|
Powaqoatse posted:some danish developer noticed that his daycare had a form where you could look up anyone by their ss# & it had no ratelimiting, so you could pretty much enumerate the entire search space & get all valid #s + name + address (only 36,500,000 possibles). Family Guy has previously told TV2 that he wrote his girlfriend's social security number, after which the IT system came up with her name.
|
#
?
Jun 23, 2017 17:47
|
|
|
|
| # ? May 21, 2024 02:49 |
|
|
Powaqoatse posted:some danish developer noticed that his daycare had a form where you could look up anyone by their ss# & it had no ratelimiting, so you could pretty much enumerate the entire search space & get all valid #s + name + address (only 36,500,000 possibles). besides, someone is going to be really loving dead over the eu pii laws
|
|
#
?
Jun 23, 2017 17:48
|
|
|
cinci zoo sniper posted:thankfully it is a scandinavian court so there might be someone familiar with modernity on the other end, presuming that disclosure happened after the vuln got fixed, or it was partial when vendor said "wontfix" this. there is no loving way they win that lawsuit. they are deep in the wrong, and liable, when they disclose personal info like that
|
|
#
?
Jun 23, 2017 17:54
|
|
|
anthonypants posted:On the IT solution is a field where using social security number can beat his partner up. lmao ps:  google. "slå op" means "look up", not "beat"
|
|
#
?
Jun 23, 2017 17:54
|
|
|
he contacted media the day following the disclosure. he contacted the municipality that runs the daycare, who said they would pass on the info to the vendor. no word on what the vendor said. it also mentions he works for a competing vendor, so that muddies it a bit
|
|
#
?
Jun 23, 2017 17:57
|
|
|
but yeah, vendor KMD hosed up big time with that lookup form.
|
|
#
?
Jun 23, 2017 18:00
|
|
|
Powaqoatse posted:he contacted media the day following the disclosure. he contacted the municipality that runs the daycare, who said they would pass on the info to the vendor. no word on what the vendor said. dude might be in for a rough ride then
|
|
#
?
Jun 23, 2017 18:01
|
|
|
So to clarify, the daycare form, queried the gov database of identity numbers, and therefore you could enumerate the entire search space of all issued (past/present) identity numbers? I'm presuming that is what happened as it mentions he checked using his girlfriend's number and I sure hope she wasn't listed in the daycare's database... That's some secfuck
|
|
#
?
Jun 23, 2017 18:19
|
|
|
SeaborneClink posted:So to clarify, the daycare form, queried the gov database of identity numbers, and therefore you could enumerate the entire search space of all issued (past/present) identity numbers? I'm presuming that is what happened as it mentions he checked using his girlfriend's number and I sure hope she wasn't listed in the daycare's database... yeah, euronumbers often follow some kind of predefined pattern, so you can generated them in bulk (and also they are mostly worthless for id fraud)
|
|
#
?
Jun 23, 2017 18:27
|
|
|
CPR numbers are of the form yyyyymmdd-cccc date is birthday obv checksum is even for women, uneven for men (can be changed as part of legal gender reassignment). a number by itself is worthless (checksum algo is public so theyre easy to generate by yourself). number + matching name & address has previously been used to do some basic identity theft (i think step #1 was redirecting mail) and step piecemeal up to bank accounts and drivers licenses, but i have no idea if thats possible anymore. dont think it is.. all public services are now online & use cpr# + password + physical otp unless you get a deferment because youre too old to computer Carthag Tuek fucked around with this message at 18:44 on Jun 23, 2017 |
|
#
?
Jun 23, 2017 18:40
|
|
|
it's that time again, https://twitter.com/taviso/status/878314575149506561 also microsoft's fix broke his linux wrapper, lol
|
|
#
?
Jun 23, 2017 19:14
|
|
|
itt: itt (it's tavis time)
|
|
#
?
Jun 23, 2017 19:26
|
|
|
if tavis stood under Niagara falls he would probably solve p/np
|
|
#
?
Jun 23, 2017 19:31
|
|
|
Security Fuckup Megathread - v13.70: Tavis does Redmond.
|
|
#
?
Jun 23, 2017 19:37
|
|
|
Lutha Mahtin posted:if tavis stood under Niagara falls he would probably solve p/np
|
|
#
?
Jun 23, 2017 19:37
|
|
|
https://twitter.com/taviso/status/878317891984048129 aces
|
|
#
?
Jun 23, 2017 19:37
|
|
|
has anyone said tavis ownmandy yet?
|
|
#
?
Jun 23, 2017 19:55
|
|
|
http://i.imgur.com/k5lcM8D.mp4
|
|
#
?
Jun 23, 2017 20:22
|
|
|
antivirus-turnstile.gif
|
|
#
?
Jun 23, 2017 20:57
|
|
|
ok thats just beautiful
|
|
#
?
Jun 23, 2017 20:58
|
|
|
Powaqoatse posted:he contacted media the day following the disclosure. he contacted the municipality that runs the daycare, who said they would pass on the info to the vendor. no word on what the vendor said. he contacted media the day after, but the story wasn't published until 14+ days later after no word from the vendor or municipality and then when the tv station contacted the vendor, they (the vendor) called up his boss to say "hey your guy is hacking us!"
|
|
#
?
Jun 23, 2017 20:59
|
|
|
cinci zoo sniper posted:no suicide requests in yospos it was a joke about how he once realized the solution to something while he was in the shower
|
|
#
?
Jun 23, 2017 21:08
|
|
|
Lutha Mahtin posted:it was a joke about how he once realized the solution to something while he was in the shower
|
|
#
?
Jun 23, 2017 21:38
|
|
|
if tavis ever wants to break into your house he'll just stand outside and blast himself with the garden hose for a few minutes before teleporting into your living room
|
|
#
?
Jun 23, 2017 21:51
|
|
|
NFX posted:he contacted media the day after, but the story wasn't published until 14+ days later after no word from the vendor or municipality yea its a mess but imo he shouldnt have talked to anybody but the vendor & given them a chance to fix it. only then talked to the media if they didnt give a poo poo responsible disclosure yo
|
|
#
?
Jun 23, 2017 22:19
|
|
|
responsible disclosure is so boring
|
|
#
?
Jun 23, 2017 22:21
|
|
|
CRIP EATIN BREAD posted:responsible disclosure is so boring
|
|
#
?
Jun 23, 2017 22:25
|
|
|
so i've just discovered while transitioning services for a client, that the all-in-one (industry targeted) MSP they were using has their "Zoolz" cloud backup service tied to an employee email address. the same address is used for multiple customers you can browse and restore from the other customers data these customers have massive amounts of PII including medical information for their members i don't even know where to start with this one
|
|
#
?
Jun 23, 2017 22:28
|
|
|
oh shiiiiiiiiit https://www.theregister.co.uk/AMP/2017/06/23/windows_10_leak/ 32TB of Windows 10 internal builds, core source code leak online
|
|
#
?
Jun 23, 2017 22:31
|
|
|
infernal machines posted:so i've just discovered while transitioning services for a client, that the all-in-one (industry targeted) MSP they were using has their "Zoolz" cloud backup service tied to an employee email address. is it a government thing?
|
|
#
?
Jun 23, 2017 22:32
|
|
|
BangersInMyKnickers posted:oh shiiiiiiiiit wooo zero-days for decades
|
|
#
?
Jun 23, 2017 22:34
|
|
|
BangersInMyKnickers posted:oh shiiiiiiiiit 
|
|
#
?
Jun 23, 2017 22:36
|
|
|
BangersInMyKnickers posted:oh shiiiiiiiiit oh boy. now that's a secfuck
|
|
#
?
Jun 23, 2017 22:36
|
|
|
BangersInMyKnickers posted:oh shiiiiiiiiit блять
|
|
#
?
Jun 23, 2017 22:37
|
|
|
CRIP EATIN BREAD posted:is it a government thing? the MSP offers services specifically to unions, so some of the people exposed are likely government employees, but they don't to my knowledge provide services directly to the government i'm setting up a meeting with my client to discuss their exposure, then i guess i'm contacting the privacy commissioner
|
|
#
?
Jun 23, 2017 22:38
|
|
|
I fully support Microsoft's commitment to opensource
|
|
#
?
Jun 23, 2017 22:39
|
|
|
where's shaggar
|
|
#
?
Jun 23, 2017 22:46
|
|
|
I wonder how much noxious poo poo they're going to find buried in that MS code, good stuff.
|
|
#
?
Jun 23, 2017 22:48
|
|
|
oopsy daisies.
|
|
#
?
Jun 23, 2017 22:50
|
|
|
|
| # ? May 21, 2024 02:49 |
|
|
all the source code leaks for previous windows versions were riddled with profanity
|
|
#
?
Jun 23, 2017 22:52
|
|