How I pwned a major New Zealand service provider

55 points by MrBruh about 2 months ago

10 comments

ngonch about 2 months ago
Australia and New Zealand are insanely careless with personal data. I was shocked when I was asked to write my credit card details, including cvv, on a piece of paper in a beachside surfboard rental shop
girvo about 2 months ago
That reminds me of all the SQL injection vulns that we used to blame on PHP. As PHP becomes less popular, and the same/similar vulnerabilities remain, I realise it's more just bad practices (though ~2000-early 2010s PHP really was pretty rough when it came to creating those holes, but that might just be a function of how popular it was!)

Nice work on finding it :)
taitems about 2 months ago
At least they cared. I found an enumeration attack on an Australian referral service where phone numbers were keys and it returned way too much personal information. Responsibly disclosed numerous times, LinkedIn contacted employees. Not even acknowledged and at last check, still open vulnerability.
pjsg about 2 months ago
Does this api allow me to enumerate the users (by phone number) using the service? That would seem to be bad as well. I guess that it depends on what their fix was.

If this really was the first api request made by the app, and it has a serious vulnerability, then the omens are not great for the rest of the api calls either.
hsbauauvhabzb about 2 months ago
Be super careful with this, you had innocent intent, but that doesn’t mitigate the fact that you potentially broke the law (and regardless of whether you did or not, that won’t stop feds busting in the door). Some places will take reports like that gratefully, others will do everything in their power to make you out to be the bad guy.
protocolture about 2 months ago
Honestly cool to see a story like this where the punchline isn't "They never fixed the bug" or "They sent goons after me".
davesmylie about 2 months ago
Hmm. Notably Farmers NZ recently had an extended unplanned outage, and has a 4 star app
dylan604 about 2 months ago
by default, make the thing return a 400 Invalid Request for any request that did not fit exactly what you are expecting. That at least lets you focus on ensuring the data that you are expecting is sane/valid/safe. Undocumented features will eventually bite you, and are loaded footguns, especially if your QA team doesn't know about the undocumented features.
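The deny-by-default request validation dylan604 describes, as an added Python example that is not part of the thread or of the original article; the endpoint's field names and the sample payloads are hypothetical, constructed only for illustration:

```python
"""Added example (not from the thread): a deny-by-default request validator.

Every request is checked against an allowlist of expected fields; anything
else (unknown keys, wrong types, missing fields) is rejected with HTTP 400
before any business logic runs. The field names and sample payloads below
are constructed for illustration and belong to no real API.
"""
from dataclasses import dataclass
from typing import Any

# Hypothetical schema for a "look up my account" call: exactly these keys,
# exactly these types. Nothing undocumented is allowed through.
EXPECTED_FIELDS: dict[str, type] = {
    "session_token": str,
    "account_id": int,
}

@dataclass(frozen=True)
class Verdict:
    status: int      # HTTP status code to return
    reason: str      # why the request was rejected (empty on success)

def validate_request(body: Any) -> Verdict:
    """Deny by default: return 400 unless the body is exactly what we expect."""
    if not isinstance(body, dict):
        return Verdict(400, "body must be a JSON object")
    unknown = sorted(set(body) - set(EXPECTED_FIELDS))
    if unknown:
        # An unknown key is the classic "undocumented feature" footgun:
        # a lenient parser would silently accept (and maybe act on) it.
        return Verdict(400, f"unknown fields: {', '.join(unknown)}")
    missing = sorted(set(EXPECTED_FIELDS) - set(body))
    if missing:
        return Verdict(400, f"missing fields: {', '.join(missing)}")
    for name, expected_type in EXPECTED_FIELDS.items():
        value = body[name]
        # bool is a subclass of int in Python; refuse it explicitly.
        if isinstance(value, bool) or not isinstance(value, expected_type):
            return Verdict(400, f"field {name!r} must be {expected_type.__name__}")
    return Verdict(200, "")

# Constructed sample requests: the first is well-formed, the rest must be refused.
SAMPLE_REQUESTS = [
    {"session_token": "abc123", "account_id": 42},
    {"session_token": "abc123", "account_id": 42, "debug": True},  # extra key
    {"session_token": "abc123", "account_id": "42"},              # wrong type
    {"session_token": "abc123"},                                  # missing key
    ["session_token", "abc123"],                                  # not an object
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(validate_request(req))
```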
sitzkrieg about 2 months ago
to think someone thought that api was a good idea and got all the way to deploying it, yikes
efilife about 2 months ago
Were you paid? I hope yes