Enumeration is the most basic and nicest web bug these days.
First the most stupid example. Some company had put me on one of their nice ‘newsletters’. Without asking, of course. They use a self-written mailing-list manager with a very simple web interface to unsubscribe:
http://www.domain.tld/pages/Unsubscribe.aspx?mid=42&uid=$number
The content of this page was:
Are you sure you want to sign out?
Your email address is: mendel@mobach.nl [Yes] [No]
Since I’m very allergic to people publishing my email address in this way, I started fiddling with the numbers. It turned out they start at 1 and end at 3479. Guess their number of subscribers…
A nice one-liner gave me all the addresses. After informing them, and about 4 days later, they still had not fixed it.
The bad that can happen out of this:
- I can unsubscribe all their members
- They leak their (almost) complete client and supplier list
Then the older case, but still a bit interesting.
Once upon a time some company called OV-Fiets decided that it would be nice to send people a newsletter with a nice ‘automatic login URL’. It could not be more stupid:
The URL contained an md5 hash; after opening it you got a cookie and you were logged in automatically. But since they had already had a basic lesson, they decided to create the md5 in a special way:
Take a secret number, XOR it with the database ID (*1). Take the result of this XOR in plain text, create an md5 of it and use that as the hash. Since I do like hashes, I pasted it into Google and immediately got the source of the MD5 hash. Since I knew my customer ID (you have to use it as a login), I could subtract it from the XOR result and I got the secret number.
The bad that could happen:
1. I could see everybody’s barcode number (and create them myself)
2. I could see (hello unencryption, cleartext, nice website) everybody’s password
3. I could see everybody’s PIN that goes with 1
4. I could see all the payment information
5. I could rent real-world bikes in someone else’s name
6. I could skip returning the bikes from 5 and let other people have misery because of my laziness in returning them
And the fix? They disabled the autologin, nothing else. They still display your password in cleartext, they still store it in cleartext, they still did not require everyone to change their PIN code; they did nothing.
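Both bugs above have the same root cause: the link is a pure function of a small, guessable number (a sequential uid, or secret plus database ID run through md5), so one known link gives you every other one. As an added example, not code from this post or from either company, here is how an unsubscribe link and an autologin link can be built so that neither counting upward nor a hash lookup helps: an HMAC over the uid, the purpose of the link and an expiry, checked in constant time. The names SERVER_KEY, make_token and verify_token, the purpose strings and the timestamps are all my own assumptions; the weak_token function only reproduces the secret+dbID scheme the post describes, to show that it does not bind the hash to the user.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example key; a real deployment loads this from a secrets store, not source.
SERVER_KEY = secrets.token_bytes(32)


def make_token(key: bytes, uid: int, purpose: str, expires_at: int) -> str:
    """Return 'uid.expires.tag' with tag = HMAC-SHA256(key, purpose|uid|expires).

    Binding the purpose means an unsubscribe link cannot be replayed as a login link,
    and binding the expiry means a leaked newsletter does not stay valid forever.
    """
    msg = f"{purpose}|{uid}|{expires_at}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{uid}.{expires_at}.{tag}"


def verify_token(key: bytes, token: str, purpose: str, now: Optional[int] = None) -> Optional[int]:
    """Return the uid if the token is authentic, unexpired and for this purpose, else None."""
    now = int(time.time()) if now is None else now
    try:
        uid_s, exp_s, tag = token.split(".")
        uid, expires_at = int(uid_s), int(exp_s)
    except ValueError:
        return None  # malformed: wrong field count or non-numeric fields
    expected = hmac.new(key, f"{purpose}|{uid}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare, so the tag cannot be guessed byte by byte from response timing.
    if not hmac.compare_digest(expected, tag):
        return None
    if now >= expires_at:
        return None
    return uid


def weak_token(secret: int, uid: int) -> str:
    """The scheme from the post (footnote *1): md5 of (secret + dbID) written in decimal.

    The hash depends only on the sum, so it does not identify the user at all: any
    (secret, uid) pair with the same sum produces the same link, and the preimage is a
    short decimal string, which is why a search engine could find it.
    """
    return hashlib.md5(str(secret + uid).encode()).hexdigest()


def unsubscribe_link(key: bytes, uid: int, now: Optional[int] = None) -> str:
    """Build the kind of link the newsletter should have carried instead of uid=$number."""
    now = int(time.time()) if now is None else now
    token = make_token(key, uid, "unsubscribe", now + 30 * 24 * 3600)  # valid 30 days
    return f"http://www.domain.tld/pages/Unsubscribe.aspx?token={token}"


if __name__ == "__main__":
    link = unsubscribe_link(SERVER_KEY, 42)
    token = link.split("token=")[1]
    print("link:      ", link)
    print("as uid 42: ", verify_token(SERVER_KEY, token, "unsubscribe"))
    # Editing the visible number in the link no longer works: the tag no longer matches.
    print("edited 43: ", verify_token(SERVER_KEY, token.replace("42.", "43.", 1), "unsubscribe"))
    print("as login:  ", verify_token(SERVER_KEY, token, "login"))
```

The uid stays visible in the link, which is fine: the point is not to hide the number but to make the tag unforgeable without the server key, so that the 3479 neighbouring numbers are of no use to anyone who holds one link.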
Kind Regards,
Mendel Mobach - time to rent a bike
*1: everybody with a little bit of clue knows this is just secret+dbID
Note: I will write about har2009, but later.