Pakistani Identifies Vulnerability in Google Webspam Head’s Blog

Ahmed Mehtab, a white hat hacker and an HSSC-II (second-year intermediate) student, recently identified a vulnerability in the blog of Matt Cutts, head of Google's webspam team.

The vulnerability was in one of the modules used by the blog and allowed full path disclosure (FPD): an error message exposed the absolute filesystem path of the blog on the server, and that path in turn revealed the username of the hosting account. Neither detail is meant to be visible to visitors, and both are useful groundwork for an attacker planning further attacks on the host.
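The check a practitioner would run for the flaw described above, as an added example that is not code from the original article, from Matt Cutts' blog, or from the unnamed module involved: it scans an HTTP response body for PHP error output that embeds an absolute server path and extracts the web root and, on a `/home/<user>/` hosting layout, the account name. The sample response bodies, the plugin name, the paths and the username below are all constructed for illustration.

```python
"""Detect PHP full path disclosure (FPD) in an HTTP response body.

Added example for this article; it is not code from the original page,
from Matt Cutts' blog, or from the (unnamed) module involved. The sample
bodies, paths, plugin name and username below are constructed for
illustration only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# PHP's default display format is "<Level>: <message> in <file> on line <n>".
# <file> is the script's absolute path, which is the FPD leak itself.
PHP_ERROR_RE = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s+"
    r"(?P<message>.*?)\s+in\s+(?P<path>/[^\s<]+\.php)"
    r"(?:\s+on\s+line\s+(?P<line>\d+))?"
)

# Shared hosts commonly place each account under /home/<user>/ (or /home2/...),
# so the leaked path also names the hosting account.
HOME_USER_RE = re.compile(r"^/home\d*/(?P<user>[^/]+)/")

HTML_TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class Disclosure:
    level: str
    path: str                      # absolute path of the failing script
    line: Optional[int]
    webroot: Optional[str]         # WordPress install dir, if the path shows one
    hosting_user: Optional[str]    # account name from /home/<user>/, if present


def find_disclosures(body: str) -> list[Disclosure]:
    """Return every PHP error in *body* that embeds an absolute server path."""
    # PHP wraps errors in <b>...</b> when html_errors is on; strip tags first so
    # the same regex handles both plain-text and HTML error output.
    text = HTML_TAG_RE.sub("", body)
    found: list[Disclosure] = []
    for m in PHP_ERROR_RE.finditer(text):
        path = m.group("path")
        # Everything before /wp-content/ is the WordPress install directory.
        idx = path.find("/wp-content/")
        webroot = path[:idx] if idx != -1 else None
        user = HOME_USER_RE.match(path)
        found.append(Disclosure(
            level=m.group("level"),
            path=path,
            line=int(m.group("line")) if m.group("line") else None,
            webroot=webroot,
            hosting_user=user.group("user") if user else None,
        ))
    return found


def is_full_path_disclosure(body: str) -> bool:
    return bool(find_disclosures(body))


def summarize(body: str) -> dict:
    """Compact report of what a single response leaks, for quick triage."""
    hits = find_disclosures(body)
    return {
        "vulnerable": bool(hits),
        "paths": sorted({h.path for h in hits}),
        "webroots": sorted({h.webroot for h in hits if h.webroot}),
        "hosting_users": sorted({h.hosting_user for h in hits if h.hosting_user}),
    }


# --- Constructed sample responses (hypothetical host, plugin and user) ------

# A plugin file requested directly (outside WordPress) with display_errors on:
# WordPress functions are undefined, PHP dies and prints where it died.
SAMPLE_LEAK_HTML = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function get_option() in "
    "<b>/home/exampleuser/public_html/blog/wp-content/plugins/"
    "example-plugin/example-plugin.php</b> on line <b>12</b><br />\n"
)

# Plain-text variant (html_errors off) on a non-/home layout: the path still
# leaks the web root, but there is no hosting account name to extract.
SAMPLE_LEAK_TEXT = (
    "Warning: include(helpers.php): failed to open stream: No such file or "
    "directory in /var/www/html/wp-content/plugins/example-plugin/admin.php "
    "on line 3\n"
)

# Same request after hardening: `if ( ! defined( 'ABSPATH' ) ) { exit; }` at the
# top of the plugin file (standard WordPress idiom) returns an empty body, and
# display_errors=Off would hide any remaining error text as well.
SAMPLE_HARDENED = ""


if __name__ == "__main__":
    for name, body in [("html", SAMPLE_LEAK_HTML), ("text", SAMPLE_LEAK_TEXT),
                       ("hardened", SAMPLE_HARDENED)]:
        print(name, summarize(body))
```

Two server-side settings close this class of hole, neither of which the article itself prescribes but both of which are standard PHP and WordPress practice: `display_errors = Off` in php.ini (log errors instead of echoing them to the visitor), and the `if ( ! defined( 'ABSPATH' ) ) { exit; }` guard at the top of every plugin file, so that a direct request for the file outside WordPress returns nothing instead of a fatal error naming the script's path.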

After Ahmed contacted Matt with the details, Matt thanked him by email and on Twitter, and also wrote a post on his own blog about ways to fix full path disclosure vulnerabilities.


A self-taught white hat hacker, Ahmed Mehtab has previously helped companies discover bugs and exploitable flaws, among them Motorola, Concise, Nokia, Fastmail, Cyber Secure Pakistan and Ultraspectra.

His report of a DNS-related vulnerability in Motorola's website, which allowed an attacker to download files from their servers, drew appreciation from Richard Rushing, head of Motorola's security team. Concise Courses offered Ahmed free passes to courses on their online portal after fixing a bug with his help.

After he finishes high school, Ahmed plans to get certified and to help Pakistan in the mounting cyber war against rogue groups and nations.

Talal is the Chief Operating Officer at ProPakistani.


  • PeeDroid MiNi L100

    Amir bhai, do you really earn that much money daily??
    Or is this website nonsense???

    • aamir7

      No sir... it doesn't earn that much. Yes, if my traffic were from the US it could earn that much. A Pakistani audience doesn't bring in that kind of money.

      For further explanation, read this: https://propakistani.pk/2010/03/18/why-a-pakistani-website-earns-32-times-lesser-than-any-american-counterpart/

      • Dr. Aamir Liaquat Hussain

        I think you too are chasing US/UK traffic :P
        These Facebook page owners are all earning; strike a monthly deal with one of them, or say the word and I'll arrange it for you on a page with a US audience ;)

        • aamir7

          Yes, thank you :-)

          • Arsalan

            Aamir bhai, I live in the US and I visit your site at least 4-5 times,

            • KaKa

              Sir, how very kind of you. It is an honor for ProPakistani that you visit it from the U.S.; I don't know how Aamir bhai will ever repay this favor of yours :D

              • Arsalan

                He keeps us informed, isn’t this enough??

      • Fake Persona

        What if one visits through a proxy? I'm visiting from a UK IP; does that make any difference to the earnings?

        • aamir7

          No, that makes no difference.

  • Shahid Saleem

    This is news? The blog is a PERSONAL non-google-hosted blog.

    Secondly... it's a dumb PHP problem with a WordPress plugin. I am sure you are bored of me making fun of PHP, but really... this is not a high achievement.

    • Ahmed Mehtab

      Uncle, for your information, a vulnerability is a vulnerability. Now don't get jealous; Allah grants honor to whom He wills and withholds it from whom He wills, and you can't do anything about it, so keep burning. FPD is a vulnerability, and Matt Cutts accepted this too.

      • Shahid Saleem

        Man, all I am saying is that it's a boring, ordinary problem with PHP sites.

        Something that hundreds if not thousands of servers are affected with and have been for a while.

        The only ATTEMPT at making it a headline is that the Google antispam person just happened to use it. Use it, not even Write it.

        That is like finding a problem with an LED TV and then making a headline just because some random famous person also owns one. Is that really as newsworthy as the actual problem? No.

        Come back when you find a real problem.

        • Dr. Aamir Liaquat Hussain

          Don't worry, jealous man, one day you will get an award for being stupid, ignorant and jealous from ProPakistani.
          Sick-minded person!

          • aazmoda

            He is a bit nuts, true, but certainly 10 times more knowledgeable and skillful than all ProPakistani readers. If he could do away with some of his strange tendencies, he would make one fine high-level executive in some reputable tech org.

            • Dr. Aamir Liaquat Hussain

              Hahahahaha
              Who, he?
              You are Shahid Saleem, idiot; you don't have the guts to reply from your own ID.
              Don't make fools of people here.

              • Muhammad Aamir

                Hahahaha...!!! What's going on, bhai jan...!!! Relax, relax!! You can't win a war here :D

          • Shahid Saleem

            So the person who uses someone else's name and display pic thinks I am jealous. Hmm.....

            • Dr. Aamir Liaquat Hussain

              Whatever, but I didn't say I think; I'm sure.

            • Muhammad Aamir

              Why don't you make your own blog, uncle? Your English is better than Aamir Aatta's, I could guarantee. Then we will see what type of news you publish, and then we will all go together to your blog to criticize your PHP news etc. :D :P :)

              • Shahid Saleem

                But I do have my blog. Two blogs! One from 2005 and one from 2003. They are updated on an infrequent basis.

                But here is the important thing: I don’t use my blogs to earn money, so I feel zero pressure to post sensational articles or posts with misleading titles. As such they are not important to you.

                • Muhammad Aamir

                  WOW! Please give me the links of your blog. I’ll be your regular visitor.

              • aamir7

                I will be a visitor… and commenter there, promise.

                • Muhammad Aamir

                  I think you commented in the wrong place; you should reply to Shahid Saleem :D I'm asking him, but he isn't responding to me. Perhaps he can tell you. :P

                  @shahidsaleem:disqus! Please tell me your blog; @aamir7:disqus and I will be your visitors. It will be an honor for me. :)

        • Ahmed Mehtab

          Dear, you are not aware of hacktivism and the cyber world related to security. In our world it is considered an achievement, and for your information it is a vulnerability and hackers can take advantage of it, so a web developer must patch it before someone does. Even Matt accepted and appreciated it, so who are you for me to care about?

          • Dr. Aamir Liaquat Hussain

            Don’t argue with him, you didn’t heard that arguing with a stupid person makes you a stupid person.

            • Ahmed Mehtab

              Haha, yep, right sir,
              please do add me on Facebook if you are on it; I want to be social with you http://www.facebook.com/sniperhaxor , http://www.twitter.com/ahmedmehtabpk

            • ahmed mehtab

              Haha, right, and I will answer such people with my hard work in the coming days, Inshallah.

              • Dr. Aamir Liaquat Hussain

                And I wonder whether he read the full news: that he worked for other companies like Motorola, Nokia etc., and the guy is in high school now.
                I bet if he, Shahid, wanted to work for these companies, they might hire him as a sweeper or cleaner, not more than that.

              • aazmoda

                That's the least expected of a Zaid Hamid fan girl. Great leader, great flock. All hail... and then haul all these out :)

            • aazmoda

              “didn’t heard” No we didn’t heard. Did you heard? Keep following your herd lest you get lost :D

          • aazmoda

            Haha, you're a real BBC, yaar. In YOUR world it is indeed an achievement. A one-eyed man is king among the blind. But in the world of educated and experienced people, it means squat. Matt is a gora (a Westerner), and a very civilized man. If you even hand him a cup of coffee, he would thank you for that. If his RT has inflated your ego so much that you are ridiculing others, I can see your teen-ness. Good luck :)
            Perhaps I should inform him that his RT is making you crazy and you are misrepresenting it as an endorsement of your 'capability'. He will then delete the RT. Go on, go fool the illiterate people. Though there are plenty of those here too. Shouldn't they all throw parties celebrating your 'achievement'?

            • Dr. Aamir Liaquat Hussain

              Oh, how much more will you burn, bhai? Give it a rest. If you have your own user ID, why are you commenting as an unknown?
              Whatever you say, everyone knows you are Shahid Saleem.
              Go get a life, idiot.

              • aazmoda

                My first comment was "He is a bit nuts..." But keep thinking it's Shahid Saleem. LOL, I am justifying myself to a random nobody who, for some deranged reason, decided to be the despicable Amir Liaquat in the virtual world. Like dad, like son, eh?

                • Dr. Aamir Liaquat Hussain

                  Hahahaha, whatever you say, stupid; why do you act like another person?
                  Maybe you're unable to answer, like people can't in front of their dad?

                  • aazmoda

                    Wisecracker, now you've shown your true level. Go crack your jokes at your mom, not online. Amir wannabe. BTW, words like "stupid" and "idiot" are used by uncouth girls. GTFO, could you please? Your nose is getting too brown.

                    • Dr. Aamir Liaquat Hussain

                      Haha, looks like you can't take it; please let me know your address, I'm going to send the fire brigade because someone's a** is burning like hell.

                    • aamir7

                      Bhai log, fighting is not allowed here... please be friendly and constructive.

                    • Dr. Aamir Liaquat Hussain

                      Sir, these days people start it themselves, even knowing that they're up against the respected Dr. Amir Liaquat, who doesn't spare anyone on TV.
                      Otherwise I've never used such language.

          • Shahid Saleem

            But what does that have to do with the anti spam person? Nothing.

            Now if it was some Google ***Security*** person, that would be embarrassing. But you know what? It doesn't seem like Google security employees use PHP. Now what does that tell you about PHP?

            As far as the attack goes, there is so much crappy PHP code that really a hundred new attacks will be out by April. Yawn.

        • Umer Mushtaq

          Something's burning... oh, that's the smell of jealousy.

          • Shahid Saleem

            You are not very knowledgeable if you think PHP holes make me jealous. I truly despise the language. PHP holes are found every month, and in terms of scale, this one is nothing.

            • Ahmed

              Well, come to the point: what about the DNS-side vulnerability I found in Motorola, and the 4 malicious vulnerabilities I reported there, 1 reported to Nokia, 2 reported to Samsung? Now get jealous, baby.

              • Shahid Saleem

                post details and we’ll see.

      • aazmoda

        Your argument amounts to this: whether a degree is real or fake, a degree is a degree. Whether a vulnerability is big or petty, a vulnerability is a vulnerability. I bet you can't type the word "vulnerability" without the aid of a spell checker. Just ask Google to offer you a job now as their security head hahaha :D
        We are not short of attention whores. The list just grew by one.

        • Dr. Aamir Liaquat Hussain

          Hahahahaha
          Shahid Saleem logged out from Disqus and commented as a new user.

          • aazmoda

            Do you really think that only Shahid Saleem will laugh at this "ridiculous" achievement, where a kid whose balls haven't even dropped yet is acting superior? It shows your limited knowledge and insight into such things. Things like you were applauding and cheering con men like Ammar Afzal. It does not get worse than that. Mind you, real professionals and capable people rarely visit blogs and all that. They spend their time doing better things than engaging in fights with idle and vagrant ___ like you :)

            • sultan rai

              Burn with envy till your face goes black, you bc, you wretched dog.

            • Shahid Saleem

              On the contrary, professionals do visit blogs. They are just less likely to get into idiotic comment wars :):):)

      • Khurram

        Money and honor before their time are no good. That's what has happened with you, Ahmed Mehtab. Look at your choice of words for someone who is much older and more experienced than you. You may not agree with someone's views, but you should at least be humble and respectful when you disagree with them. You might have done a great job, but the way you have responded has lowered your respect, and mind it, it is your humility that pays off, not your ultra-super technical skills.

        • Muhammad Aamir

          Agree!

          • ahmed mehtab

            Yaar, what kind of person are you? You comment yourself and then reply yourself to fake comments? May Allah reward you for such good thinking. As for me, I am nothing; this honor is granted by Allah, and He gives it to whom He wills and withholds it from whom He wills.

            • Muhammad Aamir

              No, brother!! I didn't write the above comment that you're mentioning. If a person writes such a comment, he knows people can easily identify it, so I would never like it and then comment on it. If you look at the time of my like and my comment, you will see the difference; why else didn't I comment at the same time? I swear I didn't write the above comment. If you're doubting, please trace the IP address of the above comment and of my comment. Perhaps @aamir7:disqus can help! He knows me best; he knows how my English is, etc. Again, if you were hurt by my response "Agree!", I'm really, really sorry!

              • ahmed

                Sorry, I was replying to the one above.

  • Ahsan Zafar

    Really appreciate you

    • Ahmed Mehtab

      Thank you, big B :)

      • drag0nslayer

        Great, boy (:

        • ahmed

          :)

  • Umar Khan

    Excellent, oye!

    • Ahmed

      :) <3

  • waleed khan

    Yo! Proud to be your friend <3

  • Umer Mushtaq

    Congratulations brother stay blessed always.

  • Malik Hamza Bahu

    Congratulations Ahmed #PakistanZindabad :)

  • Jimmy Haxor

    Wah wah, jani... what a thing you've done... ;) We believed in you from the start, but the opposition folks were making a bit of a fuss... :D

    Muhammad Ahmed aka Sniper Haxor

  • brilliant

  • Haider Qureshi

    News about an FPD in a WordPress plugin? Come on, my man, seriously. Pakistanis are doing a lot of good in bug hunting, and you never post the news items that actually deserve to be here. :/

    • Shahid Saleem

      In fact I am very surprised there is still no story or warning about Lenovo laptops on this blog. How can anyone miss such a huge story of this week???

      • Haider Qureshi

        Maybe that's because that news is not related to Pakistan, but yes, that's big news too. This post here, though, is a total joke. A lot of Pakistani security researchers have done and are doing big things. It's unfortunate that they don't get a news item. A news item about an FPD in a WordPress plugin is a slap to the Pakistani information security community.

  • Waqas Rabbani

    Hahahaha, Amir sahab, I am using AdBlock, so no money from me, only freeloading.

    • Shahid Saleem

      I have a better solution for you: uBlock for Chrome or Firefox.

      It works the same as AdBlock, even uses the same lists and block syntax,
      but uses A LOT LESS MEMORY AND CPU.

    • aamir7

      But the thing is, sustenance comes from Allah, not from you :-)

      • Muhammad Aamir

        I was also using AdBlock, but when I saw this comment, I turned AdBlock off for ProPakistani forever. Sorry if that hurt!

        • aamir7

          LOL, that’s nice of you :-)

  • usman

    I don't find a 17 Feb tweet related to Ahmed. LOL, no words for you guys.

    • Shahid Saleem

      Scroll to the top and select "Tweets and replies". It is a reply, so it shows on a different page.

  • Shahid

    You do not need to fight over this. What is going on below is idiotic on both sides of the argument. First of all, yes, PHP is a very poor language and WordPress is full of bugs, and yes, Ahmed Mehtab did not uncover this vulnerability first; it is a known problem in some old versions of WordPress and PHP (and has been known for quite some time). Read this article for info: https://www.owasp.org/index.php/Full_Path_Disclosure

    But again, this does not mean that Ahmed Mehtab did not achieve anything. His achievement is worth mentioning and worth a page on any tech news site, and I am proud of my fellow brother and Pakistani Ahmed Mehtab. Keep it up, brother, and work hard. When a person uncovers a vulnerability that is not known in software as widely used as WordPress, he becomes world famous, and I see the talent in Ahmed Mehtab to achieve that too, because at this age... this is just wow, man.

    To round up my tiny article: what did Ahmed Mehtab actually and clearly do in this particular case? He discovered that a particular blog has that known vulnerability. Why? Because that blog, or the hosting server which was hosting it, was using an old version of PHP/WordPress. Now this does not take anything away from Ahmed Mehtab, because it takes self-study, hard work and research to find known vulnerabilities in sites (sadly, in Pakistan we know our education level, alas). Yes, it takes only a program and some scripts you will need to learn and run against your target, but no one will teach you that stuff, and information about it is scattered and incomplete on the internet. This is one of the most difficult kinds of information to find among anything you will search for on the www. So kudos to Ahmed Mehtab; he is a talented kid and this should be appreciated.

    • Shahid Saleem

      Look! I found out that “+” can be used to add things! Like 3+5 = 8! Wow! Now give me international recognition too!!!!