I started using a courier company in my country. You buy things in the US, send them to some address and they bring them to my country. Playing with their website, I found that
- They have an API without authentication/authorization, with read/write endpoints.
- The customer IDs are sequential.
This implies that some operations I can make are
- I can API scrape all customer profiles (name, email, address, phone number),
- I can API scrape historical orders for all customers,
- I can modify customer profiles (change a customer's phone number, address, have all packages sent to my house lol).
If these operations are publicly accessible, what regulates what you can actually do? What type of regulations should I look for, in a generic sense? Can I, for example, API scrape all customer data and share that information with, for example, journalists?
(BTW, I already sent emails to this company, but they don't seem to pay much attention. For the same reason, I would not do any of these operations.)
from hacking: security in practice https://ift.tt/RnkAlCF
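The flaw the post describes (a read/write API with no authentication and sequential customer IDs, so any caller can enumerate and edit every profile) is a textbook broken-object-level-authorization bug. The following is an added example written for this page, not code from the post or from the courier company's site: a toy in-memory customer API with the vulnerable design beside a hardened one that requires a bearer token, checks that the token's owner matches the requested record, and uses opaque random IDs. Every customer, token, ID and field value is constructed sample data, and the helper names (`token_for`, `anonymous_exposure`) are this example's own.

```python
# Added example: vulnerable vs hardened customer-profile API (constructed data only).
import secrets

# Constructed sample data keyed by sequential integers, as in the vulnerable design.
CUSTOMERS = {
    1: {"name": "Ana Perez", "email": "ana@example.com", "address": "1 Main St", "phone": "+1-555-0100"},
    2: {"name": "Bo Lin", "email": "bo@example.com", "address": "2 Oak Ave", "phone": "+1-555-0101"},
    3: {"name": "Cy Ruiz", "email": "cy@example.com", "address": "3 Elm Rd", "phone": "+1-555-0102"},
}


# --- Vulnerable design: no caller identity, guessable IDs --------------------
def vulnerable_get_profile(customer_id):
    """Any caller can read any profile just by naming its ID."""
    return CUSTOMERS.get(customer_id)


def vulnerable_update_profile(customer_id, changes):
    """Any caller can overwrite any profile, e.g. change where packages go."""
    profile = CUSTOMERS.get(customer_id)
    if profile is not None:
        profile.update(changes)
    return profile


def enumerate_profiles(get_profile, id_range=range(1, 1000)):
    """Measure exposure: walk the sequential ID space with no credentials."""
    return {cid: p for cid in id_range if (p := get_profile(cid)) is not None}


# --- Hardened design: authenticate, then authorize ownership -----------------
class Unauthorized(Exception):
    """No valid bearer token presented (would be HTTP 401)."""


class Forbidden(Exception):
    """Token is valid but does not own the requested record (HTTP 403)."""


# Same customers re-keyed under 128-bit random IDs, each issued one bearer token.
HARDENED = {}
TOKENS = {}  # token -> customer ID it was issued to (hypothetical session store)
for _profile in CUSTOMERS.values():
    _oid = secrets.token_urlsafe(16)
    HARDENED[_oid] = dict(_profile)
    TOKENS[secrets.token_urlsafe(32)] = _oid


def token_for(customer_id):
    """Server-side helper for the demo: the token issued to one customer."""
    return next(t for t, cid in TOKENS.items() if cid == customer_id)


def authenticate(headers):
    """Map an Authorization header to the customer the token belongs to."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized()
    subject = TOKENS.get(auth[len("Bearer "):])
    if subject is None:
        raise Unauthorized()
    return subject


def authorize(subject, customer_id):
    # Ownership check before any lookup, so a non-owner also learns nothing
    # about whether the requested ID exists.
    if subject != customer_id:
        raise Forbidden()


def hardened_get_profile(headers, customer_id):
    subject = authenticate(headers)
    authorize(subject, customer_id)
    return HARDENED[customer_id]


def hardened_update_profile(headers, customer_id, changes):
    subject = authenticate(headers)
    authorize(subject, customer_id)
    allowed = {"address", "phone"}  # allow-list of customer-writable fields
    if set(changes) - allowed:
        raise ValueError("field not writable: %s" % sorted(set(changes) - allowed))
    HARDENED[customer_id].update(changes)
    return HARDENED[customer_id]


def anonymous_exposure():
    """How many profiles an anonymous caller can read from each design."""
    leaked_vulnerable = len(enumerate_profiles(vulnerable_get_profile))
    leaked_hardened = 0
    for oid in HARDENED:  # even given the real IDs, no token means no data
        try:
            hardened_get_profile({}, oid)
            leaked_hardened += 1
        except Unauthorized:
            pass
    return leaked_vulnerable, leaked_hardened


if __name__ == "__main__":
    print("profiles visible to an anonymous caller (vulnerable, hardened):", anonymous_exposure())
```

Two design points matter here. Authentication alone is not enough: a logged-in customer who can request any ID still has the same enumeration problem, so `authorize` ties the record to the token's subject on every read and write. Opaque IDs are defence in depth, not the fix; they stop bulk scraping of the ID space, but the ownership check is what stops a customer with one valid account from reading or editing another customer's record.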