Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Im a really shit coder, coming from a graphic design background, and even I wouldn't do such a basic fuckwit error like that. Hope credit cards weren't naked.
-
sp902188y@helloworld only the last 4, But it also contains comments on food and e-mail so i could write a code to see who likes more onion or non π₯πβοΈand send Them an e-mail to answer more questions on their food choice
-
yusijs12508yHad a similar thing in Norway. Third largest grocery store chain here launched an app. The app called an online rest api listing all your purchases, discounts etc etc. Some guy sniffed the app, and called the endpoint. 0 authentication, so the guy goes over 10-15 customers, grabs the data, sends it to the retail chain and tells em to fix it. When he goes public (after they fixed it) they excuse themselves by saying what he did was illegal (it wasnt) and the api didnt reveal personal data (it did).
Fucknuggets -
DarKneT13168ycrawl it, then send them an email.
you'll feel good when you go though those data in few years, trust me -
yugi9558ymake an automated system, whenever a new order appears, your system also orders from another restaurant with those credentials
-
@sp90 I can sense a strong presence of the dark side in you my friend! Hope you are never caught!
-
Do not tell them the bug. Let them know you found a serious security flaw, and ask for a bug bounty.
Companies have a choice: spend more money on QA, or less on QA, and hope people find their flaws. You found it. Now get paid.
If they say no to a bug bounty, just sell it to some Russians. -
@Christine Yes you are! I still remember the previous few times our paths crossed!
-
Why should a food store even give a fuck to the security of their customers data? Sorry to say, I don't think you're gonna get a free pizza for telling them that their website sucks.
-
Wack63118y@Christine Probably they just ordered a website at some agency and have no idea about security or what a bug bounty is...
-
@pascalwacker Presumably the website has a "website made by X" in the footer. So X would probably be the people to contact (along with the restaurant, to let them know their website is unsecured, so they can pressure X to fix it)
-
Even with a masked credit card that's dangerous. You should alert them. Consider this...
Iterate the number until it fails, then take the top number. Send them an email saying did you mean to order this with acacado? Also, your credit card didnt go through. I'll need the number again. Please call us at *your phone number*.
That could be a pretty bad scenario. -
curlyDev4727yBounty. If they say no, sell the data.
If you find the competitors you can sell the data pretty good.
Good luck, life is too short to be a white hat. I preffer the gray :)
Related Rants
Found a security hole....
A fast food delivery service had an ID for every order it Said
"example.com/order/9237" - i go 9236... finds another persons order, address, and phone number
So What should i do?
i thought of making a crawler and then make statistics on everyones orders and send Them a link π
undefined
trollingtime
trolling
security 101
lulz
troll
security