It's counterproductive, and companies who take routes to ignore responsible security disclosure or deny it show their disregard for their users' security. Many security researchers passionately care for security and simply want to help companies fix issues they discovered.
Instead of treating security researchers like hostile actors looking to extort their website, companies should at least address the issue discovered by the researcher. This oversensationalized fear of security needs to end, and the infosec community as a whole is changing that.
What started this thread was an interaction with a company that ran an auction website which handled a high volume of transactions. I first reached out by email, then by their Twitter account. I was consequently blocked by their Twitter account, and it appears they're also covering it up.
Due to a vulnerability I discovered, an attacker would have been able to log into their DB and access customer passwords/usernames and other sensitive data. Their reaction was to simply block and ignore communication attempts, which is counterintuitive, as I previously stated.
This company is @furbuy. As of right now I still haven't had any communications from them and am still blocked. Their website is currently offline due to a "DDoS", which isn't likely, as the issue I found revolved around their database. pic.twitter.com/IFz5T8N7HR
At this point, public disclosure without vulnerability details or sensitive data is the best way to make their users aware of the state of security for this website. @DCFurs
It's also interesting to note that I discovered what looked like a photo of a valid visa and an expired passport. Unsure if it's the website owner's or possibly a user's; regardless, it's a hot mess. They also had a flow chart of how the various files interacted.
It also appears to use insecure hashing of passwords with SHA2 as well. You'd get a kick out of this, @SoatokDhole. pic.twitter.com/gSCw2Wckd0
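The tweet above only observes that passwords appear to be hashed with plain SHA-2. The following is an added illustration (not code from the thread or from the site discussed) of what that observation means from the defender's side: a single fast, unsalted SHA-256 produces the same stored value for every user who picks the same password and costs one hash call to test a guess, whereas a salted, iterated construction such as PBKDF2-HMAC-SHA256 from Python's standard library gives every user a distinct record and makes each guess deliberately expensive. The user table, the `USERS` dictionary, is constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to choose the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


def sha256_store(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-256 over the raw password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def unsalted_duplicates(users: dict) -> int:
    """Count stored SHA-256 values that repeat across users.

    Without a salt, equal passwords produce equal digests, so anyone who
    reads the table can see which accounts share a password before
    guessing a single one.
    """
    digests = [sha256_store(p) for p in users.values()]
    return len(digests) - len(set(digests))


def pbkdf2_store(password: str, iterations: int = 600_000) -> dict:
    """Salted, iterated password hash using PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt is generated per record, so two users
    with the same password get different stored values, and the
    iteration count makes each verification (and each guess) slow.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def pbkdf2_verify(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    print("duplicate SHA-256 digests in sample table:", unsalted_duplicates(USERS))
    records = {name: pbkdf2_store(pw) for name, pw in USERS.items()}
    print("alice and bob PBKDF2 records differ:",
          records["alice"]["hash"] != records["bob"]["hash"])
    print("alice verifies:", pbkdf2_verify(records["alice"], USERS["alice"]))
```

The iteration count is a tunable work factor; the default here follows the current OWASP guidance for PBKDF2-HMAC-SHA256 and should be raised over time as hardware gets faster. A dedicated memory-hard scheme (Argon2id or scrypt) is the usual recommendation for new systems; PBKDF2 is used here only because it needs no third-party package.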
Here's another interesting thing to note. They have a tool which can create a backup of their database, along with the supplied credentials to access said database. Another thing to note: they also store already-made backups in a specific static location. pic.twitter.com/f54AkdXsEV
I'm just gonna tweet this as a mental note to possibly hire you for some security hunting in my companies. (I am sure as hell no security expert, and I'll be damned if I get caught sweeping it under the rug.)