Australia and New Zealand are insanely careless with personal data. I was shocked when I was asked to write my credit card details, including cvv, on a piece of paper in a beachside surfboard rental shop
That reminds me of all the SQL injection vulns that we used to blame on PHP. As PHP becomes less popular, and the same/similar vulnerabilities remain, I realise it's more just bad practices (though ~2000-early 2010s PHP really was pretty rough when it came to creating those holes, but that might just be a function of how popular it was!)<p>Nice work on finding it :)
At least they cared. I found an enumeration attack on an Australian referral service where phone numbers were keys and it returned way too much personal information. Responsibly disclosed numerous times, LinkedIn contacted employees. Not even acknowledged and at last check, still open vulnerability.
Does this api allow me to enumerate the users (by phone number) using the service? That would seem to be bad as well. I. guess that it depends on what their fix was.<p>If this really was the first api request made by the app, and it has a serious vulnerability, then the omens are not great for the rest of the api calls either.
Be super careful with this, you had innocent intent, but that doesn’t mitigate the fact that you potentially broke the law (and regardless of whether you did or not, that won’t stop feds busting in the door). Some places will take reports like that gratefully, others will do everything in their power to make you out to be the bad guy.
by default, make the thing return a 400 Invalid Request for any request that did not fit exactly what you are expecting. That at least lets you focus on ensuring the data that you are expecting is sane/valid/safe. Undocumented features will eventually bite you, and are loaded footguns, especially if your QA team doesn't know about the undocumented features.