GNU/Weeb Mailing List <[email protected]>
From: Ammar Faizi <[email protected]>
To: Louvian Lyndal <[email protected]>
Cc: Alviro Iskandar Setiawan <[email protected]>,
	GNU/Weeb Mailing List <[email protected]>,
	GNU/Weeb Facebook Team <[email protected]>,
	Michael William Jonathan <[email protected]>
Subject: Re: gwcfd v2?
Date: Tue, 21 Nov 2023 21:03:55 +0700
Message-ID: <ZVy4y9LoFXg/[email protected]>
In-Reply-To: <CAP2ubgKBq2kg2oK3evLEBdwtHXMK=Nfuv8qMNhXRq4Ww2N4Ogg@mail.gmail.com>

On Tue, Nov 21, 2023 at 08:44:51PM +0700, Louvian Lyndal wrote:
> On Tue, Nov 21, 2023 at 11:24 AM Alviro Iskandar Setiawan wrote:
> > On Tue, Nov 21, 2023 at 11:07 AM Louvian Lyndal wrote:
> > > On Tue, Nov 21, 2023 at 10:59 AM Alviro Iskandar Setiawan wrote:
> > > > On Tue, Nov 21, 2023 at 10:52 AM Louvian Lyndal wrote:
> > > > > On Tue, Nov 21, 2023 at 10:42 AM Alviro Iskandar Setiawan wrote:
> > > > > > On Tue, Nov 21, 2023 at 10:23 AM Alviro Iskandar Setiawan wrote:
> > > > > > > On Tue, Nov 21, 2023 at 6:46 AM Louvian Lyndal wrote:
> > > > > > > > On Tue, Nov 21, 2023 at 6:37 AM Louvian Lyndal wrote:
> > > > > > > > > On Tue, Nov 21, 2023 at 5:08 AM Alviro Iskandar Setiawan wrote:
> > > > > > > > > > There's a rumor that the current CF ticketing system is vulnerable (
> > > > > > > > > > https://ticket2u.id ). Will the GNU/Weeb security team assess it?
> > > > > > > > >
> > > > > > > > > I'll give you some samples so you can be sure it's real.
> > > > > > > >
> > > > > > > > Here you go:
> > > > > > > > http://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/
> > > > > > > >
> > > > > > > > It contains many events, not only CF. Your job is to create an OCR
> > > > > > > > program to classify those tickets (group by event). And extract user
> > > > > > > > identities.
> > > > > > >
> > > > > > > Ack, that's real.
> > > > > >
> > > > > > BTW, it's tiring to filter those out as I have not been able to
> > > > > > identify them programmatically. So far I couldn't find any CF tickets,
> > > > >
> > > > > Neither have I.
> > > > >
> > > > > > could you please send a valid CF sample? Not expired tickets.
> > > > >
> > > > > I found one:
> > > > > https://mbol2yli7np6mzfgwimfnhajat6sdnq5frs2w7w3b7ldppdawexaxyid.onion/comifuro2023/85b4bcb4-5455-4c91-9d55-76bcd648d165.pdf
> > > >
> > > > your claim is real
> > > >
> > > > tq tq, will give more effort on creating a program that helps this research
> > >
> > > Note that you cannot report this to Comifuro admins until you manage
> > > to create a filter to collect only CF tickets. After that, you must be
> > > able to extract user private information from the ticket to make the
> > > severity higher. Once everything is settled up, I will give you all of
> > > the dumps I collected (I'm still collecting newly generated tickets
> > > now).
> >
> > gud deal, oracle hacker
> 
> We're late, the vulnerable endpoint has officially retired, closing
> its doors to negotiations. We're at a standstill unless a new
> vulnerability decides to grace us with its presence.

Uh oh, that was fast. I love how quickly the ticket2u team reacted.
Deploying a fix immediately, like ticket2u did, is a good job. Kudos to
the ticket2u team.

Did you know? That was not the case with Kiostix, who used a holiday as
an excuse. Their fix was also horrible and unprofessional.

Extra Kiostix nonsense story bonus:
When Michael W. and I met them face-to-face at the venue, they said they
could detect fraud using their feelings (they used that nonsense as an
excuse not to revoke the already leaked tickets).

-- 
Ammar Faizi


Thread overview: 15+ messages
2023-11-20 22:08 gwcfd v2? Alviro Iskandar Setiawan
2023-11-20 22:21 ` Ammar Faizi
2023-11-20 23:37 ` Louvian Lyndal
2023-11-20 23:46   ` Louvian Lyndal
2023-11-21  3:23     ` Alviro Iskandar Setiawan
2023-11-21  3:42       ` Alviro Iskandar Setiawan
2023-11-21  3:52         ` Louvian Lyndal
2023-11-21  3:58           ` Alviro Iskandar Setiawan
2023-11-21  4:06             ` Louvian Lyndal
2023-11-21  4:24               ` Alviro Iskandar Setiawan
2023-11-21 13:44                 ` Louvian Lyndal
2023-11-21 14:03                   ` Ammar Faizi [this message]
2023-11-21 14:13                     ` Louvian Lyndal
2023-11-21 14:27                       ` Ammar Faizi
2023-11-21 14:39                       ` Alviro Iskandar Setiawan
