* gwcfd v2?
@ 2023-11-20 22:08 Alviro Iskandar Setiawan
2023-11-20 22:21 ` Ammar Faizi
2023-11-20 23:37 ` Louvian Lyndal
0 siblings, 2 replies; 15+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-11-20 22:08 UTC (permalink / raw)
To: GNU/Weeb Mailing List, GNU/Weeb Facebook Team
Cc: Ammar Faizi, Michael William Jonathan, Louvian Lyndal
following this post up:
https://www.facebook.com/groups/gnuweeb/posts/906959301003331
There's a rumor that the current CF ticketing system is vulnerable (
https://ticket2u.id ). Will the GNU/Weeb security team assess it?
It's a good time to warm up our security skills. Targeting small
businesses is always easier than big companies like Google, Facebook,
etc.
tq
-- Viro
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-20 22:08 gwcfd v2? Alviro Iskandar Setiawan
@ 2023-11-20 22:21 ` Ammar Faizi
2023-11-20 23:37 ` Louvian Lyndal
1 sibling, 0 replies; 15+ messages in thread
From: Ammar Faizi @ 2023-11-20 22:21 UTC (permalink / raw)
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team,
Michael William Jonathan, Louvian Lyndal
On Tue, Nov 21, 2023 at 05:08:25AM +0700, Alviro Iskandar Setiawan wrote:
> following this post up:
> https://www.facebook.com/groups/gnuweeb/posts/906959301003331
>
> There's a rumor that the current CF ticketing system is vulnerable (
> https://ticket2u.id ). Will the GNU/Weeb security team assess it?
>
> It's a good time to warm up our security skills. Targeting small
> businesses is always easier than big companies like Google, Facebook,
> etc.
Let's give it a whirl!
--
Ammar Faizi
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-20 22:08 gwcfd v2? Alviro Iskandar Setiawan
2023-11-20 22:21 ` Ammar Faizi
@ 2023-11-20 23:37 ` Louvian Lyndal
2023-11-20 23:46 ` Louvian Lyndal
1 sibling, 1 reply; 15+ messages in thread
From: Louvian Lyndal @ 2023-11-20 23:37 UTC (permalink / raw)
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> There's a rumor that the current CF ticketing system is vulnerable (
> https://ticket2u.id ). Will the GNU/Weeb security team assess it?
I'll give you some samples so you can be sure it's real.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-20 23:37 ` Louvian Lyndal
@ 2023-11-20 23:46 ` Louvian Lyndal
2023-11-21 3:23 ` Alviro Iskandar Setiawan
0 siblings, 1 reply; 15+ messages in thread
From: Louvian Lyndal @ 2023-11-20 23:46 UTC (permalink / raw)
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > There's a rumor that the current CF ticketing system is vulnerable (
> > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
>
> I'll give you some samples so you can be sure it's real.
Here you go:
http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
It contains many events, not only CF. Your job is to create an OCR
program to classify those tickets (group by event). And extract user
identities.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-20 23:46 ` Louvian Lyndal
@ 2023-11-21 3:23 ` Alviro Iskandar Setiawan
2023-11-21 3:42 ` Alviro Iskandar Setiawan
0 siblings, 1 reply; 15+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-11-21 3:23 UTC (permalink / raw)
To: Louvian Lyndal
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > There's a rumor that the current CF ticketing system is vulnerable (
> > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> >
> > I'll give you some samples so you can be sure it's real.
>
> Here you go:
> http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
>
> It contains many events, not only CF. Your job is to create an OCR
> program to classify those tickets (group by event). And extract user
> identities.
Ack, that's real.
-- Viro
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 3:23 ` Alviro Iskandar Setiawan
@ 2023-11-21 3:42 ` Alviro Iskandar Setiawan
2023-11-21 3:52 ` Louvian Lyndal
0 siblings, 1 reply; 15+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-11-21 3:42 UTC (permalink / raw)
To: Louvian Lyndal
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > >
> > > I'll give you some samples so you can be sure it's real.
> >
> > Here you go:
> > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> >
> > It contains many events, not only CF. Your job is to create an OCR
> > program to classify those tickets (group by event). And extract user
> > identities.
>
> Ack, that's real.
BTW, it's tiring to filter those out as I have not been able to
identify them programmatically. So far I couldn't find any CF tickets,
could you please send a valid CF sample? Not expired tickets.
tq
-- Viro
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 3:42 ` Alviro Iskandar Setiawan
@ 2023-11-21 3:52 ` Louvian Lyndal
2023-11-21 3:58 ` Alviro Iskandar Setiawan
0 siblings, 1 reply; 15+ messages in thread
From: Louvian Lyndal @ 2023-11-21 3:52 UTC (permalink / raw)
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > >
> > > > I'll give you some samples so you can be sure it's real.
> > >
> > > Here you go:
> > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > >
> > > It contains many events, not only CF. Your job is to create an OCR
> > > program to classify those tickets (group by event). And extract user
> > > identities.
> >
> > Ack, that's real.
>
> BTW, it's tiring to filter those out as I have not been able to
> identify them programmatically. So far I couldn't find any CF tickets,
Neither have I.
> could you please send a valid CF sample? Not expired tickets.
I found one:
https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
Don't have time to dig through all of that.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 3:52 ` Louvian Lyndal
@ 2023-11-21 3:58 ` Alviro Iskandar Setiawan
2023-11-21 4:06 ` Louvian Lyndal
0 siblings, 1 reply; 15+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-11-21 3:58 UTC (permalink / raw)
To: Louvian Lyndal
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > >
> > > > > I'll give you some samples so you can be sure it's real.
> > > >
> > > > Here you go:
> > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > >
> > > > It contains many events, not only CF. Your job is to create an OCR
> > > > program to classify those tickets (group by event). And extract user
> > > > identities.
> > >
> > > Ack, that's real.
> >
> > BTW, it's tiring to filter those out as I have not been able to
> > identify them programmatically. So far I couldn't find any CF tickets,
>
> Neither have I.
>
> > could you please send a valid CF sample? Not expired tickets.
>
> I found one:
> https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
your claim is real
tq tq, will give more effort on creating a program that helps this research
-- Viro
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 3:58 ` Alviro Iskandar Setiawan
@ 2023-11-21 4:06 ` Louvian Lyndal
2023-11-21 4:24 ` Alviro Iskandar Setiawan
0 siblings, 1 reply; 15+ messages in thread
From: Louvian Lyndal @ 2023-11-21 4:06 UTC (permalink / raw)
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > >
> > > > > > I'll give you some samples so you can be sure it's real.
> > > > >
> > > > > Here you go:
> > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > >
> > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > program to classify those tickets (group by event). And extract user
> > > > > identities.
> > > >
> > > > Ack, that's real.
> > >
> > > BTW, it's tiring to filter those out as I have not been able to
> > > identify them programmatically. So far I couldn't find any CF tickets,
> >
> > Neither have I.
> >
> > > could you please send a valid CF sample? Not expired tickets.
> >
> > I found one:
> > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
>
> your claim is real
>
> tq tq, will give more effort on creating a program that helps this research
Note that you cannot report this to Comifuro admins until you manage
to create a filter to collect only CF tickets. After that, you must be
able to extract user private information from the ticket to make the
severity higher. Once everything is settled up, I will give you all of
the dumps I collected (I'm still collecting newly generated tickets
now).
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 4:06 ` Louvian Lyndal
@ 2023-11-21 4:24 ` Alviro Iskandar Setiawan
2023-11-21 13:44 ` Louvian Lyndal
0 siblings, 1 reply; 15+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-11-21 4:24 UTC (permalink / raw)
To: Louvian Lyndal
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > >
> > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > >
> > > > > > Here you go:
> > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > >
> > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > program to classify those tickets (group by event). And extract user
> > > > > > identities.
> > > > >
> > > > > Ack, that's real.
> > > >
> > > > BTW, it's tiring to filter those out as I have not been able to
> > > > identify them programmatically. So far I couldn't find any CF tickets,
> > >
> > > Neither have I.
> > >
> > > > could you please send a valid CF sample? Not expired tickets.
> > >
> > > I found one:
> > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> >
> > your claim is real
> >
> > tq tq, will give more effort on creating a program that helps this research
>
> Note that you cannot report this to Comifuro admins until you manage
> to create a filter to collect only CF tickets. After that, you must be
> able to extract user private information from the ticket to make the
> severity higher. Once everything is settled up, I will give you all of
> the dumps I collected (I'm still collecting newly generated tickets
> now).
gud deal, oracle hacker
-- Viro
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 4:24 ` Alviro Iskandar Setiawan
@ 2023-11-21 13:44 ` Louvian Lyndal
2023-11-21 14:03 ` Ammar Faizi
0 siblings, 1 reply; 15+ messages in thread
From: Louvian Lyndal @ 2023-11-21 13:44 UTC (permalink / raw)
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
Michael William Jonathan
On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > >
> > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > >
> > > > > > > Here you go:
> > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > >
> > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > identities.
> > > > > >
> > > > > > Ack, that's real.
> > > > >
> > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > >
> > > > Neither have I.
> > > >
> > > > > could you please send a valid CF sample? Not expired tickets.
> > > >
> > > > I found one:
> > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > >
> > > your claim is real
> > >
> > > tq tq, will give more effort on creating a program that helps this research
> >
> > Note that you cannot report this to Comifuro admins until you manage
> > to create a filter to collect only CF tickets. After that, you must be
> > able to extract user private information from the ticket to make the
> > severity higher. Once everything is settled up, I will give you all of
> > the dumps I collected (I'm still collecting newly generated tickets
> > now).
>
> gud deal, oracle hacker
We're late, the vulnerable endpoint has officially retired, closing
its doors to negotiations. We're at a standstill unless a new
vulnerability decides to grace us with its presence.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 13:44 ` Louvian Lyndal
@ 2023-11-21 14:03 ` Ammar Faizi
2023-11-21 14:13 ` Louvian Lyndal
0 siblings, 1 reply; 15+ messages in thread
From: Ammar Faizi @ 2023-11-21 14:03 UTC (permalink / raw)
To: Louvian Lyndal
Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List,
GNU/Weeb Facebook Team, Michael William Jonathan
On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > >
> > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > >
> > > > > > > > Here you go:
> > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > >
> > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > identities.
> > > > > > >
> > > > > > > Ack, that's real.
> > > > > >
> > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > >
> > > > > Neither have I.
> > > > >
> > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > >
> > > > > I found one:
> > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > >
> > > > your claim is real
> > > >
> > > > tq tq, will give more effort on creating a program that helps this research
> > >
> > > Note that you cannot report this to Comifuro admins until you manage
> > > to create a filter to collect only CF tickets. After that, you must be
> > > able to extract user private information from the ticket to make the
> > > severity higher. Once everything is settled up, I will give you all of
> > > the dumps I collected (I'm still collecting newly generated tickets
> > > now).
> >
> > gud deal, oracle hacker
>
> We're late, the vulnerable endpoint has officially retired, closing
> its doors to negotiations. We're at a standstill unless a new
> vulnerability decides to grace us with its presence.
Uh oh, that was fast. I love how the ticket2u team reacted quickly.
Deploying a fix immediately like what ticket2u did is a good job. Kudos
for ticket2u team.
Did you know? It was not the case with Kiostix who took holiday as an
excuse. Their fix was also horrible and not professional.
Extra Kiostix non-sense story bonus:
When I and Michael W. met them face-to-face at the venue, they said they
could detect a fraud using their feeling (they used such a non-sense
sentence as an excuse not to revoke the already leaked tickets).
--
Ammar Faizi
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 14:03 ` Ammar Faizi
@ 2023-11-21 14:13 ` Louvian Lyndal
2023-11-21 14:27 ` Ammar Faizi
2023-11-21 14:39 ` Alviro Iskandar Setiawan
0 siblings, 2 replies; 15+ messages in thread
From: Louvian Lyndal @ 2023-11-21 14:13 UTC (permalink / raw)
To: Ammar Faizi
Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List,
GNU/Weeb Facebook Team, Michael William Jonathan
On Tue, Nov 21, 2023 at 9:04 PM Ammar Faizi wrote:
> On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > > >
> > > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > > >
> > > > > > > > > Here you go:
> > > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > > >
> > > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > > identities.
> > > > > > > >
> > > > > > > > Ack, that's real.
> > > > > > >
> > > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > > >
> > > > > > Neither have I.
> > > > > >
> > > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > > >
> > > > > > I found one:
> > > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > > >
> > > > > your claim is real
> > > > >
> > > > > tq tq, will give more effort on creating a program that helps this research
> > > >
> > > > Note that you cannot report this to Comifuro admins until you manage
> > > > to create a filter to collect only CF tickets. After that, you must be
> > > > able to extract user private information from the ticket to make the
> > > > severity higher. Once everything is settled up, I will give you all of
> > > > the dumps I collected (I'm still collecting newly generated tickets
> > > > now).
> > >
> > > gud deal, oracle hacker
> >
> > We're late, the vulnerable endpoint has officially retired, closing
> > its doors to negotiations. We're at a standstill unless a new
> > vulnerability decides to grace us with its presence.
>
> Uh oh, that was fast. I love how the ticket2u team reacted quickly.
> Deploying a fix immediately like what ticket2u did is a good job. Kudos
> for ticket2u team.
>
> Did you know? It was not the case with Kiostix who took holiday as an
> excuse. Their fix was also horrible and not professional.
>
> Extra Kiostix non-sense story bonus:
> When I and Michael W. met them face-to-face at the venue, they said they
> could detect a fraud using their feeling (they used such a non-sense
> sentence as an excuse not to revoke the already leaked tickets).
How much bug bounty did you get?
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 14:13 ` Louvian Lyndal
@ 2023-11-21 14:27 ` Ammar Faizi
2023-11-21 14:39 ` Alviro Iskandar Setiawan
1 sibling, 0 replies; 15+ messages in thread
From: Ammar Faizi @ 2023-11-21 14:27 UTC (permalink / raw)
To: Louvian Lyndal
Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List,
GNU/Weeb Facebook Team, Michael William Jonathan
On Tue, Nov 21, 2023 at 09:13:49PM +0700, Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 9:04 PM Ammar Faizi wrote:
> > On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > > > >
> > > > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > > > >
> > > > > > > > > > Here you go:
> > > > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > > > >
> > > > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > > > identities.
> > > > > > > > >
> > > > > > > > > Ack, that's real.
> > > > > > > >
> > > > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > > > >
> > > > > > > Neither have I.
> > > > > > >
> > > > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > > > >
> > > > > > > I found one:
> > > > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > > > >
> > > > > > your claim is real
> > > > > >
> > > > > > tq tq, will give more effort on creating a program that helps this research
> > > > >
> > > > > Note that you cannot report this to Comifuro admins until you manage
> > > > > to create a filter to collect only CF tickets. After that, you must be
> > > > > able to extract user private information from the ticket to make the
> > > > > severity higher. Once everything is settled up, I will give you all of
> > > > > the dumps I collected (I'm still collecting newly generated tickets
> > > > > now).
> > > >
> > > > gud deal, oracle hacker
> > >
> > > We're late, the vulnerable endpoint has officially retired, closing
> > > its doors to negotiations. We're at a standstill unless a new
> > > vulnerability decides to grace us with its presence.
> >
> > Uh oh, that was fast. I love how the ticket2u team reacted quickly.
> > Deploying a fix immediately like what ticket2u did is a good job. Kudos
> > for ticket2u team.
> >
> > Did you know? It was not the case with Kiostix who took holiday as an
> > excuse. Their fix was also horrible and not professional.
> >
> > Extra Kiostix non-sense story bonus:
> > When I and Michael W. met them face-to-face at the venue, they said they
> > could detect a fraud using their feeling (they used such a non-sense
> > sentence as an excuse not to revoke the already leaked tickets).
>
> How much bug bounty did you get?
I didn't get any bug bounty, but they bought us food and drink at the
venue. Apart from that, Michael W. and Alviro were given a certificate.
It's a paper that says they've contributed to the Kiostix system by
reporting a bug.
--
Ammar Faizi
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: gwcfd v2?
2023-11-21 14:13 ` Louvian Lyndal
2023-11-21 14:27 ` Ammar Faizi
@ 2023-11-21 14:39 ` Alviro Iskandar Setiawan
1 sibling, 0 replies; 15+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-11-21 14:39 UTC (permalink / raw)
To: Louvian Lyndal
Cc: Ammar Faizi, GNU/Weeb Mailing List, GNU/Weeb Facebook Team,
Michael William Jonathan
On Tue, Nov 21, 2023 at 9:14 PM Louvian Lyndal wrote:
> How much bug bounty did you get?
I got a piece of paper.
-- Viro
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2023-11-21 14:39 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-20 22:08 gwcfd v2? Alviro Iskandar Setiawan
2023-11-20 22:21 ` Ammar Faizi
2023-11-20 23:37 ` Louvian Lyndal
2023-11-20 23:46 ` Louvian Lyndal
2023-11-21 3:23 ` Alviro Iskandar Setiawan
2023-11-21 3:42 ` Alviro Iskandar Setiawan
2023-11-21 3:52 ` Louvian Lyndal
2023-11-21 3:58 ` Alviro Iskandar Setiawan
2023-11-21 4:06 ` Louvian Lyndal
2023-11-21 4:24 ` Alviro Iskandar Setiawan
2023-11-21 13:44 ` Louvian Lyndal
2023-11-21 14:03 ` Ammar Faizi
2023-11-21 14:13 ` Louvian Lyndal
2023-11-21 14:27 ` Ammar Faizi
2023-11-21 14:39 ` Alviro Iskandar Setiawan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox