ahmed Mehtab actually and clearly do in this particular case? He discovered that a particular blog has that known vulnerability. Why? Because that blog, or the hosting server which was hosting the blog, was using an old version of PHP/WordPress. Now this does not take anything away from Ahmed Mehtab, because it needs self-study, hard work and research to find known vulnerabilities in sites (sadly, in Pakistan we know our education level, alas). Yes, it takes only a program and some scripts you will need to learn and run against your target, but no one will teach you that stuff, and information about it is scattered and incomplete on the internet. This is one of the most difficult kinds of info to find among anything you will search for on the www. So kudos to Ahmed Mehtab; he is a talented kid and this should be appreciated.

    • Look! I found out that “+” can be used to add things! Like 3+5 = 8! Wow! Now give me international recognition too!!!!

