From: Louvian Lyndal <[email protected]>
To: Ammar Faizi <[email protected]>
Cc: Alviro Iskandar Setiawan <[email protected]>,
"GNU/Weeb Mailing List" <[email protected]>,
"GNU/Weeb Facebook Team" <[email protected]>,
Michael William Jonathan <[email protected]>
Subject: Re: gwcfd v2?
Date: Tue, 21 Nov 2023 21:13:49 +0700 [thread overview]
Message-ID: <CAP2ubgL9_ZNjacFYzkQudL-6gtNpq7FiuRfw7XOYkCscCiYspQ@mail.gmail.com> (raw)
In-Reply-To: <ZVy4y9LoFXg/[email protected]>
On Tue, Nov 21, 2023 at 9:04 PM Ammar Faizi wrote:
> On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> > On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > > >
> > > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > > >
> > > > > > > > > Here you go:
> > > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > > >
> > > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > > identities.
> > > > > > > >
> > > > > > > > Ack, that's real.
> > > > > > >
> > > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > > >
> > > > > > Neither have I.
> > > > > >
> > > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > > >
> > > > > > I found one:
> > > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > > >
> > > > > your claim is real
> > > > >
> > > > > tq tq, will give more effort on creating a program that helps this research
> > > >
> > > > Note that you cannot report this to Comifuro admins until you manage
> > > > to create a filter to collect only CF tickets. After that, you must be
> > > > able to extract user private information from the ticket to make the
> > > > severity higher. Once everything is settled up, I will give you all of
> > > > the dumps I collected (I'm still collecting newly generated tickets
> > > > now).
> > >
> > > gud deal, oracle hacker
> >
> > We're late, the vulnerable endpoint has officially retired, closing
> > its doors to negotiations. We're at a standstill unless a new
> > vulnerability decides to grace us with its presence.
>
> Uh oh, that was fast. I love how the ticket2u team reacted quickly.
> Deploying a fix immediately like what ticket2u did is a good job. Kudos
> for ticket2u team.
>
> Did you know? It was not the case with Kiostix who took holiday as an
> excuse. Their fix was also horrible and not professional.
>
> Extra Kiostix non-sense story bonus:
> When I and Michael W. met them face-to-face at the venue, they said they
> could detect a fraud using their feeling (they used such a non-sense
> sentence as an excuse not to revoke the already leaked tickets).
How much bug bounty did you get?
next prev parent reply other threads:[~2023-11-21 14:14 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-20 22:08 gwcfd v2? Alviro Iskandar Setiawan
2023-11-20 22:21 ` Ammar Faizi
2023-11-20 23:37 ` Louvian Lyndal
2023-11-20 23:46 ` Louvian Lyndal
2023-11-21 3:23 ` Alviro Iskandar Setiawan
2023-11-21 3:42 ` Alviro Iskandar Setiawan
2023-11-21 3:52 ` Louvian Lyndal
2023-11-21 3:58 ` Alviro Iskandar Setiawan
2023-11-21 4:06 ` Louvian Lyndal
2023-11-21 4:24 ` Alviro Iskandar Setiawan
2023-11-21 13:44 ` Louvian Lyndal
2023-11-21 14:03 ` Ammar Faizi
2023-11-21 14:13 ` Louvian Lyndal [this message]
2023-11-21 14:27 ` Ammar Faizi
2023-11-21 14:39 ` Alviro Iskandar Setiawan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAP2ubgL9_ZNjacFYzkQudL-6gtNpq7FiuRfw7XOYkCscCiYspQ@mail.gmail.com \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox