Yahoo Fantasy Address Raider
-
http://uk.fantasytrader.yahoo.net/cgi-bin/digitalcorporate/yahoo/registration.cgi?action=edit_profile&user_id=12345
That's right - pick any user_id you want... my apologies in advance to Mr Jacob, above.
-
Oh, genius!
-
But wait, there's more! Any changes you make get saved, even though it logs you out in the process. Now somebody write a script to randomly add "fnord" to all the profiles.
-
Holy hell.
-
@Faxmachinen said:
But wait, there's more! Any changes you make get saved, even though it logs you out in the process. Now somebody write a script to randomly add "fnord" to all the profiles.
Now this could be too much fun.
-
The best part is the repeated text, "This will not appear to other players" on the name lines.
Maybe not, but it appears to us!
-
Oh. my. god.
-
:|
you can't be fucking serious.
...
that's AWESOME.
-
Where is a good hacker when you need one.. ;)
We can sell a lot of email addresses this way :p
-
"Good" hackers don't sell email addresses. That's the job of "evil" hackers and script kiddies and such.
People who like to play with querystrings though, we just have conversations with each other in the optional lines of random people's yahoo fantasy trader profiles.
-
Just... Wow...
-
@misguided said:
"Good" hackers don't sell email addresses. That's the job of "evil" hackers and script kiddies and such.
People who like to play with querystrings though, we just have conversations with each other in the optional lines of random people's yahoo fantasy trader profiles.
Yeah. Plus, email addresses are sold for dollars a megabyte, so it's not exactly a get-rich-quick scheme.
-
@rbowes said:
Yeah. Plus, email addresses are sold for dollars a megabyte, so it's not exactly a get-rich-quick scheme.
So you just need to sell a few very long email addresses... And the real WTF is of course that you know the price of email addresses ;) What business were you in again?
-
@Daid said:
@rbowes said:
Yeah. Plus, email addresses are sold for dollars a megabyte, so it's not exactly a get-rich-quick scheme.
So you just need to sell a few very long email addresses... And the real WTF is of course that you know the price of email addresses ;) What business were you in again?
Haha @ long addresses. I'm a security researcher, so I sort of know what's going on on the Dark Side. By the time I find out, it's probably already outdated, though.
-
@Daid said:
@rbowes said:
Yeah. Plus, email addresses are sold for dollars a megabyte, so it's not exactly a get-rich-quick scheme.
So you just need to sell a few very long email addresses... And the real WTF is of course that you know the price of email addresses ;) What business were you in again?
The Price of E-Mail sounds like some fucking terrible revisionist-history ABC documentary about how much Al Gore and his family had to sacrifice while inventing the internet. heh.
-
Worst security in the wild (for something serious) EVER.
-
The real WTF is that name, "Wilbledina". Seriously, WTF?
-
I....wow...this... this is like giving a pyro a can of gas and a lighter.
(I can't even pretend to have something intelligent to say about this...)
-
Ok, speak up: who entered this: x'go DROP TABLE sysobjects; --
You got one chance to tell, or I'll hack you as well :)
-
Oh wow, this is just amazing... How the hell did you find this?
*changes a man's name to "I Like Cheese" *
-
If anyone would like some guilt-free hacking, I've just created account number 16082. Feel free to bugger it up. ;-)
-
Unbefuckinglievable!
-
Going by the first few registered emails, I'm guessing that digitallook.com made this site.
Check out digitallook.com; the site looks like it has perdy weak security also.
-
If you were malicious, you would notice at the bottom of the Yahoo! Fantasy Trader homepage that their setup is provided by a company called Digital Look Corporate Solutions, who, after a short bit of Googling, turn out to also interface/integrate with E*Trade - only this time, real money and real accounts, not a game. Now, what are the odds the same developer...
Exercise left to the reader.
-
Wow. Why bother with numerical IDs? It accepts usernames, too:
http://uk.fantasytrader.yahoo.net/cgi-bin/digitalcorporate/yahoo/registration.cgi?action=edit_profile&user_id=Willyjakes33
-
@PSWorx said:
The *real* WTF is that name, "Wilbledina". Seriously, WTF?
Yeah that was me. When I got there it was "Will_". I'm assuming the original name was "Will" and someone tested by adding an underscore.
I happened to be in a "Garbledina" type of way, and I guess the result wasn't pretty.
-
Wow. That is a horrible failure.
-
So many user_ids and so little time... I should write a script
-
Service temporarily unavailable
Noooooooooo!
-
@JukeboxJim said:
If you were malicious, you would notice at the bottom of the Yahoo! Fantasy Trader homepage that their setup is provided by a company called Digital Look Corporate Solutions, who, after a short bit of Googling, turn out to also interface/integrate with E*Trade - only this time, real money and real accounts, not a game. Now, what are the odds the same developer...
Exercise left to the reader.
Well, if you view the source of the E*Trade login page, you will find this comment:
<!--I think the last condition is the one that works-->
No need to say more, right?
-
@rc_pinchey said:
If anyone would like some guilt-free hacking, I've just created account number 16082. Feel free to bugger it up. ;-)
Of course, now they've disabled the profile-editing facility, I'm stuck with my (slightly borked) account details...
"Welcome fnord Tufnel%20%00 your game account has been set-up and you are now in your home area. From this page you can link to all the other relevant sections of the game."
-
@Faxmachinen said:
Now somebody write a script to randomly add "fnord" to all the profiles.
And now my user name is fnord Tufnel%20%00... did someone...?
No. No, it couldn't be.
-
@rc_pinchey said:
@Faxmachinen said:
Now somebody write a script to randomly add "fnord" to all the profiles.
And now my user name is fnord Tufnel%20%00... did someone...?
No. No, it couldn't be.
For we are trustworthy.
-
The scripted changes got the attention of their users. Now they verify the userid against your login credentials. If you try to use the link, it says your session has expired.
-
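Editor's added illustration (not code from the thread, and not the site's own CGI): a minimal model of the `edit_profile` action as the thread describes it, first trusting the `user_id` query parameter (any logged-in user can edit any profile, whether addressed by number or by username), then with the check the thread reports was added afterwards, where the target must match the logged-in session. All profile data, session ids and function names here are constructed assumptions.

```python
"""Model of an insecure-direct-object-reference bug and its fix.

Constructed example: the profile store, the session ids and the handler
names are assumptions for illustration, not the real site's code."""
from urllib.parse import parse_qs, urlsplit


def make_store():
    """Fresh constructed profile store keyed by numeric user id."""
    return {
        12345: {"username": "Willyjakes33", "display_name": "Will", "email": "will@example.invalid"},
        16082: {"username": "rc_pinchey", "display_name": "Tufnel", "email": "rc@example.invalid"},
    }


def resolve_user(user_id, store):
    """Accept a numeric id or a username, as the thread observes the site did."""
    if user_id.isdigit():
        uid = int(user_id)
        return uid if uid in store else None
    for uid, profile in store.items():
        if profile["username"] == user_id:
            return uid
    return None


def parse_request(url):
    """Return (action, user_id) from a registration.cgi-style URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("action", [None])[0], qs.get("user_id", [None])[0]


def edit_profile_vulnerable(url, session_user, changes, store):
    """Trusts user_id from the query string: authentication only, no authorization."""
    action, user_id = parse_request(url)
    if action != "edit_profile" or session_user is None:
        return {"status": 401}
    uid = resolve_user(user_id or "", store)
    if uid is None:
        return {"status": 404}
    store[uid].update(changes)          # edits whoever the URL names
    return {"status": 200, "edited": uid}


def edit_profile_fixed(url, session_user, changes, store):
    """Same handler with the missing authorization check added."""
    action, user_id = parse_request(url)
    if action != "edit_profile" or session_user is None:
        return {"status": 401}
    uid = resolve_user(user_id or "", store)
    if uid is None:
        return {"status": 404}
    if uid != session_user:
        # Reject instead of editing; the site's later behaviour reported in the
        # thread ("your session has expired") is this branch.
        return {"status": 403, "error": "user_id does not match session"}
    store[uid].update(changes)
    return {"status": 200, "edited": uid}


if __name__ == "__main__":
    url = ("http://uk.fantasytrader.yahoo.net/cgi-bin/digitalcorporate/yahoo/"
           "registration.cgi?action=edit_profile&user_id=12345")
    print(edit_profile_vulnerable(url, 16082, {"display_name": "fnord"}, make_store()))
    print(edit_profile_fixed(url, 16082, {"display_name": "fnord"}, make_store()))
```

The comparison `uid != session_user` is the whole fix; the cleaner design is to drop `user_id` from the edit URL altogether and derive the target from the session, so there is no client-supplied identifier to check in the first place. Accepting both numbers and usernames, as the site did, only widens what an attacker can enumerate and is worth removing too.
-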
You think we did that, Good Hackers we are?
-
@dhromed said:
You think we did that, Good Hackers we are?
I think we did. Now I, fnord Tufnel%20%00, can rest sound in the knowledge that my details are safe from prying eyes.
Three cheers for us, the good guys!