UK Law On Vulnerability Disclosure

Hi all,

I recently applied to a company that I won't name, and I found that their online assessment preparation system had an enumeration attack vulnerability. Essentially, by enumerating the document ID in one of their API calls, you could download documents that you clearly weren't supposed to (such as assessor marking guidelines). I found this exploit when trying to see, for fun, if I could access one of their locked files, which should've auto-unlocked a week before the assessment.

I decided to report this issue to the company that seemed to provide the software, through their own vulnerability reporting email. Long story short, I decided I didn't want to continue applying to the company anyway, and I also informed them in my withdrawal email that I had reported a vulnerability to the software provider.

I reported the issue instinctively because if I were a company, I wouldn't want anyone who knows how to open the Chrome inspect tab to be able to view my marking guidelines etc., but now I've found loads of horror stories about people being sued by companies for disclosing issues. I get the sense that I should've just kept quiet to keep my own sanity!

With that said, does anyone think this could cause any issues? In fairness, I clearly didn't use this exploit to my advantage as I withdrew my application, but on the other hand I get how it could be seen as bad for me even trying to gain access to one of the documents a week early.

submitted by /u/Jack_ABC123

from hacking: security in practice https://ift.tt/nmtJE2N