Found a security hole....

A fast food delivery service had an ID for every order it Said
"example.com/order/9237" - i go 9236... finds another persons order, address, and phone number

So What should i do?

i thought of making a crawler and then make statistics on everyones orders and send Them a link πŸ˜‚

  • 42
    You should alert them, but don't forget to ask your free meal :D
  • 24
    Im a really shit coder, coming from a graphic design background, and even I wouldn't do such a basic fuckwit error like that. Hope credit cards weren't naked.
  • 36
    @helloworld love me some naked credit cards, really turns me on
  • 22
    The white hat, black hat choice.
  • 4
    @helloworld only the last 4, But it also contains comments on food and e-mail so i could write a code to see who likes more onion or non πŸ”₯😎✌️and send Them an e-mail to answer more questions on their food choice
  • 32
    Had a similar thing in Norway. Third largest grocery store chain here launched an app. The app called an online rest api listing all your purchases, discounts etc etc. Some guy sniffed the app, and called the endpoint. 0 authentication, so the guy goes over 10-15 customers, grabs the data, sends it to the retail chain and tells em to fix it. When he goes public (after they fixed it) they excuse themselves by saying what he did was illegal (it wasnt) and the api didnt reveal personal data (it did).

  • 3
    crawl it, then send them an email.

    you'll feel good when you go though those data in few years, trust me
  • 4
    make an automated system, whenever a new order appears, your system also orders from another restaurant with those credentials
  • 1
    @sp90 I can sense a strong presence of the dark side in you my friend! Hope you are never caught!
  • 25
    Do not tell them the bug. Let them know you found a serious security flaw, and ask for a bug bounty.

    Companies have a choice: spend more money on QA, or less on QA, and hope people find their flaws. You found it. Now get paid.

    If they say no to a bug bounty, just sell it to some Russians.
  • 6
    @Christine Something tells me that you are an all or nothing kind of a girl!
  • 9
    @codeRetard I'm just fucking jaded.
  • 3
    @Christine Yes you are! I still remember the previous few times our paths crossed!
  • 0
    Why should a food store even give a fuck to the security of their customers data? Sorry to say, I don't think you're gonna get a free pizza for telling them that their website sucks.
  • 1
    @fasttime its not a food store, its a website where u order and then they deliver the food from any of their partner restaurants :)
  • 0
    @Christine Probably they just ordered a website at some agency and have no idea about security or what a bug bounty is...
  • 3
    @pascalwacker Presumably the website has a "website made by X" in the footer. So X would probably be the people to contact (along with the restaurant, to let them know their website is unsecured, so they can pressure X to fix it)
  • 1
  • 4
    Even with a masked credit card that's dangerous. You should alert them. Consider this...

    Iterate the number until it fails, then take the top number. Send them an email saying did you mean to order this with acacado? Also, your credit card didnt go through. I'll need the number again. Please call us at *your phone number*.

    That could be a pretty bad scenario.
  • 1
    Bounty. If they say no, sell the data.

    If you find the competitors you can sell the data pretty good.

    Good luck, life is too short to be a white hat. I preffer the gray :)
Add Comment