tl;dr: site used to track public password breaches allowed users to get a list of 866M credentials because of a simple parameter tampering vulnerability.
Is it really necessary to run Kali to just change a parameter in a POST request? Also the response from InfoArmor is disconcerting: "Clearly you have a special account... Oh wait s\\t no". The default position shouldn't be to fob it off as not an issue it should be "Ok, we'll look into it and try reproduce"
It's easy to think that and initially downplay this kind of thing but, in my 20+ years in this field, I've had more than one instance where I've said to someone "no, that can't happen" only to discover that it can and did happen.
Is it me or are there quite a few security related services and companies making these sorts of minor (but easily addressable) mistakes that cost them a ton?
I swear I remember quite a few sites like this getting compromised or exploited recently.
6 comments
[ 3.3 ms ] story [ 21.0 ms ] threadI swear I remember quite a few sites like this getting compromised or exploited recently.