Geekzone: technology news, blogs, forums

cddt
1548 posts
Uber Geek
#3154987 2-Nov-2023 15:44

turtleattacks:

Would love to know the definition of hacking though. Would querying their APIs with a variation of IDs (in payload) be considered hacking?

As I mentioned in a post above, people have gone to prison for doing exactly this.

It happened in the USA, so jurisdiction is different, and it seems to have also required a combination of vindictive management, an overzealous and tech-illiterate prosecutor, and an antagonistic defendant.

But for me it's enough warning to tread carefully.

djtOtago
1149 posts
Uber Geek
#3154992 2-Nov-2023 15:48

Querying the API with variation of IDs to gain access to information you wouldn't normally have access to.

That looks like you had intent to gain access to said information without authorisation to do so.

HACKER 👨‍💻

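The "variation of IDs in the payload" probe discussed in the posts above is the classic test for an insecure direct object reference (IDOR). The following is an added example, not code from the Geekzone thread or from any company it discusses: an in-process stand-in for an order-lookup endpoint that ignores who is asking, next to the same lookup with an ownership check, and a small enumerator that walks an ID range as one customer and reports which other customers' records came back. The order records, customer names and handler shapes are all constructed for illustration.

```python
"""Insecure direct object reference (IDOR): an ID-variation probe run against
a lookup that ignores the caller and against one that checks ownership.

Added example, not code from the Geekzone thread or from any company it
discusses. ORDERS, the customer names and the handler signatures are
constructed for illustration."""
from typing import Callable, Dict, List, Optional

# Constructed sample data: two customers, three orders.
ORDERS: Dict[int, dict] = {
    1001: {"order_id": 1001, "owner": "alice", "detail": "2x margherita"},
    1002: {"order_id": 1002, "owner": "bob", "detail": "1x hawaiian"},
    1003: {"order_id": 1003, "owner": "alice", "detail": "garlic bread"},
}

Handler = Callable[[str, int], Optional[dict]]


def get_order_vulnerable(caller: str, order_id: int) -> Optional[dict]:
    """Looks the record up by ID alone. The authenticated caller is accepted
    but never consulted, so any caller can read any order by guessing IDs."""
    return ORDERS.get(order_id)


def get_order_fixed(caller: str, order_id: int) -> Optional[dict]:
    """Same lookup, but the record is returned only when it belongs to the
    caller. 'Not found' and 'not yours' share one response so the endpoint
    does not confirm which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        return None
    return order


def enumerate_ids(handler: Handler, caller: str, start: int, stop: int) -> List[int]:
    """Walk a range of IDs as one caller and return the IDs of every record
    that came back belonging to someone else: the thread's ID-variation probe,
    here against an in-process handler rather than a live API."""
    leaked = []
    for oid in range(start, stop):
        rec = handler(caller, oid)
        if rec is not None and rec["owner"] != caller:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_order_vulnerable, "bob", 1000, 1010))
    print("fixed:     ", enumerate_ids(get_order_fixed, "bob", 1000, 1010))
```

Run as `bob`, the vulnerable handler hands over both of alice's orders (1001 and 1003) while the fixed one leaks nothing and still returns bob's own order 1002. The point for the discussion above is that the probe itself is trivial; what makes the server's behaviour a vulnerability is the missing `owner` comparison, not anything clever on the client side.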
muppet
2566 posts
Uber Geek
Trusted
#3154994 2-Nov-2023 16:08

A very sensible resolution here, well done.

If it was me I'd have collected every bit of information and extorted the bollocks out of them for personal gain and profit.

Each to their own I guess?

turtleattacks
914 posts
Ultimate Geek
Trusted
#3154995 2-Nov-2023 16:11

muppet: A very sensible resolution here, well done. If it was me I'd have collected every bit of information and extorted the bollocks out of them for personal gain and profit. Each to their own I guess?

Their API gateway was super fast and responsive too.

Could have done it in seconds.

No replies from them for reporting the hole though, and I emailed like 5 of their staff, including their privacy officer and also created a ticket in their help page. The ticket was closed without comments within an hour or so.

At least they replied to @michaelmurfy

----

Creator of whatsthesalary.com

SepticSceptic
2186 posts
Uber Geek
Trusted
#3155195 2-Nov-2023 23:24

Noticed any helicopters circling about recently?

Any over sized SUVs with dark tinted windows down the road?

Accosted by a pretty woman with a slight foreign accent?

;-)

Kyanar
4089 posts
Uber Geek
ID Verified
Trusted
#3155198 2-Nov-2023 23:42

Waaaay back in the day, Hell Pizza had a vulnerability where you could throw arbitrary SQL at their API and it would hand you the results. The papers tried to present it as something bad hackers would do. I reached out to the paper describing how weak the security actually was and just how easy it was (without touching any data but my own). A director of Hell Pizza responded accusing me of being a criminal.

You cannot trust NZ media on this topic. They do not understand the difference between white and black hats.

freitasm
BDFL - Memuneh
79250 posts
Uber Geek
Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber
#3155201 3-Nov-2023 00:03

@Kyanar:

Waaaay back in the day, Hell Pizza had a vulnerability where you could throw arbitrary SQL at their API and it would hand you the results. The papers tried to present it as something bad hackers would do, I reached out to the paper describing how it was actually so weak security and just how easy it was (without touching any data but my own). A director of Hell Pizza responded accusing me of being a criminal.

This thread. Someone mentioned receiving spam on an email address used only at Hell Pizza. After lots of discussion, the conclusion was that they had a Flash-based website and the whole logic ran on the client application, with a direct-to-SQL interface. Basically, their server would just respond to any SQL query.

This was 14 years ago now.

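The design the two posts above describe, application logic in the Flash client and a server that simply runs whatever SQL it is sent, is worth seeing next to the shape it should have had. The following is an added example, not code from the thread or from Hell Pizza: a "direct-to-SQL" endpoint that executes client-supplied SQL verbatim, beside a server-owned, parameterised profile lookup bound to the customer ID from the session. The `customers` table, its rows and both endpoint functions are constructed, with an in-memory sqlite3 database standing in for the real one.

```python
"""A client-driven 'direct-to-SQL' endpoint next to a server-owned,
parameterised query bound to the authenticated session.

Added example, not code from the Geekzone thread or from Hell Pizza. The
customers table, the rows and both endpoint functions are constructed;
sqlite3 in memory stands in for the real database."""
import sqlite3
from typing import List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three customers with contact details."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, address TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.org", "1 Ponsonby Rd"),
            (2, "bob@example.org", "22 Lambton Quay"),
            (3, "carol@example.org", "7 Cashel St"),
        ],
    )
    conn.commit()
    return conn


def direct_sql_endpoint(conn: sqlite3.Connection, sql_from_client: str) -> List[Tuple]:
    """The 'direct-to-SQL interface': whatever the client sends is executed.
    With the application logic living in the client, the server has no query
    of its own to enforce and no notion of which rows belong to whom."""
    return conn.execute(sql_from_client).fetchall()


def my_profile_endpoint(conn: sqlite3.Connection, session_customer_id: object) -> Optional[Tuple]:
    """Server-owned query: the client chooses an action, not a statement. The
    row is selected by the ID taken from the authenticated session, and that
    ID is a bound parameter, so it is compared as data, never spliced into SQL."""
    return conn.execute(
        "SELECT email, address FROM customers WHERE id = ?",
        (session_customer_id,),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Client-chosen SQL: the whole email list in one request, which is the
    # kind of access behind the spam report mentioned in the thread.
    print(direct_sql_endpoint(db, "SELECT email FROM customers"))
    # Same customer, server-owned query: one row, theirs.
    print(my_profile_endpoint(db, 2))
    # A '1 OR 1=1' value in the bound slot is just a string that equals no id.
    print(my_profile_endpoint(db, "1 OR 1=1"))
```

The first call returns every customer's email address, because nothing on the server restricts what the client may ask for. The second returns exactly one row, and the third returns nothing: with the value bound as a parameter, `1 OR 1=1` is compared as text against the integer `id` column and matches no row, which is the difference between parameterisation and string-building a query.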
jnimmo
1097 posts
Uber Geek
#3155207 3-Nov-2023 06:36

In future if you’re having trouble getting traction with the company, CERT NZ provide a vulnerability disclosure program where they can help communicate it to the organisation.

xpd
Geek @ Coastguard NZ
13765 posts
Uber Geek
Retired Mod
ID Verified
Trusted
Lifetime subscriber
#3155213 3-Nov-2023 07:43

A lot of NZ companies/institutes just don't have people that understand the risks associated with bad practices and who to pass notifications on to.

Many years ago, IHUG offered "free" national data on their Ultra satellite service, but capped the international. So what was a young geek to do.... except find an open NZ based proxy and use that to do international file transfers etc.

Came across one which was responding nice and fast (keep in mind I was on an IHUG Ultra setup), NZ based IP - used it for a night then I decided to poke it and see what I could find out about it. Turns out it was a Xtra/Telecom ADSL connection (expensive and fast at the time).

Found it was a school somewhere down the line. I emailed them and advised that they had an open proxy and they might want to get that locked down (data costs on that line would've been nuts). No response.

Week later it was still open. Emailed them again. No response.

Month later it was still open, and I found it was now listed on an international open proxy website......... so who knows who was using it in the end and how much it cost the school.

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

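The school in the story above could have seen the problem in its own logs long before the proxy turned up on a public list: any request relayed for a client outside the site's address ranges means the proxy answers the whole internet, and the byte column says what that is costing. The following is an added example, not code from the thread or from the school or ISP it mentions: a small audit over constructed Squid-style access log lines that reports, per external client, how many requests and bytes were relayed, and flags CONNECTs to port 25, since mail relaying is one of the usual reasons an open proxy ends up on those lists. The "internal" ranges are assumed to be the RFC 1918 private blocks plus loopback.

```python
"""Spotting an open proxy from its own access log.

Added example, not code from the Geekzone thread or from the school or ISP it
mentions. SAMPLE_LOG is constructed in Squid's native access.log layout, and
INTERNAL_NETS assumes the site uses RFC 1918 space plus loopback."""
import ipaddress
from collections import defaultdict
from typing import Dict, Optional

INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample. Fields: time, elapsed ms, client, result/status, bytes,
# method, URL, ident, hierarchy/peer, content type.
SAMPLE_LOG = """\
1041379200.101    120 192.168.1.20 TCP_HIT/200 4120 GET http://www.example.org/ - NONE/- text/html
1041379201.533  18400 203.0.113.45 TCP_MISS/200 52428800 GET http://mirror.example.net/linux.iso - DIRECT/198.51.100.7 application/octet-stream
1041379202.010     80 192.168.1.31 TCP_MISS/200 2048 GET http://www.example.org/news - DIRECT/93.184.216.34 text/html
1041379203.700   9100 203.0.113.45 TCP_MISS/200 10485760 GET http://mirror.example.net/part2.bin - DIRECT/198.51.100.7 application/octet-stream
1041379204.250    300 198.51.100.23 TCP_MISS/200 512 CONNECT mail.example.com:25 - DIRECT/203.0.113.99 -
1041379205.000     40 127.0.0.1 TCP_HIT/200 300 GET http://localhost/cachemgr - NONE/- text/plain
"""


def is_internal(ip: str) -> bool:
    """True when the client address falls inside one of the site's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Pull client, byte count, method and URL out of one native-format line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {
        "client": fields[2],
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
    }


def audit_proxy_log(text: str) -> Dict[str, dict]:
    """Per external client: requests relayed, bytes relayed, and whether any
    request was a CONNECT to port 25 (mail relaying through the proxy)."""
    external: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "smtp_connect": False}
    )
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or is_internal(rec["client"]):
            continue
        entry = external[rec["client"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        if rec["method"] == "CONNECT" and rec["url"].endswith(":25"):
            entry["smtp_connect"] = True
    return dict(external)


if __name__ == "__main__":
    for client, stats in audit_proxy_log(SAMPLE_LOG).items():
        flag = ", SMTP CONNECT seen" if stats["smtp_connect"] else ""
        print(f"{client}: {stats['requests']} requests, "
              f"{stats['bytes'] / 2**20:.1f} MiB relayed{flag}")
```

On the sample, the two LAN clients and the loopback cache-manager hit are ignored, 203.0.113.45 shows up with 60 MiB of ISO downloads relayed (the metered international traffic the post is talking about), and 198.51.100.23 shows up with a single CONNECT to an SMTP port. A non-empty result from this audit is the signal to close the proxy to outside sources; on the same proxy the fix is an ACL that only allows the internal ranges to use it.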
Behodar
10501 posts
Uber Geek
Trusted
Lifetime subscriber
#3155281 3-Nov-2023 10:09

SepticSceptic: Noticed any helicopters circling about recently?

https://whatisthepolicehelicopterdoing.co.nz/

cddt
1548 posts
Uber Geek
#3156638 6-Nov-2023 11:55

xpd:

Month later it was still open, and I found it was now listed on an international open proxy website......... so who knows who was using it in the end and how much it cost the school.

You mean, how much it cost the NZ taxpayer...

turtleattacks
914 posts
Ultimate Geek
Trusted
#3188471 30-Jan-2024 16:08

jnimmo: In future if you’re having trouble getting traction with the company, CERT NZ provide a vulnerability disclosure program where they can help communicate it to the organisation.

Just picking this up again - what's a reasonable time to expect a reply in a timely manner?

Would 24 hours after initial email be enough until a contact is made with CERT's program?

Edit: Not the same company.

michaelmurfy
meow
13240 posts
Uber Geek
Moderator
ID Verified
Trusted
Lifetime subscriber
#3188472 30-Jan-2024 16:13

@turtleattacks Same company?





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


turtleattacks
914 posts
Ultimate Geek
Trusted
#3188473 30-Jan-2024 16:14

michaelmurfy:

@turtleattacks Same company?

Negative.


jnimmo
1097 posts
Uber Geek
#3188484 30-Jan-2024 16:45

turtleattacks:

jnimmo: In future if you’re having trouble getting traction with the company, CERT NZ provide a vulnerability disclosure program where they can help communicate it to the organisation.

Just picking this up again - what's a reasonable time to expect a reply in a timely manner?

Would 24 hours after initial email be enough until a contact is made with CERT's program?

Edit: Not the same company.

Sounds reasonable, it can be helpful having the notification coming from a trusted third party like CERT to get the message through!