Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?
Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.
That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.
I hope you got at least free tickets for life out of this.
> For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.
I hate this kind of post-hoc finger pointing people do after security breaches. There are other concerns in life beyond security - youre naive to think differently. Is your house secure or could somebody break past your protections? Have you harmed your defensive posture with negligence of security? Do you even care?
Rule 0: Any networked computer should be considered semi-public. Don't store any information you do not want to be public, or give access to controls that you do not want to be publicly accessible, on a networked computer. There are simply too many vulnerabilities to assume otherwise.
a couple of weeks ago Verstappen raced in a "Advanced-amateur" competition in Germany - he had to be "trained" by an official instructor in a restricted car because he hadn't raced there before
I imagine the instructor "What could I teach Verstappen now..."
In 2025 I think most of the PII is just a legal liability for 99% of the cases.
I once saw a custom service where you could connect your data, like Mixpanel or some analytics, and the whole motto was that this service did not want any of your PII data, and even the employees and companies that could access all the anonymous data had pseudonyms (e.g., a company named "Ocean's Eleven" with the employees Billy, Reuben, Rusty, Benedict, Linus, Basher, and so on).
Does someone know any architectures or designs of applications (books or references) that take anonymity as default?
>The JSON HTTP response for updating our own profile contained the "roles" parameter, something that might allow us to escalate privileges if the PUT request was vulnerable to mass assignment. We began looking through the JavaScript for any logic related to this parameter.
Oh, here we go again. JavaScript brings mass assignment back. My efforts went in vein. Strong params, pls!
27 comments
[ 3.3 ms ] story [ 39.4 ms ] threadI hope you got at least free tickets for life out of this.
I hate this kind of post-hoc finger pointing people do after security breaches. There are other concerns in life beyond security - youre naive to think differently. Is your house secure or could somebody break past your protections? Have you harmed your defensive posture with negligence of security? Do you even care?
NEVER trust user supplied data.
Once that rule was broken, any other rules broken became clear to everyone
I imagine the instructor "What could I teach Verstappen now..."
I once saw a custom service where you could connect your data, like Mixpanel or some analytics, and the whole motto was that this service did not want any of your PII data, and even the employees and companies that could access all the anonymous data had pseudonyms (e.g., a company named "Ocean's Eleven" with the employees Billy, Reuben, Rusty, Benedict, Linus, Basher, and so on).
Does someone know any architectures or designs of applications (books or references) that take anonymity as default?
Oh, here we go again. JavaScript brings mass assignment back. My efforts went in vein. Strong params, pls!