All about Mobile, Web, Technology, Politics, Security, E-Commerce and Living in the Philippines.

Thursday, February 26, 2009

I Will Hack Food - J0L1BU6 G0t H4X0R3D! (Jollibee got hacked)

I got home early today so I could attend the meeting tomorrow, and as usual I got bored... and when I get bored, something phun gets posted here. Hehe.

So I recently found out about this promo game on Facebook called "Jollibee Sulit Sarap Challenge", wherein the top scorer for the week gets a P500 Gift Certificate from Jollibee (fast food)... and it just hit me: I will hack for food! LOL

So I visited the application page, added it to my Facebook account, and then figured out the kung-fu behind it. As it turns out, it's so bloody easy to hack -- less than a minute!

FireShot capture #1 - 'Facebook I Jollibee Sulit Sarap Challenge' - apps_facebook_com_jollibeegameapp_topScorers_php

OK, first of all, this is just harmless fun; I did not break any security scheme doing this.

Now I feel like a lowly script kiddie for doing this, and it's LAME, so I won't even bother to redeem my hacked fast food. LOL.

But seriously, the guys who pitched this to Jollibee clearly weren't thinking straight.

Guys, IF I were seriously going to P4wN you, I could have made my score always just above the rest instead of putting 73337 as a score. So take this as free advice and pull that game out until you fix the booboo -- but make sure the fix is good, because IF I get bored again, I will come back and play to see IF you have learned the kung-fu.

Neo: I know kung fu.
Morpheus: [eyeing him, hand on chin] Show me.


UPDATE 2/26 - 1:33 PM

I got an email from the devs:

FROM: Jay Anthony Chiu

Good morning Mr. Filomeno!

We've read your blog post about the Jollibee Hack (link: ), and we appreciate your concern. We actually saw this when we had our internal tester hack into it, and we are currently working on a resolution for this.

But in the meantime, I hope you would be able to take down your blog entry about this matter.

We hope for your cooperation.


Take it down? Seriously, it's too late. Here is my reply:

Hi Jay,

Is teamyehey = Yehey!?

I didn't realize that and would have contacted you guys directly regarding the matter; I guess I was too sleepy at 4AM to dig more into it. I could take down the post, but it's aggregated to two dozen other splogs and bots out there, and it wouldn't make a difference anymore at this point. As you guys work with SEO, you realize that when the source link is taken out, the aggregating site takes the highest authority on the subject, so updates (when you guys fix it) to the original article won't be reciprocated anymore, such that searches for "Jollibee Hack" would show the aggregating sites as the top result and not the original post with updates about the fix.

Anyway, I have made sure not to disclose the exploit vector in the post, only that it's possible and that it's easy at my level.

Finally, I'm sure it would only take 15-30 minutes to fix the exploit vector; let me give you guys some tips.

1. Never trust user input - hash the submitted data so that if it is tampered with, the hash will invalidate it. A hash with a salt plus arbitrary padding data makes it almost impossible to figure out and crack the hash.

2. Use AMF - it's a native Flash communication transport; by itself it's not very effective, but it will protect the data from prying eyes like proxies.

3. Encrypt the entire data sent - SHA1 will be good enough and is very simple to implement.

Did I make sense in the reply? What do you think, guys? Will a take down really help fix it, or just hide the fact that it has problems without warning users that the system is being gamed? Surely I'm not hypocrite enough to say I'm the only one who can do this. Send feedback in the comments and I'll decide later today whether a take down is necessary.

Finally, my hi-score has already been taken out of the database (thank God), but I do hope they really fix it soon, coz I'm getting hungry :D
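What the server side of a promo game like this should actually check, as an added example (not the game's code, nor the code behind the tips in the reply above): a bare digest of the score, as in tip 1 without a secret, is forgeable by anyone who can read the SWF or watch the request, because they simply recompute it for 73337; a keyed MAC over player, score and a server-issued single-use nonce refuses a tampered score and a replayed one, and a plausibility bound rejects an absurd value even if it were correctly signed. The server key, the score ceiling and the player name are assumptions made for the example. The caveat a practitioner wants: whatever computes the MAC holds the key, so if the Flash client signs, the key ships in the SWF and can be extracted; the scheme raises the bar, but the only real fix is for the server not to take the score on the client's word at all.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-only secret (an assumption for this example). It must
# never be compiled into the SWF: anything in the client can be pulled out
# with a decompiler or read off the wire with a proxy.
SERVER_KEY = b"assumed-server-only-secret"
MAX_PLAUSIBLE_SCORE = 10_000  # assumed ceiling for one round of the game

# Nonces issued to each player at game start and not yet consumed.
_open_sessions: dict[str, set[str]] = {}


def start_game(player: str) -> str:
    """Server side: issue a fresh single-use nonce when a round starts."""
    nonce = secrets.token_hex(16)
    _open_sessions.setdefault(player, set()).add(nonce)
    return nonce


def unkeyed_token(player: str, score: int) -> str:
    """The weak scheme: a bare digest over the submitted fields."""
    return hashlib.sha1(f"{player}:{score}".encode()).hexdigest()


def check_unkeyed(player: str, score: int, token: str) -> bool:
    """Accepts anything whose digest matches, which anyone can produce."""
    return hmac.compare_digest(unkeyed_token(player, score), token)


def keyed_token(player: str, score: int, nonce: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over every field the server will act on, nonce included."""
    msg = f"{player}:{score}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def accept_score(player: str, score, nonce: str, token: str) -> tuple[bool, str]:
    """Server-side acceptance: type, range, live nonce and MAC must all pass."""
    if not isinstance(score, int) or score < 0 or score > MAX_PLAUSIBLE_SCORE:
        return False, "score out of range"
    if nonce not in _open_sessions.get(player, set()):
        return False, "unknown or already used nonce"
    if not hmac.compare_digest(keyed_token(player, score, nonce), token):
        return False, "bad signature"
    _open_sessions[player].discard(nonce)  # single use, so a replay is refused
    return True, "accepted"


def demo() -> dict:
    """Walk through the honest case and three ways of gaming the leaderboard."""
    player = "bored_at_4am"  # constructed player name
    results = {}

    # 1. Unkeyed digest: the attacker picks 73337 and recomputes the hash.
    forged = unkeyed_token(player, 73337)
    results["unkeyed_forgery_accepted"] = check_unkeyed(player, 73337, forged)

    # 2. Honest round: client submits player, score, nonce and MAC.
    nonce = start_game(player)
    honest_token = keyed_token(player, 420, nonce)
    results["honest"] = accept_score(player, 420, nonce, honest_token)

    # 3. Replay of that same valid submission a second time.
    results["replay"] = accept_score(player, 420, nonce, honest_token)

    # 4. Proxy edit: score changed in flight, MAC left as the client made it.
    nonce = start_game(player)
    client_token = keyed_token(player, 420, nonce)
    results["tampered"] = accept_score(player, 9001, nonce, client_token)

    # 5. The post's 73337, even with a correct MAC, fails the range check.
    nonce = start_game(player)
    results["absurd"] = accept_score(player, 73337, nonce, keyed_token(player, 73337, nonce))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The comparisons go through hmac.compare_digest rather than == so that a wrong token takes the same time as a right one; the range check runs first because it is the cheapest and catches the 73337 case without touching any key at all.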

Thursday, February 19, 2009

Fix for Elastix on VirtualBox for Windows with SIP Having No Sound

Recently I installed Elastix VoIP server, which is an Asterisk + CentOS Linux distribution specially made for VoIP. Now, as if running VoIP isn't enough of a challenge, I'm forced to install this on a Windows 2003 RC2 Server because we don't have a spare box. It's OK, since the machine is an IBM blade server with very high specs.

The installation is pretty straightforward: just install VirtualBox, create a 10 GB virtual disk and allocate around 1 GB of RAM, which is good for the 4 PSTN lines we have. The server has 2 gigabit NICs with static IPs, so I assigned one to VirtualBox and named it Virtualization. Next, boot the virtual disk with the Elastix ISO mounted and proceed with the installation.

Now, after the installation was completed, I tested SIP calls using the Zoiper softphone and guess what -- NO FUCKING SOUND!

So I fiddled with sip.conf, sip_nat.conf and sip_additional.conf, which are the usual suspects when SIP goes awry. However, this didn't solve my problem!

Now there is only one way to solve this, TAKE A CIGARETTE BREAK :))

So after the puffs, I came back from the smoking lounge and did a network engineer's worst nightmare:

I configured the Windows network card assigned to VirtualBox (named Virtualization) to disable everything except the "VirtualBox Host Interface Networking Driver". This should not work, right? The NIC must have an IP, either via DHCP or static configuration, for it to work. Right?

Well, you’re wrong!


After doing this SIP works flawlessly!

So there you go: I just saved you months of tearing out your hair, crying without sleep and spending hours and hours wasting your time on Google search!

Monday, February 16, 2009

The heat is on: The Google Summer of Code 2009

Thanks to Adriano Monteiro Marques for the video!

This year I'm going to be mentoring under the Drupal organization again, for the second time, since last year's project, the Embed Widgets module, was a great success. So we would like to invite students to participate again this year for another awesome SoC.

Friday, February 13, 2009

uLink ups the ante for free SMS


Miguel sent me this buzz regarding uLink, with the tag-line "Be unique with uLink". It turns out to be a site for sending free SMS to Philippine networks! Yes, bring on more free SMS.


On Join Mobile Freedom

According to the review from, the service is totally free, but with an advertising link from uLink included. To quote:

“The only con that I can think of about this Free Philippine SMS Service is that the message that your friend receives is quite long, containing an advertisement from uLink, but, hey, it’s better than paying for a simple text, am I right? And besides, the advertisement that is included in the text you send is for the promotion of their website and probably to make the Free SMS Service better as the demand grows.”

Hey, it’s FREE; I couldn’t care less if you add the entire newspaper front page.

On Protecting Your Freedom to Communicate.

What does this mean? Dear telco, your monopoly control over communication is dwindling. Evolve or be left behind. What I’m trying to point out is: telcos should be agnostic and neutral, just like how an internet ISP works, which only provides the means of communication but does not control the content. Some might react: “Are you serious? How about spam and scams?”

Hell, let the NTC do the policing, because they don’t do anything useful anyway! Spams and scams are a natural path of evolution; just like when the Internet started there were a lot of scams and spams (the entire dot net boom was a scam if you ask me). However, people learn, and there’s not much spam and scams floating on the net compared to before.

So it’s your choice: let telcos say what’s good for you and stay ignorant, or be free to create what’s good!

Note: Again, people, this is not a service endorsement; I don’t work in telecoms anymore, nor is this related to my current work. Just read the disclosure below already!

Friday, February 06, 2009

Stupidest application in Facebook: My College Friends

WARNING: This app poses as a friend invite; the name and description were crafted to confuse the user unless you check the application page.

See the screen shot I've annotated using FireShot, it explains everything.

FireShot capture #2 - Facebook My College Friends
