27 comments

[ 3.3 ms ] story [ 39.4 ms ] thread
Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?
well at least it was a password hash :D
Strange, the site is run by an Ian Carroll, but the examples show Sam Curry, who is a very famous bug bounty hunter.
That is shamefully poor security.
Just use a framework to build your site. Don’t reinvent the wheel!
Github used a framework tho.
Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.
(comment deleted)
Ian, it would be great to see an RSS feed on your website if you want to gain another regular reader :)
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hope you got at least free tickets for life out of this.

> For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hate this kind of post-hoc finger pointing people do after security breaches. There are other concerns in life beyond security - youre naive to think differently. Is your house secure or could somebody break past your protections? Have you harmed your defensive posture with negligence of security? Do you even care?

Rule 1.

NEVER trust user supplied data.

Once that rule was broken, any other rules broken became clear to everyone

Rule 0: Any networked computer should be considered semi-public. Don't store any information you do not want to be public, or give access to controls that you do not want to be publicly accessible, on a networked computer. There are simply too many vulnerabilities to assume otherwise.
[flagged]
missed opportunity to grant the authors a F1 super license and get the chance to actually drive one of the cars!
Imagine being a world class F1 driver and (someone) still have to upload your CV somewhere.
a couple of weeks ago Verstappen raced in a "Advanced-amateur" competition in Germany - he had to be "trained" by an official instructor in a restricted car because he hadn't raced there before

I imagine the instructor "What could I teach Verstappen now..."

responsible disclosure made you no money and even after that blogpost you still have to take the l33tcode interview
my favorite type of hacking. reading the js an modifying the PUT. Works a lot more often than you expect.
They took the website offline on the same day it was reported! That’s amazing!
(comment deleted)
HAX HAX HAX SUPERHAX HAX HAX (sorry)
In 2025 I think most of the PII is just a legal liability for 99% of the cases.

I once saw a custom service where you could connect your data, like Mixpanel or some analytics, and the whole motto was that this service did not want any of your PII data, and even the employees and companies that could access all the anonymous data had pseudonyms (e.g., a company named "Ocean's Eleven" with the employees Billy, Reuben, Rusty, Benedict, Linus, Basher, and so on).

Does someone know any architectures or designs of applications (books or references) that take anonymity as default?

Is this a case where the back end has no whitelisting of what fields are allowed to be written to for that specific endpoint?
Missed opportunity to delete Lance Stroll's license.
>The JSON HTTP response for updating our own profile contained the "roles" parameter, something that might allow us to escalate privileges if the PUT request was vulnerable to mass assignment. We began looking through the JavaScript for any logic related to this parameter.

Oh, here we go again. JavaScript brings mass assignment back. My efforts went in vein. Strong params, pls!