The bigpug Moon
-
Video explains it all:
https://www.youtube.com/watch?v=CgJudU_jlZ8
-
Ok well I'm at work so a video is not helpful to me. There's no write-up?
-
Seen it on twitter today. Incredible.
Having code this incompetent is a screwup. but it happens. Not fixing it for two fucking years after being informed is inexcusable.
-
Company uses sequential numbers as authorization tokens.
-
Oh THAT bug.
Here it is in text format: http://www.dailymail.co.uk/sciencetech/article-2899243/Moonpig-security-flaw-exposes-details-3-MILLION-customers-Greeting-card-website-suspends-apps-reports-bug.html
Here's the original "white hat's" blog entry: http://www.ifc0nfig.com/moonpig-vulnerability/
-
-
The company was using sequential user IDs as security tokens.
-
You can just use user ID after user ID, and download all the user data they have (partial credit card numbers, full personal info, etc.).
-
Security tester informs them and they keep quiet for over a year and do nothing.
-
-
Never used Moonpig.
And now I never will.
-
-
That, and I don't send greeting cards; they're nothing but overpriced tat.
-
The company was using sequential user IDs as security tokens.
This is not bad by itself. The bad thing is that they aren't doing any sort of data ownership check. I mean, the logic they failed to apply is:
- Get user 123 details
- Is logged in user 123? No it's 124!
- 404
Something so simple.
Anyway, using the same IDs of the database for the endpoints is a bad idea, but I wouldn't do it. In this case a UUID is much better, and the one used by MongoDB is quite good because it includes several things in it which can be useful but are very hard to generate by an attacker. For example:
GET /user/54a84230e232462f611f9441/details
Versus
GET /user/1234/details
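The ownership check described above, as an added example that is not code from the thread or from the site in question: a vulnerable handler that trusts the ID in the URL beside a hardened one that derives identity from a server-side session (random token, not the user ID) and returns 404 when the record is not the caller's. The user store, session map and IDs are all constructed for the example.

```python
import secrets
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed in-memory "database": sequential IDs, like the thread describes.
USERS: Dict[int, dict] = {
    123: {"name": "Alice", "card_last4": "4242", "postcode": "AB1 2CD"},
    124: {"name": "Bob", "card_last4": "1111", "postcode": "EF3 4GH"},
}

# Server-side session store: random token -> authenticated user ID.
SESSIONS: Dict[str, int] = {}

Response = Tuple[int, Optional[dict]]


def login(user_id: int) -> str:
    """Issue an unguessable session token instead of using the user ID as the token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def vulnerable_details(_principal: object, requested_id: int) -> Response:
    """GET /user/<id>/details with no ownership check: the URL ID is trusted as-is."""
    record = USERS.get(requested_id)
    return (404, None) if record is None else (200, record)


def hardened_details(token: str, requested_id: int) -> Response:
    """Same endpoint with authentication and a data-ownership check."""
    session_user_id = SESSIONS.get(token)
    if session_user_id is None:
        return 401, None                      # no valid session at all
    if session_user_id != requested_id:
        return 404, None                      # not yours; 404 avoids confirming the ID exists
    record = USERS.get(requested_id)
    return (404, None) if record is None else (200, record)


def count_readable(handler: Callable[[object, int], Response],
                   principal: object, ids: Iterable[int]) -> int:
    """Audit helper: how many records one caller can read by walking an ID range."""
    return sum(1 for uid in ids if handler(principal, uid)[0] == 200)
```

With the vulnerable handler one session reads every record in the range; with the hardened one it reads exactly its own.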
-
Is logged in user 123? No it's 124!
Every mobile user was logged in with the same username/pass. Hard-coded.
-
I am disappoint. I was hoping this was about Al Gore.<ManBearPig, of course>
Filed Under: Excelsior!
-
That's ManBearPig
I spy a title change coming...
-
Yes, I know. But a quick look and that's all I can think of!
-
The login token was their user ID, so all you had to do to convince the server that you were logged in was to send your user ID (or someone else's)
-
Dailyfail link ...
In any case, yeah, heard about this today. Similar thing here:
Mr Moore discovered that by altering ID numbers in the site's URL, or web address, different records would be automatically downloaded without any additional security measures.
Except this wasn't just crap XMAS cards.
-
Fuck you. You British have about 47 newspapers and any time I link one I get bitching about how bad it is. How about you figure it the fuck out and get back to me?
-
FYI, the Dailymail probably ran a "Princess Diana story" as their main story after the twin towers fell.
-
Well, you could get the 9/11 stuff anywhere.
-
It was an exaggeration, but I wouldn't be surprised if they had.
-
The point of you can't expect Americans to know which papers are good and which are not. Here in the US we solved this problem by making all our papers shit.
-
The Dailymail is kinda infamous, I have spoken to American friends and they made the dailyfail reference before I did. In any case the paper is possibly the worst paper ... at least the Dailystar has boobs.
-
at least the Dailystar has boobs.
Wait, boobs in the newspaper?
Filed under: Maybe print isn't dead!
-
Wait, boobs in the newspaper?
For years, newspapers in the UK were split into two kinds. “Serious”, with real news, and “tabloid”, with real boobs.
-
For years, newspapers in the UK were split into two kinds. “Serious”, with real news, and “tabloid”, with real boobs.
The problem is nowadays, the 'serious' papers are almost as bad as the 'tabloids'.
-
-
-
well, I wouldn't go that far
Hey, they started out real.
The problem is nowadays, the 'serious' papers are almost as bad as the 'tabloids'.
You read the Times or the Daily Fail? (I assume you don't read the Indy; it's just so… lightweight…)
-
You read the Times or the Daily Fail? (I assume you don't read the Indy; it's just so… lightweight…)
I don't read any papers at all
-
I don't read any papers at all
You're missing out. The Grauniad and the Torygraph are reasonable papers (with very different political persuasions) in that they actually bother to get people to write for them who can both think and put a decent argument down on paper.
-
The problem is nowadays, the 'serious' papers are almost as bad as the 'tabloids'.
I'm sure they always were, but in different ways so that everyone could pretend that they weren't.
-
You're missing out. The Grauniad and the Torygraph are reasonable papers (with very different political persuasions) in that they actually bother to get people to write for them who can both think and put a decent argument down on paper.
I have never seen much out of the "Torygraph" (not that caught my eye), but the Grauniad is pretty embarrassing. It's the Daily Fail with a better pedigree but equivalent muck. Not that I will argue that it isn't perceived as respectable by the bien pensant.
-
Here in the US we solved this problem by making all our papers shit.
I think that's also how it works in UK.
Poland, OTOH, has one serious newspaper which everybody hates, and two tabloids which everybody officially hates, but reads anyway. A bit different for magazines - there are "the evil ones" (leaning towards the ruling party) and the ones that speak "absolute truth" (leaning towards the opposition).
Wait, boobs in the newspaper?
One of our tabloids kept running the topless models on the last page. You know, the one that's visible when you put the paper into an expository sleeve for everybody to see.
Now that's some real balls.
-
FYI, the Dailymail probably ran a "Princess Diana story" as their main story after the twin towers fell.
I thought that was The Express?
Wait, boobs in the newspaper?
Yes. See Also: The Sun. If it's safe for Page 3 of a daily UK national paper, it'll probably be SFW. Unless you're in the US in which case it's probably NSFW.
-
I thought that was The Express?
Yes, it is normally the Express that runs Diana stories.
@PJH said:Yes. See Also: The Sun. If it's safe for Page 3 of a daily UK national paper, it'll probably be SFW. Unless you're in the US in which case it's probably NSFW.
Maybe, maybe not; I'm not going to risk it though.
-
Amurika, the land of the prudes.
-
This seems like as good a place as any to post this question:
Why the fuck do we have separate toilet rooms? It's not like you're going to accidentally see someone's junk. You'd have to stick your head into a stall or behind the divider between the urinals in order to do that.
-
Why the fuck do we have separate toilet rooms?
You mean why do we have individual stalls rather than one long communal trough?
-
No, why do we have separate rooms full of stalls for men and women?
-
Because Jesus?*
* and that's actually a semi-serious answer...
-
Which toilet does a transgendered woman go into?
I will accept any definition of "transgendered woman".
-
The ladies' is customary I believe...
-
No, why do we have separate rooms full of stalls for men and women?
To humiliate women with long queues.
To be honest I don't think anybody does it consciously, but most of the time it turns out like that. Because using a urinal is much faster, turnaround in the men's restroom is much faster than in the women's, so the women's restroom should have more stalls to have matching capacity. However in practice very few builders respect that and women's restrooms often end up seriously undersized.
divider between the urinals
Most toilets I've seen don't have those. The urinals are usually side-by-side without a divider. Or sometimes there is even just a pee wall.
-
Or sometimes there is even just a pee wall.
Every wall is a pee wall if you're brave enough.
-
Why the fuck do we have separate toilet rooms?
I've been places with unisex toilets, so they exist.
It does just mean you're queueing with the women though.
-
Or sometimes there is even just a pee wall.
There are a few pubs I've been to where the trough is lightly frosted glass so you can have a view of the dance floor while going. There's only a difference in light for privacy!
There was a controversy over some public urinals too. http://mobile.abc.net.au/news/2014-12-23/complaints-about-public-open-air-urinals-on-gold-coast/5986142
A few months ago I was in a tdwtf debate over urinal troughs: at that time virtually all my urinating outside my own house was into a trough. Office, shopping centre, bus station, theme park, pub. Well, several of those have been refurbished and individual urinals put in, and a change of office has resulted in inverting the ratio.
-
I prefer the metal trough found in awful pubs in the UK.
It is the best when the flush comes on while in the act ... It is kinda like you are pissing Niagara Falls.
-
I've been places with unisex toilets
We have sanitary areas with three options: a urinal, a men's and a ladies'. Everybody can check that you are a dirty poo-slinging monkey or are washing your hands properly.
-
Everybody can check that you are a dirty poo slinging monkey or are washing your hands properly.
-
That chart is missing the "My mom used to yell at me so hard to do it that all I can hear is her screams if I don't"... or "trauma" if that's too long for you.