GNU/Weeb Mailing List <[email protected]>
* gwcfd v2?
@ 2023-11-20 22:08 Alviro Iskandar Setiawan
  2023-11-20 22:21 ` Ammar Faizi
  2023-11-20 23:37 ` Louvian Lyndal
  0 siblings, 2 replies; 15+ messages in thread
From: Alviro Iskandar Setiawan @ 2023-11-20 22:08 UTC (permalink / raw)
  To: GNU/Weeb Mailing List, GNU/Weeb Facebook Team
  Cc: Ammar Faizi, Michael William Jonathan, Louvian Lyndal

following this post up:
https://www.facebook.com/groups/gnuweeb/posts/906959301003331

There's a rumor that the current CF ticketing system is vulnerable (
https://ticket2u.id ). Will the GNU/Weeb security team assess it?

It's a good time to warm up our security skills. Targeting small
businesses is always easier than big companies like Google, Facebook,
etc.

tq

-- Viro

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: gwcfd v2?
From: Ammar Faizi @ 2023-11-20 22:21 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team,
	Michael William Jonathan, Louvian Lyndal

On Tue, Nov 21, 2023 at 05:08:25AM +0700, Alviro Iskandar Setiawan wrote:
> following this post up:
> https://www.facebook.com/groups/gnuweeb/posts/906959301003331
> 
> There's a rumor that the current CF ticketing system is vulnerable (
> https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> 
> It's a good time to warm up our security skills. Targeting small
> businesses is always easier than big companies like Google, Facebook,
> etc.

Let's give it a whirl!

-- 
Ammar Faizi


* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-20 23:37 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> There's a rumor that the current CF ticketing system is vulnerable (
> https://ticket2u.id ). Will the GNU/Weeb security team assess it?

I'll give you some samples so you can be sure it's real.

* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-20 23:46 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > There's a rumor that the current CF ticketing system is vulnerable (
> > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
>
> I'll give you some samples so you can be sure it's real.

Here you go:
http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/

It contains many events, not only CF. Your job is to create an OCR
program to classify those tickets (group by event) and extract user
identities.

* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21  3:23 UTC (permalink / raw)
  To: Louvian Lyndal
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > There's a rumor that the current CF ticketing system is vulnerable (
> > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> >
> > I'll give you some samples so you can be sure it's real.
>
> Here you go:
> http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
>
> It contains many events, not only CF. Your job is to create an OCR
> program to classify those tickets (group by event). And extract user
> identities.

Ack, that's real.

-- Viro

* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21  3:42 UTC (permalink / raw)
  To: Louvian Lyndal
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > >
> > > I'll give you some samples so you can be sure it's real.
> >
> > Here you go:
> > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> >
> > It contains many events, not only CF. Your job is to create an OCR
> > program to classify those tickets (group by event). And extract user
> > identities.
>
> Ack, that's real.

BTW, it's tiring to filter those out as I have not been able to
identify them programmatically. So far I couldn't find any CF tickets.
Could you please send a valid CF sample? Not expired tickets.

tq

-- Viro

* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-21  3:52 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > >
> > > > I'll give you some samples so you can be sure it's real.
> > >
> > > Here you go:
> > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > >
> > > It contains many events, not only CF. Your job is to create an OCR
> > > program to classify those tickets (group by event). And extract user
> > > identities.
> >
> > Ack, that's real.
>
> BTW, it's tiring to filter those out as I have not been able to
> identify them programmatically. So far I couldn't find any CF tickets,

Neither have I.

> could you please send a valid CF sample? Not expired tickets.

I found one:
https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf

Don't have time to dig through all of that.

* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21  3:58 UTC (permalink / raw)
  To: Louvian Lyndal
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > >
> > > > > I'll give you some samples so you can be sure it's real.
> > > >
> > > > Here you go:
> > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > >
> > > > It contains many events, not only CF. Your job is to create an OCR
> > > > program to classify those tickets (group by event). And extract user
> > > > identities.
> > >
> > > Ack, that's real.
> >
> > BTW, it's tiring to filter those out as I have not been able to
> > identify them programmatically. So far I couldn't find any CF tickets,
>
> Neither have I.
>
> > could you please send a valid CF sample? Not expired tickets.
>
> I found one:
> https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf

Your claim is real.

tq tq, will put more effort into creating a program that helps this research

-- Viro

* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-21  4:06 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > >
> > > > > > I'll give you some samples so you can be sure it's real.
> > > > >
> > > > > Here you go:
> > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > >
> > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > program to classify those tickets (group by event). And extract user
> > > > > identities.
> > > >
> > > > Ack, that's real.
> > >
> > > BTW, it's tiring to filter those out as I have not been able to
> > > identify them programmatically. So far I couldn't find any CF tickets,
> >
> > Neither have I.
> >
> > > could you please send a valid CF sample? Not expired tickets.
> >
> > I found one:
> > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
>
> your claim is real
>
> tq tq, will give more effort on creating a program that helps this research

Note that you cannot report this to Comifuro admins until you manage
to create a filter to collect only CF tickets. After that, you must be
able to extract user private information from the ticket to make the
severity higher. Once everything is settled up, I will give you all of
the dumps I collected (I'm still collecting newly generated tickets
now).

* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21  4:24 UTC (permalink / raw)
  To: Louvian Lyndal
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > >
> > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > >
> > > > > > Here you go:
> > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > >
> > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > program to classify those tickets (group by event). And extract user
> > > > > > identities.
> > > > >
> > > > > Ack, that's real.
> > > >
> > > > BTW, it's tiring to filter those out as I have not been able to
> > > > identify them programmatically. So far I couldn't find any CF tickets,
> > >
> > > Neither have I.
> > >
> > > > could you please send a valid CF sample? Not expired tickets.
> > >
> > > I found one:
> > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> >
> > your claim is real
> >
> > tq tq, will give more effort on creating a program that helps this research
>
> Note that you cannot report this to Comifuro admins until you manage
> to create a filter to collect only CF tickets. After that, you must be
> able to extract user private information from the ticket to make the
> severity higher. Once everything is settled up, I will give you all of
> the dumps I collected (I'm still collecting newly generated tickets
> now).

gud deal, oracle hacker

-- Viro

* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-21 13:44 UTC (permalink / raw)
  To: Alviro Iskandar Setiawan
  Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > >
> > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > >
> > > > > > > Here you go:
> > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > >
> > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > identities.
> > > > > >
> > > > > > Ack, that's real.
> > > > >
> > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > >
> > > > Neither have I.
> > > >
> > > > > could you please send a valid CF sample? Not expired tickets.
> > > >
> > > > I found one:
> > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > >
> > > your claim is real
> > >
> > > tq tq, will give more effort on creating a program that helps this research
> >
> > Note that you cannot report this to Comifuro admins until you manage
> > to create a filter to collect only CF tickets. After that, you must be
> > able to extract user private information from the ticket to make the
> > severity higher. Once everything is settled up, I will give you all of
> > the dumps I collected (I'm still collecting newly generated tickets
> > now).
>
> gud deal, oracle hacker

We're late, the vulnerable endpoint has officially retired, closing
its doors to negotiations. We're at a standstill unless a new
vulnerability decides to grace us with its presence.

* Re: gwcfd v2?
From: Ammar Faizi @ 2023-11-21 14:03 UTC (permalink / raw)
  To: Louvian Lyndal
  Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List,
	GNU/Weeb Facebook Team, Michael William Jonathan

On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > >
> > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > >
> > > > > > > > Here you go:
> > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > >
> > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > identities.
> > > > > > >
> > > > > > > Ack, that's real.
> > > > > >
> > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > >
> > > > > Neither have I.
> > > > >
> > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > >
> > > > > I found one:
> > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > >
> > > > your claim is real
> > > >
> > > > tq tq, will give more effort on creating a program that helps this research
> > >
> > > Note that you cannot report this to Comifuro admins until you manage
> > > to create a filter to collect only CF tickets. After that, you must be
> > > able to extract user private information from the ticket to make the
> > > severity higher. Once everything is settled up, I will give you all of
> > > the dumps I collected (I'm still collecting newly generated tickets
> > > now).
> >
> > gud deal, oracle hacker
> 
> We're late, the vulnerable endpoint has officially retired, closing
> its doors to negotiations. We're at a standstill unless a new
> vulnerability decides to grace us with its presence.

Uh oh, that was fast. I love how the ticket2u team reacted quickly.
Deploying a fix immediately like ticket2u did is a good job. Kudos
to the ticket2u team.

Did you know? It was not the case with Kiostix, who took a holiday as an
excuse. Their fix was also horrible and not professional.

Extra Kiostix nonsense story bonus:
When Michael W. and I met them face-to-face at the venue, they said they
could detect fraud using their feelings (they used such a nonsense
sentence as an excuse not to revoke the already leaked tickets).

-- 
Ammar Faizi


* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-21 14:13 UTC (permalink / raw)
  To: Ammar Faizi
  Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List,
	GNU/Weeb Facebook Team, Michael William Jonathan

On Tue, Nov 21, 2023 at 9:04 PM Ammar Faizi wrote:
> On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > > >
> > > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > > >
> > > > > > > > > Here you go:
> > > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > > >
> > > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > > identities.
> > > > > > > >
> > > > > > > > Ack, that's real.
> > > > > > >
> > > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > > >
> > > > > > Neither have I.
> > > > > >
> > > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > > >
> > > > > > I found one:
> > > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > > >
> > > > > your claim is real
> > > > >
> > > > > tq tq, will give more effort on creating a program that helps this research
> > > >
> > > > Note that you cannot report this to Comifuro admins until you manage
> > > > to create a filter to collect only CF tickets. After that, you must be
> > > > able to extract user private information from the ticket to make the
> > > > severity higher. Once everything is settled up, I will give you all of
> > > > the dumps I collected (I'm still collecting newly generated tickets
> > > > now).
> > >
> > > gud deal, oracle hacker
> >
> > We're late, the vulnerable endpoint has officially retired, closing
> > its doors to negotiations. We're at a standstill unless a new
> > vulnerability decides to grace us with its presence.
>
> Uh oh, that was fast. I love how the ticket2u team reacted quickly.
> Deploying a fix immediately like what ticket2u did is a good job. Kudos
> for ticket2u team.
>
> Did you know? It was not the case with Kiostix who took holiday as an
> excuse. Their fix was also horrible and not professional.
>
> Extra Kiostix non-sense story bonus:
> When I and Michael W. met them face-to-face at the venue, they said they
> could detect a fraud using their feeling (they used such a non-sense
> sentence as an excuse not to revoke the already leaked tickets).

How much bug bounty did you get?

* Re: gwcfd v2?
From: Ammar Faizi @ 2023-11-21 14:27 UTC (permalink / raw)
  To: Louvian Lyndal
  Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List,
	GNU/Weeb Facebook Team, Michael William Jonathan

On Tue, Nov 21, 2023 at 09:13:49PM +0700, Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 9:04 PM Ammar Faizi wrote:
> > On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > > > >
> > > > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > > > >
> > > > > > > > > > Here you go:
> > > > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > > > >
> > > > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > > > identities.
> > > > > > > > >
> > > > > > > > > Ack, that's real.
> > > > > > > >
> > > > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > > > >
> > > > > > > Neither have I.
> > > > > > >
> > > > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > > > >
> > > > > > > I found one:
> > > > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > > > >
> > > > > > your claim is real
> > > > > >
> > > > > > tq tq, will give more effort on creating a program that helps this research
> > > > >
> > > > > Note that you cannot report this to Comifuro admins until you manage
> > > > > to create a filter to collect only CF tickets. After that, you must be
> > > > > able to extract user private information from the ticket to make the
> > > > > severity higher. Once everything is settled up, I will give you all of
> > > > > the dumps I collected (I'm still collecting newly generated tickets
> > > > > now).
> > > >
> > > > gud deal, oracle hacker
> > >
> > > We're late, the vulnerable endpoint has officially retired, closing
> > > its doors to negotiations. We're at a standstill unless a new
> > > vulnerability decides to grace us with its presence.
> >
> > Uh oh, that was fast. I love how the ticket2u team reacted quickly.
> > Deploying a fix immediately like what ticket2u did is a good job. Kudos
> > for ticket2u team.
> >
> > Did you know? It was not the case with Kiostix who took holiday as an
> > excuse. Their fix was also horrible and not professional.
> >
> > Extra Kiostix non-sense story bonus:
> > When I and Michael W. met them face-to-face at the venue, they said they
> > could detect a fraud using their feeling (they used such a non-sense
> > sentence as an excuse not to revoke the already leaked tickets).
> 
> How much bug bounty did you get?

I didn't get any bug bounty, but they bought us food and drink at the
venue. Apart from that, Michael W. and Alviro were given a certificate.
It's a paper that says they've contributed to the Kiostix system by
reporting a bug.

-- 
Ammar Faizi


* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21 14:39 UTC (permalink / raw)
  To: Louvian Lyndal
  Cc: Ammar Faizi, GNU/Weeb Mailing List, GNU/Weeb Facebook Team,
	Michael William Jonathan

On Tue, Nov 21, 2023 at 9:14 PM Louvian Lyndal wrote:
> How much bug bounty did you get?

I got a piece of paper.

-- Viro
