NoGoolag
Who reports the “low hanging fruit” security issues?

Some time ago, I came across this article on Hacker News. I recommend you read the whole thing. But in short: a social media site for women called “Giggle” used an API that exposed pretty much every user’s data if you so much as requested it. This is called an IDOR (insecure direct object reference) vulnerability.

The “barrier to entry” is very low here. Installing BurpSuite might actually have been the hardest part of it all.

I always found these types of “hacks” the most interesting, mostly because they don’t require any experience in offensive security. You don’t need to be a professional pentester to know basic API debugging. Even I could do something like this! In fact, I still sometimes hack myself into leaderboards of browser games like this one.

These kinds of “easy to pick” targets are often referred to as “low hanging fruit”. There is no complicated setup or work worth mentioning required to just grab an apple from a low hanging branch. The same was true for hacking Giggle.

And these types of incidents are anything but rare. Just search the web for “unsecured elasticsearch instance”. It doesn’t just affect user data, either. There have been IDOR issues on car control systems. One could literally stop, lock and unlock cars thanks to a certain API endpoint that required no authentication.
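To make the IDOR pattern concrete, here is an added example (not code from the post or from palone.blog): a profile lookup that trusts the id in the URL, the same lookup with object-level authorization, and a small log check that flags a client walking through ids. The user store, request shape, endpoint path and log lines are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store (id -> record); email is the sensitive field.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.invalid"},
    2: {"id": 2, "name": "bob", "email": "bob@example.invalid"},
}

@dataclass
class Request:
    user_id: Optional[int]  # authenticated caller, None if not logged in
    target_id: int          # object id taken straight from the URL

def get_profile_vulnerable(req: Request) -> Optional[dict]:
    # IDOR: the client-supplied id is trusted, so any caller, logged in or
    # not, can read any user's record just by changing the number.
    return USERS.get(req.target_id)

def get_profile_hardened(req: Request) -> Optional[dict]:
    # Object-level authorization: require a login and require that the caller
    # owns the requested object; one generic error so ids are not confirmed.
    if req.user_id is None or req.user_id != req.target_id:
        raise PermissionError("not found")
    return USERS.get(req.target_id)

def outcome(handler, req: Request) -> str:
    # Helper turning a handler result into a comparable string.
    try:
        rec = handler(req)
    except PermissionError:
        return "denied"
    return "missing" if rec is None else rec["email"]

def flag_enumeration(log_lines, threshold: int = 3) -> dict:
    # Detection side: one client walking many distinct ids in a log window is
    # the footprint of IDOR harvesting. Returns {client: distinct ids} for
    # clients at or above the threshold. Log format is constructed.
    seen = defaultdict(set)
    for line in log_lines:
        client, _method, path, _status = line.split()
        if path.startswith("/api/users/") and path.rsplit("/", 1)[1].isdigit():
            seen[client].add(int(path.rsplit("/", 1)[1]))
    return {c: len(ids) for c, ids in seen.items() if len(ids) >= threshold}

# Constructed access log: 10.0.0.9 walks ids 1-3, 10.0.0.5 reads one record.
SAMPLE_LOG = ["10.0.0.5 GET /api/users/2 200", "10.0.0.9 GET /api/users/1 200",
              "10.0.0.9 GET /api/users/2 200", "10.0.0.9 GET /api/users/3 404"]
```

The hardened handler is the fix for the bug class the post describes; the log check is the kind of signal that would have surfaced the Giggle-style harvesting early, since a legitimate client rarely has a reason to request other users' records in sequence.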

👀 👉🏼 https://palone.blog/#post-who-reports-the-low-hanging-fruit-security-issues-158

#palone #blog #security #issues #IDOR
📡 @cRyPtHoN_INFOSEC_DE 📡 @cRyPtHoN_INFOSEC_EN 📡 @BlackBox_Archiv 📡 @NoGoolag