by andrelaszlo
119 days ago
Last year I found a vulnerability in a large annual event's ticket system, allowing me to download tickets from other users. I had bought a ticket, which arrived as a link by email. The URL was something like example.com/tickets/[string]. The string was just the order number in base64. The order number was, of course, sequential. I emailed the organizer and the company that built the order system. They immediately fixed it... Just kidding. It's still wide open and I didn't hear anything from them. I'm waiting for this year's edition. Maybe they'll have fixed it.
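The ticket-link scheme described in the comment above, next to a hardened form, as an added example that is not part of the original comment or the ticket vendor's code. The function names, the `SECRET_KEY` handling and the order number 1042 are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret held only by the server.
SECRET_KEY = secrets.token_bytes(32)


def weak_token(order_no: int) -> str:
    """Scheme from the comment: the link token is base64 of the order number."""
    return base64.urlsafe_b64encode(str(order_no).encode()).decode()


def is_guessable(token: str) -> bool:
    """Audit check for issued links: does the token decode to a bare number?"""
    try:
        padded = token + "=" * (-len(token) % 4)
        return base64.urlsafe_b64decode(padded).decode("ascii").isdigit()
    except ValueError:  # covers bad base64 and non-ASCII decode errors
        return False


def strong_token(order_no: int, key: bytes = SECRET_KEY) -> str:
    """Order number plus an HMAC-SHA256 tag that only the server can compute."""
    tag = hmac.new(key, str(order_no).encode(), hashlib.sha256).digest()
    return f"{order_no}.{base64.urlsafe_b64encode(tag).decode().rstrip('=')}"


def verify_token(token: str, key: bytes = SECRET_KEY):
    """Return the order number if the tag matches, otherwise None."""
    order_part, _, tag_part = token.partition(".")
    if not (order_part.isascii() and order_part.isdigit() and tag_part):
        return None
    expected = strong_token(int(order_part), key)
    # Constant-time comparison of the whole token, on bytes.
    if hmac.compare_digest(expected.encode(), token.encode("utf-8", "replace")):
        return int(order_part)
    return None


if __name__ == "__main__":
    order = 1042  # constructed sample order number
    print(weak_token(order), is_guessable(weak_token(order)))
    print(strong_token(order), verify_token(strong_token(order)))
```

A signed or random link is still a bearer credential, so the download endpoint should also tie the ticket to the buyer's session or email where the product allows it.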