Geekzone: technology news, blogs, forums
cddt
1965 posts
Uber Geek
+1 received by user: 1904
#3154987 2-Nov-2023 15:44

turtleattacks: Would love to know the definition of hacking though. Would querying their APIs with a variation of IDs (in payload) be considered hacking?

As I mentioned in a post above, people have gone to prison for doing exactly this.

It happened in the USA, so jurisdiction is different, and it seems to have also required a combination of vindictive management, an overzealous and tech-illiterate prosecutor, and an antagonistic defendant.

But for me it's enough warning to tread carefully.

djtOtago
1181 posts
Uber Geek
+1 received by user: 605
#3154992 2-Nov-2023 15:48

Querying the API with a variation of IDs to gain access to information you wouldn't normally have access to.

That looks like you had intent to gain access to said information without authorisation to do so.

HACKER 👨‍💻
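
Whatever the legal label, the engineering name for the bug being described is an insecure direct object reference (IDOR), or broken object-level authorisation: the endpoint authenticates the caller and then trusts the `order_id` in the payload without checking the object belongs to that caller. The following is an added example, not code from the original thread or from any company discussed in it. The endpoint names, the in-memory store and the customer records are constructed for illustration, and the enumeration helper at the end is meant to be run against your own test instance (here, a dict), not somebody else's production API.

```python
"""IDOR: the vulnerable handler beside the fixed one, plus the check that
finds the difference. All names, records and IDs are invented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str      # account that placed the order
    address: str    # personal data that must stay with its owner


# Constructed sample rows standing in for the API's backing store.
ORDERS = {
    1001: Order(1001, "alice", "1 Example St"),
    1002: Order(1002, "bob", "2 Sample Rd"),
    1003: Order(1003, "carol", "3 Placeholder Ave"),
}


class NotFound(Exception):
    """The only error either handler reports back to the client."""


def get_order_vulnerable(session_user: str, payload: dict) -> Order:
    """Authenticated but not authorised: the handler trusts the order_id in
    the payload and never checks that the order belongs to session_user.
    Any logged-in caller can walk order_id = 1001, 1002, 1003 ... and read
    every other customer's record."""
    order = ORDERS.get(int(payload["order_id"]))
    if order is None:
        raise NotFound
    return order


def get_order_fixed(session_user: str, payload: dict) -> Order:
    """Object-level authorisation: the lookup is scoped to the caller.
    A foreign ID and a non-existent ID produce the same error, so the
    endpoint cannot be used as an oracle for which IDs exist either."""
    order = ORDERS.get(int(payload["order_id"]))
    if order is None or order.owner != session_user:
        raise NotFound
    return order


def enumerate_ids(handler, session_user: str, id_range) -> list:
    """The check the thread describes: call the endpoint with a variation of
    IDs as session_user and record every ID that returned someone else's
    data. Run it only against your own test instance."""
    leaked = []
    for oid in id_range:
        try:
            order = handler(session_user, {"order_id": oid})
        except NotFound:
            continue
        if order.owner != session_user:
            leaked.append(oid)
    return leaked
```

In a real data layer the same scoping belongs in the query itself (`WHERE id = ? AND owner = ?`) so that every code path that fetches an order goes through it. Random, non-sequential identifiers make sweeping IDs slower but are not authorisation; and a sweep of sequential IDs from one session, even a fast one against a "super responsive" gateway, is exactly the pattern rate limiting and alerting on the API gateway should catch.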


muppet
2642 posts
Uber Geek
+1 received by user: 1660
Trusted
#3154994 2-Nov-2023 16:08

A very sensible resolution here, well done.

If it was me I'd have collected every bit of information and extorted the bollocks out of them for personal gain and profit.

Each to their own I guess?

turtleattacks
1008 posts
Uber Geek
+1 received by user: 305
Trusted
#3154995 2-Nov-2023 16:11

muppet: A very sensible resolution here, well done. If it was me I'd have collected every bit of information and extorted the bollocks out of them for personal gain and profit. Each to their own I guess?

Their API gateway was super fast and responsive too.

Could have done it in seconds.

No replies from them for reporting the hole though, and I emailed like 5 of their staff, including their privacy officer, and also created a ticket in their help page. The ticket was closed without comments within an hour or so.

At least they replied to @michaelmurfy

SepticSceptic
2263 posts
Uber Geek
+1 received by user: 779
Trusted
#3155195 2-Nov-2023 23:24

Noticed any helicopters circling about recently?

Any oversized SUVs with dark tinted windows down the road?

Accosted by a pretty woman with a slight foreign accent?

;-)

Kyanar
4089 posts
Uber Geek
+1 received by user: 1684
ID Verified
Trusted
#3155198 2-Nov-2023 23:42

Waaaay back in the day, Hell Pizza had a vulnerability where you could throw arbitrary SQL at their API and it would hand you the results. The papers tried to present it as something bad hackers would do; I reached out to the paper describing how it was actually such weak security and just how easy it was (without touching any data but my own). A director of Hell Pizza responded accusing me of being a criminal.

You cannot trust NZ media on this topic. They do not understand the difference between white and black hats.

freitasm
BDFL - Memuneh
80646 posts
Uber Geek
+1 received by user: 41030
Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber
#3155201 3-Nov-2023 00:03

@Kyanar: Waaaay back in the day, Hell Pizza had a vulnerability where you could throw arbitrary SQL at their API and it would hand you the results. The papers tried to present it as something bad hackers would do; I reached out to the paper describing how it was actually such weak security and just how easy it was (without touching any data but my own). A director of Hell Pizza responded accusing me of being a criminal.

This thread. Someone mentioned receiving spam on an email address used only at Hell Pizza. After lots of discussion, the conclusion was that they had a Flash-based website and the whole logic ran on the client application, with a direct-to-SQL interface. Basically, their server would just respond to any SQL query.

This was 14 years ago now.
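
The two designs Kyanar and freitasm describe, side by side: a server that executes whatever SQL the client application hands it, and a server-side endpoint where the statement is fixed and the client supplies only a typed parameter. This is an added example, not code from the original thread or from Hell Pizza; it uses an in-memory SQLite database, and the table, columns and rows are constructed for illustration.

```python
"""Client-composed SQL beside a fixed, parameterised server-side query.
The schema and rows are invented sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [("alice@example.invalid", "021 000 0001"),
         ("bob@example.invalid", "021 000 0002")],
    )
    conn.commit()
    return conn


def vulnerable_endpoint(conn: sqlite3.Connection, client_sql: str) -> list:
    """'Logic on the client': the client (the Flash app in the thread)
    composes the SQL and the server runs it verbatim. Nothing here limits
    which tables, columns or rows the caller reads, so a single request
    returns the whole customer list. There is no injection to find; the
    interface *is* the injection."""
    return conn.execute(client_sql).fetchall()


def fixed_endpoint(conn: sqlite3.Connection, raw_id: str) -> tuple:
    """'Logic on the server': the statement is fixed in server code, the
    client value is validated and bound as a parameter by the driver, and
    only the column the feature needs is selected. Returns (status, rows)
    the way an HTTP handler would map to a response."""
    try:
        customer_id = int(raw_id)
    except ValueError:
        # "1 OR 1=1" or "2; DROP TABLE ..." never reach the database.
        return ("400 bad request", [])
    rows = conn.execute(
        "SELECT email FROM customers WHERE id = ?", (customer_id,)
    ).fetchall()
    return ("200 ok", rows)
```

Parameter binding is the minimum. The database account the endpoint runs as should also be least-privilege (read access to the columns the feature needs, through a view if necessary), so that a future bug in the server code still cannot reach phone numbers or the whole table. The "spam on an address used only at Hell Pizza" observation in the thread is the kind of signal that surfaces a leak like this after the fact; a unique address per site is a cheap canary worth keeping.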

jnimmo
1098 posts
Uber Geek
+1 received by user: 255
#3155207 3-Nov-2023 06:36

In future if you're having trouble getting traction with the company, CERT NZ provide a vulnerability disclosure program where they can help communicate it to the organisation.

xpd
Geek of Coastguard
14115 posts
Uber Geek
+1 received by user: 4574
Retired Mod
ID Verified
Trusted
Lifetime subscriber
#3155213 3-Nov-2023 07:43

A lot of NZ companies/institutes just don't have people who understand the risks associated with bad practices and who to pass notifications on to.

Many years ago, IHUG offered "free" national data on their Ultra satellite service, but capped the international. So what was a young geek to do... except find an open NZ-based proxy and use that to do international file transfers etc.

Came across one which was responding nice and fast (keep in mind I was on an IHUG Ultra setup), NZ-based IP. Used it for a night, then I decided to poke it and see what I could find out about it. Turns out it was an Xtra/Telecom ADSL connection (expensive and fast at the time).

Found it was a school somewhere down the line. I emailed them and advised that they had an open proxy and they might want to get that locked down (data costs on that line would've been nuts). No response.

Week later it was still open. Emailed them again. No response.

Month later it was still open, and I found it was now listed on an international open proxy website... so who knows who was using it in the end and how much it cost the school.

XPD / Gavin
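
The check xpd describes (confirming that a host will relay requests for third-party sites, which is what makes it an "open proxy") as an added example; it is not from the original post. The candidate host and port are assumptions, the canned responses are constructed, and `http://example.com/` with its "Example Domain" title is used as the probe target only because it is public and stable; a page you control with a unique marker string is the better choice, because it rules out a web server that merely answers the proxy-form request with its own content.

```python
"""Open-proxy check: build a proxy-form HTTP request, classify the answer.
Candidate host, port and the canned responses are invented."""
import socket


def proxy_probe_request(target_url: str = "http://example.com/") -> bytes:
    """HTTP/1.1 request in proxy form: an absolute URI in the request line.
    A forward proxy relays it to the named host; an origin server is not
    expected to go and fetch somebody else's site."""
    host = target_url.split("/")[2]
    return (
        f"GET {target_url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify_response(raw: bytes, marker: bytes = b"Example Domain") -> str:
    """Decide what the candidate did with the proxy-form request.

    'open'               relayed it and returned the target page, recognised
                         by a marker the tester knows is in that page
    'served-own-content' 2xx but without the marker: a web server answering
                         for itself, the usual false positive
    'auth-required'      407: a proxy is there but wants credentials
    'closed'             anything else (403 from an ACL, 400, 5xx, ...)
    A relayed 3xx from the target would need following; it is left as
    'closed' here for simplicity.
    """
    if not raw:
        return "no-response"
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "not-http"
    try:
        code = int(parts[1])
    except ValueError:
        return "not-http"
    if code == 407:
        return "auth-required"
    if 200 <= code < 300:
        return "open" if marker in raw else "served-own-content"
    return "closed"


def probe(host: str, port: int = 3128, timeout: float = 5.0,
          target_url: str = "http://example.com/",
          marker: bytes = b"Example Domain") -> str:
    """Live check against one candidate (host and port are assumptions).
    Only run this against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(proxy_probe_request(target_url))
        raw = b""
        while len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_response(raw, marker)
```

The same probe on ports 8080, 8000 and 80 and a `CONNECT` request for an HTTPS target cover the other common proxy shapes. On the lock-down side the fix the school needed is an access list that allows only the local network (in Squid terms, `http_access allow localnet` followed by `http_access deny all`) plus authentication if off-site staff genuinely need it; once a host appears on a public open-proxy list, the traffic bill is no longer the school's own users.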
Behodar
11094 posts
Uber Geek
+1 received by user: 6071
Trusted
Lifetime subscriber
#3155281 3-Nov-2023 10:09

SepticSceptic: Noticed any helicopters circling about recently?

https://whatisthepolicehelicopterdoing.co.nz/

cddt
1965 posts
Uber Geek
+1 received by user: 1904
#3156638 6-Nov-2023 11:55

xpd: Month later it was still open, and I found it was now listed on an international open proxy website... so who knows who was using it in the end and how much it cost the school.

You mean, how much it cost the NZ taxpayer...

turtleattacks
1008 posts
Uber Geek
+1 received by user: 305
Trusted
#3188471 30-Jan-2024 16:08

jnimmo: In future if you're having trouble getting traction with the company, CERT NZ provide a vulnerability disclosure program where they can help communicate it to the organisation.

Just picking this up again - what's a reasonable time to expect a reply in a timely manner?

Would 24 hours after initial email be enough until a contact is made with CERT's program?

Edit: Not the same company.

michaelmurfy
meow
13579 posts
Uber Geek
+1 received by user: 10910
Moderator
ID Verified
Trusted
Lifetime subscriber
#3188472 30-Jan-2024 16:13

@turtleattacks Same company?

Michael Murphy | https://murfy.nz

turtleattacks
1008 posts
Uber Geek
+1 received by user: 305
Trusted
#3188473 30-Jan-2024 16:14

michaelmurfy: @turtleattacks Same company?

Negative.

jnimmo
1098 posts
Uber Geek
+1 received by user: 255
#3188484 30-Jan-2024 16:45

turtleattacks:

jnimmo: In future if you're having trouble getting traction with the company, CERT NZ provide a vulnerability disclosure program where they can help communicate it to the organisation.

Just picking this up again - what's a reasonable time to expect a reply in a timely manner?

Would 24 hours after initial email be enough until a contact is made with CERT's program?

Edit: Not the same company.

Sounds reasonable; it can be helpful having the notification coming from a trusted third party like CERT to get the message through!
