So our public transportation company started to sell tickets online with their brand new fancy​ system.

• You can buy tickets and passes for the price you want
• Passwords are in plaintext
• Communication is through HTTP
• Login state are checked before the password match so you can basically view who is online
• Email password reminders security code can be read from servers response

Oh and I almost forgot admin credentials are FUCKING admin/admin

Who in the fucking name of all gods can commit such idiocracy with a system that would be used by almost millions of people. I hope you will burn in programming hell. Or even worse...

I'm glad I'm having a car and don't have to use that security black hole.

fucking hostgator!

go suck a cock you developers!

everything from their payment system to their support is crap.

a few days ago, i purchased a website from hostgator, with a year of hosting during black friday weekend. i had obtained a black friday coupon code that entitled me to roughly $160 off its usual price. that said, i filled out the registration form and clicked the 'checkout' button.

right after i clicked it, i saw i forgot to put in the coupon code, and pressed the back button on my browser. then i put in the code and proceeded with checkout.

guess what?

those MOTHERFUCKING GREEDY ASS BITCHES charged me TWICE, one with the coupon and one without.

i contacted customer support and told them what happened after waiting about double the time i was supposed to be connected to support.

of course, they asked for my fucking "security" pin over the customer support live chat (totally not ironic).

they sent a confirmation email, and cancelled the payment without the coupon.

then ONE FUCKING DAY LATER, I tried to connect to my website.

MY SITE WAS FUCKING SUSPENDED.

die in a hole.

i contacted customer support once more, and after explaining the story, I had to wait four to eight hours.

i'll see how it turns out tomorrow.

die in a hole hostgator🖕

Just found the most embarrassing security hole. Basically a skelleton key to millions of user data. Names, email addresses, zip codes, orders. If the email indicates a birthdate, even more shit if you chain another vector. Basically an order id / hash pair that should allow users to enter data AND SHOULD ONLY AUTHORIZE THEM TO THE SITE FOR ENTRING DATA. Well, what happend was that a non mathing hash/id pair will not provide an aith token bit it will create a session linked to that order.

Long story short, call url 1 enter the foreign ID, get an error, access order overview site, profit. Obviously a big fucking problem and I still had to run directly to our CEO to get it prioritized because product management thought a style update would be more important.

Oh, and of course the IDs are counted upwards. Making them random would be too unfair towards the poor black hats out there.