Re: gwcfd v2?

[Ammar Faizi <ammarfaizi2@gnuweeb.org>]

On Tue, Nov 21, 2023 at 09:13:49PM +0700, Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 9:04 PM Ammar Faizi wrote:
> > On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > > > >
> > > > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > > > >
> > > > > > > > > > Here you go:
> > > > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > > > >
> > > > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > > > identities.
> > > > > > > > >
> > > > > > > > > Ack, that's real.
> > > > > > > >
> > > > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > > > >
> > > > > > > Neither have I.
> > > > > > >
> > > > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > > > >
> > > > > > > I found one:
> > > > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > > > >
> > > > > > your claim is real
> > > > > >
> > > > > > tq tq, will give more effort on creating a program that helps this research
> > > > >
> > > > > Note that you cannot report this to Comifuro admins until you manage
> > > > > to create a filter to collect only CF tickets. After that, you must be
> > > > > able to extract user private information from the ticket to make the
> > > > > severity higher. Once everything is settled up, I will give you all of
> > > > > the dumps I collected (I'm still collecting newly generated tickets
> > > > > now).
> > > >
> > > > gud deal, oracle hacker
> > >
> > > We're late, the vulnerable endpoint has officially retired, closing
> > > its doors to negotiations. We're at a standstill unless a new
> > > vulnerability decides to grace us with its presence.
> >
> > Uh oh, that was fast. I love how the ticket2u team reacted quickly.
> > Deploying a fix immediately like what ticket2u did is a good job. Kudos
> > for ticket2u team.
> >
> > Did you know? It was not the case with Kiostix who took holiday as an
> > excuse. Their fix was also horrible and not professional.
> >
> > Extra Kiostix non-sense story bonus:
> > When I and Michael W. met them face-to-face at the venue, they said they
> > could detect a fraud using their feeling (they used such a non-sense
> > sentence as an excuse not to revoke the already leaked tickets).
> 
> How much bug bounty did you get?

I didn't get any bug bounty, but they bought us food and drink at the
venue. Apart from that, Michael W. and Alviro were given a certificate.
It's a paper that says they've contributed to the Kiostix system by
reporting a bug.

-- 
Ammar Faizi