* gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-20 22:08 UTC
To: GNU/Weeb Mailing List, GNU/Weeb Facebook Team
Cc: Ammar Faizi, Michael William Jonathan, Louvian Lyndal

Following this post up:
https://www.facebook.com/groups/gnuweeb/posts/906959301003331

There's a rumor that the current CF ticketing system is vulnerable
(https://ticket2u.id). Will the GNU/Weeb security team assess it?

It's a good time to warm up our security skills. Targeting small
businesses is always easier than big companies like Google, Facebook,
etc.

tq

--
Viro
* Re: gwcfd v2?
From: Ammar Faizi @ 2023-11-20 22:21 UTC
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Michael William Jonathan, Louvian Lyndal

On Tue, Nov 21, 2023 at 05:08:25AM +0700, Alviro Iskandar Setiawan wrote:
> Following this post up:
> https://www.facebook.com/groups/gnuweeb/posts/906959301003331
>
> There's a rumor that the current CF ticketing system is vulnerable
> (https://ticket2u.id). Will the GNU/Weeb security team assess it?
>
> It's a good time to warm up our security skills. Targeting small
> businesses is always easier than big companies like Google, Facebook,
> etc.

Let's give it a whirl!

--
Ammar Faizi
* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-20 23:37 UTC
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> There's a rumor that the current CF ticketing system is vulnerable
> (https://ticket2u.id). Will the GNU/Weeb security team assess it?

I'll give you some samples so you can be sure it's real.
* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-20 23:46 UTC
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > There's a rumor that the current CF ticketing system is vulnerable
> > (https://ticket2u.id). Will the GNU/Weeb security team assess it?
>
> I'll give you some samples so you can be sure it's real.

Here you go:
http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/

It contains many events, not only CF. Your job is to create an OCR
program to classify those tickets (group by event). And extract user
identities.
* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21 3:23 UTC
To: Louvian Lyndal
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > I'll give you some samples so you can be sure it's real.
>
> Here you go:
> http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
>
> It contains many events, not only CF. Your job is to create an OCR
> program to classify those tickets (group by event). And extract user
> identities.

Ack, that's real.

--
Viro
* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21 3:42 UTC
To: Louvian Lyndal
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > It contains many events, not only CF. Your job is to create an OCR
> > program to classify those tickets (group by event). And extract user
> > identities.
>
> Ack, that's real.

BTW, it's tiring to filter those out as I have not been able to
identify them programmatically. So far I couldn't find any CF tickets;
could you please send a valid CF sample? Not expired tickets.

tq

--
Viro
* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-21 3:52 UTC
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> BTW, it's tiring to filter those out as I have not been able to
> identify them programmatically. So far I couldn't find any CF tickets,

Neither have I.

> could you please send a valid CF sample? Not expired tickets.

I found one:
https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf

Don't have time to dig through all of that.
* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21 3:58 UTC
To: Louvian Lyndal
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > could you please send a valid CF sample? Not expired tickets.
>
> I found one:
> https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf

Your claim is real, tq tq. Will put more effort into creating a program
that helps this research.

--
Viro
* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-21 4:06 UTC
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> Your claim is real, tq tq. Will put more effort into creating a program
> that helps this research.

Note that you cannot report this to Comifuro admins until you manage
to create a filter to collect only CF tickets. After that, you must be
able to extract user private information from the ticket to make the
severity higher. Once everything is settled up, I will give you all of
the dumps I collected (I'm still collecting newly generated tickets
now).
* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21 4:24 UTC
To: Louvian Lyndal
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> Note that you cannot report this to Comifuro admins until you manage
> to create a filter to collect only CF tickets. After that, you must be
> able to extract user private information from the ticket to make the
> severity higher. Once everything is settled up, I will give you all of
> the dumps I collected (I'm still collecting newly generated tickets
> now).

gud deal, oracle hacker

--
Viro
* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-21 13:44 UTC
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Ammar Faizi, Michael William Jonathan

On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > Once everything is settled up, I will give you all of
> > the dumps I collected (I'm still collecting newly generated tickets
> > now).
>
> gud deal, oracle hacker

We're late, the vulnerable endpoint has officially retired, closing
its doors to negotiations. We're at a standstill unless a new
vulnerability decides to grace us with its presence.
* Re: gwcfd v2?
From: Ammar Faizi @ 2023-11-21 14:03 UTC
To: Louvian Lyndal
Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Michael William Jonathan

On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> We're late, the vulnerable endpoint has officially retired, closing
> its doors to negotiations. We're at a standstill unless a new
> vulnerability decides to grace us with its presence.

Uh oh, that was fast. I love how the ticket2u team reacted quickly.
Deploying a fix immediately like ticket2u did is a good job. Kudos
to the ticket2u team.

Did you know? It was not the case with Kiostix, who took a holiday as an
excuse. Their fix was also horrible and not professional.

Extra Kiostix nonsense story bonus:
When Michael W. and I met them face-to-face at the venue, they said they
could detect fraud using their feeling (they used such a nonsense
sentence as an excuse not to revoke the already leaked tickets).

--
Ammar Faizi
* Re: gwcfd v2?
From: Louvian Lyndal @ 2023-11-21 14:13 UTC
To: Ammar Faizi
Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Michael William Jonathan

On Tue, Nov 21, 2023 at 9:04 PM Ammar Faizi wrote:
> Uh oh, that was fast. I love how the ticket2u team reacted quickly.
> Deploying a fix immediately like ticket2u did is a good job. Kudos
> to the ticket2u team.
>
> Did you know? It was not the case with Kiostix, who took a holiday as an
> excuse. Their fix was also horrible and not professional.
>
> Extra Kiostix nonsense story bonus:
> When Michael W. and I met them face-to-face at the venue, they said they
> could detect fraud using their feeling (they used such a nonsense
> sentence as an excuse not to revoke the already leaked tickets).

How much bug bounty did you get?
* Re: gwcfd v2?
From: Ammar Faizi @ 2023-11-21 14:27 UTC
To: Louvian Lyndal
Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Michael William Jonathan

On Tue, Nov 21, 2023 at 09:13:49PM +0700, Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 9:04 PM Ammar Faizi wrote:
> > When Michael W. and I met them face-to-face at the venue, they said they
> > could detect fraud using their feeling (they used such a nonsense
> > sentence as an excuse not to revoke the already leaked tickets).
>
> How much bug bounty did you get?

I didn't get any bug bounty, but they bought us food and drink at the
venue. Apart from that, Michael W. and Alviro were given a certificate.
It's a paper that says they've contributed to the Kiostix system by
reporting a bug.

--
Ammar Faizi
* Re: gwcfd v2?
From: Alviro Iskandar Setiawan @ 2023-11-21 14:39 UTC
To: Louvian Lyndal
Cc: Ammar Faizi, GNU/Weeb Mailing List, GNU/Weeb Facebook Team, Michael William Jonathan

On Tue, Nov 21, 2023 at 9:14 PM Louvian Lyndal wrote:
> How much bug bounty did you get?

I got a piece of paper.

--
Viro