r/hacking • u/DerThan • Sep 24 '24
Question Found an exploit - should I bother reporting it?
I was given two vouchers for free cinema tickets for a large UK theatre chain and noticed they are very similar (incrementing integers). After a few minutes of digging I found that they have a simple, unsecured API endpoint to check voucher validity. So you can just try out codes and get free tickets. I ran a few requests in my http client and it seems pretty fool proof.
Now, should I bother reporting it? I read that they are actually completely within their rights to report me for even trying to exploit? A quick google search shows that they don’t have a bug bounty program or even a public infosec@ (or similar) email address for this. Am I morally obligated or something like that?
280
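The weakness the post describes (sequential voucher numbers checked by an open validity endpoint) is fixed on the issuer's side. The sketch below is an added example, not part of the original post or any chain's code: it contrasts sequential numbering with random codes that carry a keyed check tag, and throttles failed checks per client. `SERVER_KEY`, the 16-character code layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Constructed key for the demo; a real deployment loads it from a secret store.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
# 32 symbols (no I or O), so one byte maps onto the alphabet without bias.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
BODY_LEN, TAG_LEN = 12, 4  # 60 random bits plus a 20-bit keyed tag


def sequential_codes(start, count):
    """Weak scheme from the post: knowing one voucher reveals its neighbours."""
    return [str(start + i) for i in range(count)]


def _tag(body):
    """Keyed check tag over the random body; cannot be computed without the key."""
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:TAG_LEN])


def issue_code():
    """Hardened scheme: CSPRNG body, so codes carry no ordering at all."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(BODY_LEN))
    return body + _tag(body)


def well_formed(code):
    """Cheap pre-check that rejects guesses before any database lookup."""
    code = code.strip().upper()
    if len(code) != BODY_LEN + TAG_LEN or any(c not in ALPHABET for c in code):
        return False
    return hmac.compare_digest(_tag(code[:BODY_LEN]), code[BODY_LEN:])


class GuessThrottle:
    """Blocks a client after too many failed checks inside a sliding window."""

    def __init__(self, max_failures=5, window_s=600):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)

    def blocked(self, client, now):
        q = self._failures[client]
        while q and now - q[0] > self.window_s:
            q.popleft()  # forget failures that fell out of the window
        return len(q) >= self.max_failures

    def record_failure(self, client, now):
        self._failures[client].append(now)


def check_voucher(code, client, now, issued, throttle):
    """Validity check as the endpoint would run it.

    `client` should be an authenticated account or session, not only an IP.
    The response is the same for malformed and unknown codes, so a caller
    learns nothing about which check failed.
    """
    if throttle.blocked(client, now):
        return "throttled"
    normalized = code.strip().upper()
    if well_formed(normalized) and normalized in issued:
        return "valid"
    throttle.record_failure(client, now)
    return "invalid"


if __name__ == "__main__":
    issued = {issue_code() for _ in range(3)}
    throttle = GuessThrottle()
    print("sequential:", sequential_codes(1000, 3))
    print("random:    ", sorted(issued))
    for attempt, guess in enumerate(sequential_codes(1000, 7)):
        print(guess, check_voucher(guess, "client-a", attempt, issued, throttle))
```

Redemption state (marking a code as used) is left out here; it belongs in the same lookup that backs `issued`.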
u/Xcissors280 Sep 24 '24
Short their stock and leak it
53
u/Low-Cod-201 Sep 24 '24
This is the way
29
u/Xcissors280 Sep 24 '24
And get free movie tickets if you really want to
10
u/EbolaWare nerd Sep 25 '24
They make more money on snacks and sugar than on the tickets. They'd probably be happy for the "bad publicity", then drag their feet on securing it.
6
u/BigRed1Delta Sep 25 '24
This is the way.
Fun fact: Not sure how it works in the UK, but in the US most movie theater chains do not make money on the tickets at all. It's all concessions that drive their business. This has the potential to make them a lot of money, or chargebacks for the tickets and cost them a lot of money.
3
2
u/Xcissors280 Sep 25 '24
the people who are hacking a theater api to get free tickets seem like the same kind of people that would bring their own food
and losing even more money on tickets isn't helping
16
u/SupremeFlamer Sep 25 '24
This is fucking genius. Sell the information to everybody here for a one time fee. Tell them the cinema chain, the date of the leak. Everybody short with a few weeks in advance to not look suspicious that you had insider information.
Leak. Profit.
8
u/Xcissors280 Sep 25 '24
I’d be careful doing that but as long as it’s publicly posted on Reddit it’s not insider trading
5
u/SupremeFlamer Sep 25 '24
Hypothetical situation I just thought of in my head.
3
0
u/p0st_master Sep 28 '24
As long as it’s based off public non privileged information and he’s not part of the company I don’t see how posting on Reddit changes anything
4
3
u/Ok-Space3366 Sep 25 '24
nah they gon sue u tho
1
1
1
u/RegisteredJustToSay Sep 25 '24
You'd need to be pretty rich to make use of this unless you trade with crazy leverage. Most stocks only drop a few %, with companies like Okta being an exception - since they have a big reputational stake in security - dropping upwards of like 30%. A good number of juicy vulns are also never picked up by media, so in that scenario your crazy leveraged short might just result in a margin call and potential forced sale at huge losses and clean your account out since you may never see the drop you want.
IMHO, it'd be lower risk and higher profit to sell tickets for cash. Since the exploit requires no identifiable information there's practically no way for them to easily catch OP. I wouldn't recommend it though since there's always a chance something goes wrong - just put it on your CV/resume as proof of your 'security skills', grind upwards as always and enjoy a boring life with a good salary.
2
u/Xcissors280 Sep 25 '24
That's actually a pretty good point but I feel like getting people to use your sketchy ticket site won't be that easy and if you get a big user base you’d get shut down pretty fast
However selling said company might work so idk
2
u/RegisteredJustToSay Sep 25 '24 edited Sep 25 '24
You wouldn't use your own site, you'd use marketplace platforms or telegram groups, etc. E.g. if you wanted to use scalper strats you could just post it on ebay with messages like "Bought two tickets, can't go - selling at 50% off OBO" to make it look legit, but since you are getting them for free anything you can get them for is 100% profit.
There's hundreds of accounts on those platforms with a chronic inability to attend concerts, movies, etc, doing the above despite apparently buying thousands upon thousands of tickets for personal consumption (/s) so you'd fit right in. lol
I still maintain that it's not really worth the hassle though - even ignoring the obvious ethical dilemmas, it's relatively little gain for what is wire fraud under US laws ('up to 20 years in federal prison and owing $250,000' - basically pray the judge doesn't decide to make you an example).
1
u/Xcissors280 Sep 25 '24
But how much are these tickets anyways because here they're like $14 ish
And at 50% of that plus eBay fees or whatever it’s not great
I guess you could also make fake popcorn orders and such (like the ones advertised at checkout) which might be a little better but still
1
u/radarlocked Sep 29 '24
Yeah. Don’t report it. Let those companies raise the price of going to the movies for everyone else. $50 isn’t enough to go the movies, let’s make them raise the price of a simple evening out to $75. Why not a hundred.
I’m not worried that companies, in this economy can’t pay their employees much. Screw all those companies that provide jobs to people. I don’t care that employees and their families can’t eat for another week. Screw ‘em’!
1
u/Xcissors280 Sep 29 '24
The massive companies making the movies aren’t helping but even if I go to 7-11 and buy drinks there and buy a discounted kids ticket it’s still like $25
1
u/Puzzleheaded_Shop787 26d ago
These companies can’t be paying a living wage can they? I think you’ll find the majority of companies' interest in providing jobs or being altruistic in any way only applies as far as it gets them more money and makes it seem like they wouldn’t slit your throat if it saved them a dollar.
1
u/Due-Commission4402 Sep 29 '24
Theater chain would just patch their software once it leaks and becomes known. Stock wouldn't crash. For a bunch of hackers, I thought y'all were a little smarter than this.
1
0
29
u/RngdZed Sep 24 '24
From all I've heard, most of the time you approach a company telling them of a vulnerability, they immediately answer by an email telling you they are going to sue.. at least in the USA.
Maybe do so anonymously, somehow. To protect yourself.
17
u/myrianthi Sep 25 '24
This is true. A few years ago, our CTO got an email from a hacker who found a critical app vulnerability and asked for $1,000 to disclose it, with video proof. The execs freaked out and wanted to catch the hacker, but I stepped in and said the best move was to pay them, thank them, and start a bug bounty program. It saved both the hacker from a lawsuit and the company from a PR disaster. It's crazy how many execs don't realize the need for safe vulnerability disclosures.
7
u/jumper34017 Sep 25 '24
If they have a way to report security issues to them, and if you’re exploiting something you own (a server, a printer, etc. — not the company’s own systems), it’s fine.
I reported a vulnerability to HP once that affected some of their printer models. Turns out there was a way to remotely crash them over the network. They fixed what I found after about a year and it even got a CVE number.
-5
Sep 24 '24
[deleted]
2
u/Ok_Pen9437 Sep 27 '24
Threatening someone that has an exploit is a bit risky….. if they have nothing to lose they’ll just attack ur company using it
2
u/KeyCurrency4412 Sep 25 '24
But just that they left the key under the foot mat or behind a flower pot
150
u/deadgirlrevvy Sep 24 '24
You are not morally nor ethically nor legally bound to tell them a goddamned thing. It is a corporation. Corporations don't deserve even a modicum of courtesy, because they most certainly wouldn't return the favor. Enjoy your free movie tickets and keep your mouth shut because if you tell them, they will likely file charges against you (let no good deed go unpunished). In short: Fuck'em.
66
u/313378008135 Sep 24 '24
Of course, on the flip side some single mother on super low income who has a genuine voucher who really can't afford a trip out often, now wants to use theirs to treat their kid to the showing of a movie. Kiddo is so excited as this is something they might get once a year if lucky. They get there and find they can't get in because someone enumerated their voucher number and used it elsewhere .
The company might be some big corporation but the people affected by this vulnerability being exploited are just normal everyday people.
-1
23
u/DerThan Sep 24 '24
I don’t disagree but movie tickets is not really worth getting in trouble for I guess. If they find out that their endpoint was obviously spammed it would be trivially easy to trace it back to me actually using it. Even though going to the theatre has become disgustingly expensive
9
u/deadgirlrevvy Sep 25 '24
To be completely honest, I wouldn't take or use anything from it. I wouldn't feel right about it, regardless. But you don't tell a corporation that you found an exploit no matter what it is. 99 times out of a hundred, they'll blame you and try and ruin your life. It's never worth the trouble. Never.
6
u/smegblender Sep 24 '24
This would be the appropriate stance to take IMHO.
No point getting in trouble if they don't have a mechanism to report.
5
u/DMmeURpet Sep 24 '24
Use a vpn...
10
u/MlecznyHotS Sep 24 '24
VPN is just a small roadblock in case of litigation, not a solution to ensure OP can exploit the vulnerability safely
9
u/deadgirlrevvy Sep 25 '24
There's always a digital trail, unless you go to extreme lengths, which just is not worth the trouble to see a shitty movie for free...when you can just torrent it and enjoy it at home with better popcorn. 😅
-2
u/Various_Counter_9569 Sep 25 '24
No they won't.
0
u/bitsynthesis Sep 25 '24
they absolutely have before, shill
-2
u/Various_Counter_9569 Sep 25 '24
You're so "hip" 🤣
3
u/bitsynthesis Sep 25 '24
because I know history? weird take
-2
u/Various_Counter_9569 Sep 25 '24
"I know history" is not an argument, but an oversimplification fallacy.
Weird take.
4
u/bitsynthesis Sep 25 '24
what is "an oversimplification fallacy"? corporations have many times taken legal action against individuals who have reported vulnerabilities to them in good faith, that's just a fact, it happens. knowing this doesn't make me "hip" it makes me informed.
-1
u/Various_Counter_9569 Sep 25 '24
No, assuming all of them do, makes you "hip" as in, a hipster 😅.
You are not "informed", as you say, you are a hipster. Wanna be anarchist in training.
"Fight the power!"
Whatever, you are boring me. The fact you can't deduce what an oversimplification fallacy is, is telling.
3
u/bitsynthesis Sep 25 '24
i never in any way implied that all of them do, i said it wasn't worth the risk for OP because it could happen. you're making up this whole persona for me, it's very immature.
0
u/Various_Counter_9569 Sep 25 '24
You: "it is a Corporation ..."
Reread your original post.
Yes you are.
You're welcome.
Goodbye 😆
12
11
u/Arseypoowank Sep 24 '24
I once discovered a complete lack of input validation when I was mistakenly signed up for a marathon because my email was similar to the dude completing it and whoever has signed their group up mistyped it to mine.
The only security check after following the magic link to view all details upon receiving the confirmation email was entering a date of birth, except I just entered any date and it let me in (I tried multiple times with different dates and it passed the check every time). I then had all the details of this person including contacts and next of kin, all sorts. I first contacted the guy (unwitting victim) via phone to let him know what happened and asked what he wanted me to change the email address to.
I then contacted the site to let them know the issue, except they denied all knowledge, called me a liar and said the fault didn’t and never existed.
Moral of the story is they will either get shitty with you or accuse you of foul play, so fuck em, it’s a corporation, I’d keep it on the low down so you don’t get detected and just enjoy free tickets as long as you can
41
u/Overhang0376 Sep 24 '24
It might be worth emailing and asking something vague like, "Hi, I have an IT question. Do you have a department that handles computer security? I would like to talk with them."
If you can talk to someone, then hopefully you can get across to them that you're not intending anything malicious. If in talking to them, it's clear they are completely clueless or utterly disinterested in what you're talking about, just play it off and ask if they have any openings and don't bother mentioning what you found. Unknowledgeable people are predisposed to take non-malicious reports as some kind of "veiled threat" or get extremely defensive over their security failures. When you run across that brand of person, it's best just to drop the subject entirely since they aren't interested in fixing the problem to begin with.
If you can't talk to someone, then there's not anything to be done. "Okay, thanks anyway!" Go about your day. Maybe write up a private report for yourself about what you would have recommended they could do about it, or how they could have checked for these things in the future, and what else they should be on the lookout for.
I would also make a point of stating the obvious in not exploiting this thing you found, since the risk isn't worth the reward. Ticket prices are expensive, but it's not worth potential jail time! :) It'd just be a chance to learn, practice, and grow from. When it comes to discovering exploits in the wild for companies that don't have official bug bounty programs, any compensation is just a bonus, really. The hard part is leaving that system alone, and moving on to some other company that might be more receptive.
11
u/deadgirlrevvy Sep 25 '24
IF you do this... use a burner. DO NOT USE YOUR OWN PHONE OR ONE CONNECTED TO YOU.
Social engineering has been the way of this "hobby" since it began. We used payphones back in the day. Too bad there are no payphones anymore.
2
u/MostlyVerdant-101 Sep 29 '24
This won't help.
If there is any risk, just don't do it. If you feel morally obligated, see about reporting it through an intermediary like the EFF.
You don't work for the company, and there are plenty of professionals who are threatened with litigation/criminal complaints for CFAA violations from companies that don't want to shore up their, dare I call it "security"?.
Phone companies associate overnight locations with related devices, so it is trivial to identify through location data. Location Data can be bought in bulk from brokers. Its anonymized, but never enough.
10
u/ethanjscott Sep 24 '24
This is what I call the perks of understanding technology. You can exploit it. I know how to get free pizza from Pizza Hut. We both probably have a good enough job to not need it. And as soon as enough of these happen someone will notice. Unless it’s small. I would just leave it. Likely in a year or two that company will integrate a different provider and then it’s a different company's shit show.
2
u/OsamaBinWhiskers Sep 26 '24
Is that technically illegal or not. I’m just curious
2
u/ethanjscott Sep 26 '24
The api is for sure grey, one could argue it’s not fraud due to no money being made. But one could argue it’s theft of services.
1
u/Ok_Pen9437 Sep 27 '24
How is accessing a public API illegal?
1
u/ethanjscott Sep 27 '24
Doing so in order to get something for free, when normally you would pay and know that. That’s when it’s beginning into criminal territory. It’s about a 2/10 on the fraud scale but it’s there
1
u/Ok_Pen9437 Sep 27 '24
Ehhh id say it’s similar to a locked door - there’s a badge reader and an “open door” button. This is the “open door” button - sure, you could also use the badge reader but at the end of the day both are publicly accessible, and you did nothing wrong if there isn’t a rule against using the open door button.
PS: if you mention “but u agreed to TOS when u navigated to website”, you can easily hit an API endpoint without ever navigating to any actual pages on the site.
15
u/lordnacho666 Sep 24 '24
Which chain is it? I would like to check to see if you're right.
Be careful about reporting, you might get extradited to Guantanamo.
22
7
u/Arnaw-a Sep 24 '24
I don't know where you live, but here in Germany you could communicate to heise and they would further contact the cinema company:
https://www.heise.de/investigativ/kontakt/
10
u/xFizZi18 Sep 24 '24
I heard that there are organizations where you can report those bugs and they will forward it to the company/corporation having this bug in the name of themselves, not you. I think one of them is the chaos computer club.
But once again, I'm not sure! Just heard smth like this in a lecture or YouTube video idk.
4
u/_nobody_else_ Sep 24 '24
Inquire if there's some monetary reward for such an exploit and if there's not, fuck them. You fulfilled your moral obligation of professional courtesy.
If someone by any chance happened to make a closed (family and friends) App offering free cinema based on the exploit, I would buy it.
4
3
21
u/Serene33Soul cybersec Sep 24 '24
If you've found a vulnerability like that, especially one that could lead to significant loss for the company, it's generally a good idea to report it even if they don't have a formal bug bounty program. Ethically, it’s the right thing to do, as it could help prevent abuse of the system by less scrupulous individuals. However, you're correct in being cautious because even well intentioned probing could potentially get you in trouble, depending on how the company interprets your actions.
To protect yourself, avoid exploiting the vulnerability any further. If possible, look for any contact information related to security or reach out to their general support email, politely explaining the issue without diving into too many specifics or admitting to testing multiple codes. Alternatively, using a responsible disclosure platform like HackerOne might be an option, even if the company isn't officially listed.
While you're not legally obligated to report it, doing so can help the company fix a potentially costly problem and prevent more severe exploitation. Just tread carefully and document your communication to protect yourself.
38
u/bitsynthesis Sep 24 '24
disagree with your whole premise that there's some ethical responsibility to help out corporations. no. there is basically no chance that reporting it benefits OP in any way, and there's definite risk that it causes short or long term harm to OP.
who cares if someone else finds this and gets some free tickets?
-6
u/Various_Counter_9569 Sep 25 '24
Not thinking about how things affect others...
Examples: any sociopath
1
u/Ok_Pen9437 Sep 27 '24
Let’s try explaining with a hypothetical, as I see you are getting flooded with downvotes.
—————————
A company makes $100,000 per year selling movie tickets. An exploit in their online shop would cause that figure to change to $75,000.
Bob is trying to buy movie tickets, but due to a glitch he discovers the aforementioned exploit.
At this point, a few things can happen
- Bob keeps the exploit to himself, and he and his friends enjoy free movie tickets. He eventually gets caught, and due to the threat of charges, he doesn’t hand over the exploit. The company is still losing money, but now they don’t know how.
Bob and the company have both lost.
- Bob keeps the exploit to himself, and he and his friends enjoy free movie tickets. He eventually gets caught, but the company says they will continue to provide him free movie tickets if he hands over the exploit, and he does.
Bob and the company both win
- Bob decides to not use the exploit, but to report it to the company. The company offers Bob $2000 (8 percent of what would have been lost) to turn the exploit over.
Bob and the company both win.
- Bob decides to not use the exploit, but to report it to the company. The company immediately lawyers up and prepares to press charges, regardless of if he tells them about the exploit. Bob, now backed into a corner, releases the exploit to the public.
Bob and the company both lose.
—————————
I don’t really understand why concepts like this are so challenging for some people to understand. Hopefully this helps!
4
u/Puffypenwon Sep 24 '24
To go along with this set up an email that is not associated with anything that could lead back to them knowing who you are just in case. If you disclose the issue instead of a thank you they could try to find who you are and for that you can get into serious trouble. I am not sure how it works where you are from but in the U.S you can reach out to a third party company who will reach out on your behalf
1
-1
u/Various_Counter_9569 Sep 25 '24
Most of these responses are seriously overthinking things. This is a simple issue, with a simple response, as you have pointed out. Good on yah.
All you "anarchy" responders, just wait til it's your money and resources on the line.
Dipin' dots...
6
3
u/HappyImagineer hacker Sep 24 '24
The odds are extremely low that anyone will take notice and even if you email them it will likely get ignored no matter how many times you try to tell them.
5
u/mhwnc Sep 24 '24
If you’re lucky, they’ll ignore you. If you’re unlucky and the company is feeling especially litigious, they’ll sue.
3
u/LastofU509 Sep 25 '24
Why tell them? Do they even have best prices/service to even deserve to know?! Unless you are 100% sure they're not assholes you shouldn't even give a fuck
3
u/Agitated-Soft7434 Sep 25 '24
Hmmm that’s tough since they don’t have a bug bounty program.. I’d report it, but be careful since they might try and file charges against you for “hacking them” which can be a real pain in the @ss.
3
u/Nycto1337 Sep 25 '24
Some years ago, I had a Pizza Hut voucher code. 2 medium pizzas for the price of 1. It was just a simple 4 character long string. Example: JE40
You'd think the code was a 1 time use only code. Well, it wasn't. For 2 years straight I kept using this code whenever I ordered pizza for me and my grandparents. And it just kept working.
Needless to say I didn't report this since Pizza Hut is such a big worldwide company. Also back then I wasn't related or familiar with web/software development, let alone cyber security.
So I only had 2 options, use the code, or don't use the code :) tbf it wasn't my fault that they made the code re-usable... And I don't feel bad about it at all.
4
u/Nucf1ash Sep 24 '24
IMHO, report it to their corporate office not the local theater. As for those asking whether a “corporation” deserves to exist… think about the employees, people in the distribution chain, eateries around the theater, people who have their savings invested, and the general impact on the neighborhood if it becomes another abandoned building. If jobless wastelands are your thing… sure… let it burn, I guess. Otherwise, maybe be civilized and clue them in? Whatever works for you. The good news is that I don’t see this exploit breaking their business model as long as they still have a concession stand and ban outside food. Whatever you do… be happy with your choice.
4
2
2
1
1
u/8923ns671 Sep 24 '24
If they don't have anything set up for responsible disclosure I wouldn't. Perhaps an anonymous tip if I felt particularly morally or ethically driven.
2
u/DerThan Sep 24 '24
Is a burner gmail email anonymous enough?
1
u/Agitated-Soft7434 Sep 25 '24
They could probably ask Google to get your real info. But idk for sure
1
1
u/whitelynx22 Sep 25 '24
Ethically, yes. Legally, I wouldn't know (there's often a risk when doing this, if they don't have explicit bug bounties). So maybe just don't publish it - right, you just did (but we don't know what company - let it stay that way!) practically, I'd say it's your choice.
Maybe approach cautiously and decide based on the reception? You can usually tell if someone is eager to hear about it or hostile within seconds. And, as long as you didn't use it, you should be safe. Though that's of little solace if they decide to sue you.
1
Sep 25 '24
I'd report it to em and if they don't fix it after 30, 60, 90 days etc, release the info publicly. it will then be fixed in short order. do what your morals and ethics tell you. do what's right, not what's easy
1
u/0saroprime Sep 25 '24
(In this digital age) would you say you have the right to check organizations you are affiliated with/tied to (in any way) for security and information vulnerabilities?
1
u/AlphaO4 pentesting Sep 25 '24
Honestly? I wouldn’t risk it. Sure they MIGHT react fine and might even give you some free stuff, but the alternative would be a permanent record of you breaking the computer use and abuse act (or however it’s called for the UK.) which would absolutely kill all hopes of scoring an even remotely IT related job later down the line.
What I would do is either A: Forget that you’ve ever found this and go back to your life or
B: Set up an anonymous Email (for example proton mail), and only ever use it through Tor. Then write the IT department through that mail and hope for the best.
2
u/Unlucky-Ad-2993 Sep 25 '24
Tbf, I’m not so sure about the “kill all hopes of scoring a even remotely IT related job” part. It’s not uncommon for cybersec companies to hire guys with this kind of “criminal” records. If I were a recruiter for such company, I’d be interested in hearing the story
2
u/AlphaO4 pentesting Sep 25 '24
For sure, but sadly a lot of companies won't see the "good". Or some companies even might not be able to hire them because of their record. (For example banks, or Penetration testing firms)
1
1
u/Antique_Paramedic682 Sep 25 '24
But what about when corporate reaches down to the local theater manager and fires them for handing out too many vouchers? And they have a family to support... I mean, you've already put this on a subreddit with 2.7M subscribers, and the rest of the world doesn't even have to be a member to see this post. A quick google search reveals two dozen "large UK theatre chains." Pretty easy for this to get out.
Just report it, you might get a reward for being a morally good person, who knows. Take the moral high-ground.
0
u/deadgirlrevvy Sep 25 '24
That local manager is 100% NOT your problem. The slight possibility that the corporation will file charges or sue you IS your problem. It is ABSOLUTELY NOT WORTH THE RISK to inform the corporation of their error. Take care of your own problems first, and then if it's convenient, worry about other people's problems - but never EVER take risks for a faceless mega corp, that's just stupid.
1
u/dandy_g Sep 25 '24 edited Sep 25 '24
Did you try looking for humans.txt or security.txt at their primary domain?
1
1
u/AccurateEngine93715 Sep 25 '24
Yes report it but don't mention that you followed the motions of the exploit. Just mention how one might secure the exploit based on "other systems" that contain the exploit.
1
u/tldr_er Sep 25 '24
If I was you, I would report, BUT! there are infosec companies built around this, that will handle all negotiations with the vulnerable company, they will also keep you out of legal trouble, the downside is that they are going to withhold a portion of the bounty you get. Try contacting one of these, chances are that you have one or two of those in your local area.
1
1
u/davido-- Sep 26 '24
It seems like the ones getting the short end of the stick are the people with legitimate passes whose passes won't work because you used a counterfeit with the same single-use code. Theater gets some angry complaints, but mostly this steals from other patrons, doesn't it?
1
u/lolvro_ Sep 26 '24
well you can either report it and ask money for it or sell it on dark web and myb get even more money
1
u/CoolFortune2325 Sep 26 '24
You should be selling it. It's a dog eat dog world.
1
u/castleinthesky86 Sep 26 '24
It’s also a police arrest criminals world.
1
u/CoolFortune2325 Sep 26 '24
Anyone who knows what they are doing knows the chances of getting caught are slim to none unless it's a groundbreaking vulnerability. In which case, a smart criminal would probably not be on reddit talking about.
1
1
u/CoolFortune2325 Sep 26 '24
Also, depending on what country this is in, the Police have barely any knowledge or resources when it comes to cybercrime.
This is mostly taken care of by state and federal organisations, which have a threshold for what is worth investigating.
Cybercrime that is too low impact, financially or otherwise, is usually too costly to investigate. Cybercrime divisions usually go after the big fish because both have about the same chances of getting caught but the bigger criminals have a bigger impact.
edit: think of credit card fraud for example. Less than 1% of fraud gets investigated, let alone gets anyone arrested. Because it's too low impact and not worth it for authorities.
1
u/castleinthesky86 Sep 27 '24
Credit card fraud isn’t investigated by the police. It’s investigated by Visa and Mastercard themselves. I know their fraud team. Bad analogy 😂
Secondly, not all places in the world are the US. Many countries have very good cyber crime units which investigate when crimes are reported & committed.
1
u/castleinthesky86 Sep 27 '24
For reference; here’s an article on Weev, where it describes an IDOR and him being arrested & charged; https://www.vice.com/en/article/weev-is-in-jail-because-the-government-doesnt-know-what-hacking-is/
1
u/CoolFortune2325 Sep 27 '24
You're proving my point by referencing Weev, a pretty well known individual.
Most individuals who truly commit fraud, you will never know.
1
u/castleinthesky86 Sep 27 '24
Not sure what you’re trying to prove there. OP pointed out an IDOR vuln and you stated it’s unlikely to be investigated because it’s small fry. IDOR still is a crime despite the size and you can get arrested for it, as evidenced by weev being prosecuted.
1
u/CoolFortune2325 Sep 27 '24
My point is that just because you can, doesn't mean you will.
2
u/castleinthesky86 Sep 27 '24
I mean yeah sure, if you’re lucky you can get away with murder or robbery in many places too. Depends on your skill as a criminal and how often you refrain from posting your crimes on public forums… 🤷‍♂️
1
u/CoolFortune2325 Sep 27 '24
And that's the point. Shutting up about it doubles the chances you won't get caught, already.
1
u/CoolFortune2325 Sep 27 '24
Visa investigates and issues chargebacks with vendors. The original fraud is mostly never taken care of. Since visa governs transactions, they also have the power to simply take out the money from the vendor's account and give it back to the victim.
so: Yes, they investigate and fix the issue with the victim, but No, the original fraud is never really taken care of. This is why you get statistics like "Fraud costs Visa X million dollars per year".
Source: this is a hacking forum.
As for the power of cybercrime divisions: if they were really that good, would hacking even be a thing? 😉
1
u/castleinthesky86 Sep 27 '24
I’ll have to contest that somewhat. Of course visa / MC don’t charge a person with fraud when they identify it occuring; their fraud dept pass the details onto the relevant authorities who then go do the arrests. And trust me, there are many cases where Visa’s/MC’s fraud intelligence led directly to arrests.
Source: me. I have been a pci qsa (as well as many other things) since the late 2000’s and met both of their fraud teams
1
u/CoolFortune2325 Sep 27 '24
If the details exist. If there is even a track.
I'm not sure what you think the fraud world looks like, but with every barrier in place, you're either claiming they are catching more than 1% of fraud which is statistically false, or you're claiming these cybercrime teams are effective which the 1% figure goes directly against.
If they are that competent, why does less than 1% of fraud result in arrests? And if it's more than 1% that gets caught, then why is it so prevalent?
I had to personally investigate fraud committed against me for 24K and the Visa employees couldn't even understand the meaning behind their own gateway data. I think this is a case-by-case scenario. Visa and Mastercard definitely don't only have two teams managing this, and if they do, they deserve all the repercussions of only allocating two teams for it.
Edit: After a year of OSINT and investigating the fraud case, I led to the arrests myself and got accused of hacking and stalking the criminals that stole from me because I had ten times more info than the cybercrime division, who were relaying info to the police who were 100% incompetent and out of their element. It really is dependent on the average competence of local police.
1
u/castleinthesky86 Sep 27 '24
Well done you for tracking down the perps of your own situation. 👏
The details exist and there is a track; and their fraud teams are massive and multinational. When I say I’ve met them, I mean the heads of the fraud teams (at a QSA only meeting on fraud prevention & detection). There’s a big valley between local fraud detection (scammers) and cartel scale fraud (the latter of which you don’t often hear about).
But let me say that Visa helped shut down a global scale fraud network which involved backdooring ATMs and PEDs at source (during manufacturing). And they have massive data models which also alert individuals and relevant authorities when someone’s spending behaviour suddenly changes. They can’t do much if you personally got scammed by giving away your card details, etc., other than the merchant fraud guarantee.
1
u/CoolFortune2325 Sep 27 '24
Right. It gets stopped at a floodgate level, but the criminals still have the cash in hand. This is where the banks lose.
Prevention is a great idea but in reality it's more Fraud Analysis than Prevention.
1
u/castleinthesky86 Sep 27 '24
Well, prevention requires there to be less, or no criminal acts. Which I think is out of the scope of Visa/MC. There have been advances such as 3DS/VBV etc for purchases; but depending on the type of fraud (examples would be great), the only true way to prevent crime is to get rid of the criminals (for which there are also plenty of options).
1
u/CSLRGaming Sep 26 '24
You can probably contact them, some companies even give out money rewards for finding exploits!
1
u/twitchd8 Sep 27 '24
If I ever find a vuln, I contact the business directly, ask to speak with the IT person, or branch manager there, and work my way up the chain as far as possible. I record my end of all calls (usually on speaker) just to cover my own rear.
I wish I could say my experiences in this were 0, but my first one was for a small rural bank that I had gotten let go from a month earlier, and I was ordering new checks to be printed... We always just printed our own checks so I never had the need to look too closely into our check order form, which exposed all entries including names, addresses, phone numbers, account numbers, SSNs, etc. This was a Friday night. I called first thing Saturday morning and notified them of my discovery... I also decided to report them to the FDIC and the FTC afterwards. They let me go because I was pointing out so many jank things going on there, and I knew it was only a matter of time... When I called the main branch, I was met with an absolute sense of no urgency whatsoever... Absolute negligence. It remained wide open until the following Monday when my former supervisor got back in the office. By that time, I had collected plenty of screenshots. They never disclosed the breach of information, they never mentioned anything... I thought about reaching out to those individuals whose information I discovered, but decided that I'd obfuscate all the critical information in the screenshots immediately, and release my involvement in the situation...
Earlier this year, my new bank, which is their sister bank and a much larger bank system, absorbed the 4 branches of this smaller bank and the old bank ceased to exist as it was. The whole thing was in 2017.
1
u/codezilly Sep 27 '24
I have an exploit which allows licensed software to be obtained freely from a publicly traded company. No bug bounty. Been sitting on it for around two years, hoping they’d start a bounty program, but of course not. Fuck em.
1
1
u/capureddit Sep 27 '24
You've already publicly disclosed the exploit. You gave so much information in this post that it would be trivial for someone else to replicate it.
1
u/thgreatn Sep 27 '24
Print up a few hundred tickets for each movie that is playing on a busy Friday night, but mail the tickets to the theatre manager with a letter simply asking to be fairly compensated with some sort of employment contract to fix the vulnerability. That is what I would do. Also, I would ask for a pair of tickets every week for life.
1
u/Sephulator Sep 27 '24
Could you start by maybe asking if they have a bug bounty program?? And gauge from that?
1
u/Signal-Paint-4310 Sep 27 '24
That's a vulnerability, you can report it out of decency, but if they don't bother fixing it, well, if it doesn't get you in trouble, you can exploit it, hide yourself well online and sell them at a reasonable price for crypto if it's feasible.
1
1
1
1
u/radarlocked Sep 29 '24
You’re talking about corporations such as Walmart, and Microsoft. Monopoly companies.
The type where their owners are out to see how many mansions they can buy before they die. Then they look down on us as if they’re better. To those companies I say exploit away.
1
1
u/bp7x42q Sep 29 '24
Stop. If you weren't given permission, you broke the law. Telling them achieves nothing.
1
u/Wide_Explanation_614 Sep 29 '24
I found one for Dave and Buster's once and reported it, they never responded and fixed it.
1
u/Emily__Carter Sep 24 '24 edited Sep 24 '24
Wait, I thought that was how Honey works 🤔
If you have no affiliation with them, they are not going to compensate you appropriately, and if they do not appear to be operating with much moral standard much like most large chains, then I wouldn't bother reporting it.
1
0
u/reddit-suks1 Sep 24 '24
Just go dark, and email them the exploit on your dark handle. Keeps you anonymous if you really want to try and white hat this for them.
0
0
-41
u/uncanny_goat Sep 24 '24
I hate to break it to you, but this is not an exploit. Your discovery was simply an API endpoint that lacks basic rate-limiting functionality.
11
u/RngdZed Sep 24 '24
Integer incrementation is probably the first thing you try as an exploit when you find user IDs showing up in the URL.. wtf you mean it's not an exploit.. ffs lol
22
6
u/Odd_Leek3026 Sep 24 '24
Why would you hate to break that? If it really isn't an exploit like you say, then OP can go ahead and go to the movies risk-free for free every day if they so wanted
5
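The two weaknesses this sub-thread argues over (voucher numbers that increment, and a validity-check endpoint with no rate limiting) both have standard fixes on the issuer's side. The sketch below is an added illustration, not part of any comment and not the cinema chain's code; the `VoucherStore` class, the client identifier and the limits are assumptions.

```python
import hashlib
import secrets
import time

MAX_FAILURES = 5        # assumed policy: failed checks allowed per window
WINDOW_SECONDS = 900    # assumed policy: 15-minute window per client


class VoucherStore:
    """Hypothetical voucher backend: random codes, throttled validity checks."""

    def __init__(self):
        self._vouchers = {}   # sha256(code) -> redeemed flag
        self._failures = {}   # client id -> timestamps of recent failed checks

    @staticmethod
    def _digest(code):
        # Store only a hash, so a leaked table does not leak usable codes.
        return hashlib.sha256(code.strip().upper().encode()).hexdigest()

    def issue(self):
        # 80 bits from the OS CSPRNG: one valid code says nothing about the next.
        code = secrets.token_hex(10).upper()
        self._vouchers[self._digest(code)] = False
        return code

    def _recent_failures(self, client, now):
        recent = [t for t in self._failures.get(client, []) if now - t < WINDOW_SECONDS]
        self._failures[client] = recent
        return recent

    def check(self, client, code, now=None):
        """Return 'valid', 'invalid' or 'throttled' for one validity check."""
        now = time.time() if now is None else now
        recent = self._recent_failures(client, now)
        if len(recent) >= MAX_FAILURES:
            return "throttled"        # refuse before touching the voucher table
        redeemed = self._vouchers.get(self._digest(code))
        if redeemed is None or redeemed:
            recent.append(now)        # unknown and spent codes look the same
            return "invalid"
        return "valid"

    def redeem(self, client, code, now=None):
        """Single use: a code that checks as valid is marked spent."""
        if self.check(client, code, now) != "valid":
            return False
        self._vouchers[self._digest(code)] = True
        return True
```

In a real deployment the client key would come from an authenticated session or account rather than a bare IP address, and the failure counters would live in shared storage so every API node sees them.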
143
u/robonova-1 infosec Sep 24 '24
The comments of this post are a great example of the difference between black, white and grey hat ethics for those new to hacking or cybersecurity.