by matiasb 4462 days ago
Two months ago I was able to enumerate all accounts from a local bank (Paraguay); they used document number and numeric passwords for login. They were showing different error messages when you tried to log in with a nonexistent ID.

So I started generating random numbers between common document number ranges (1000000-4000000).

Our public health system has a web app that lets you check your enrollment status by entering a document #, and there are no CAPTCHAs! So the attack was like this: generate a random document number, send a request to the public health app and get the target's info (name, date of enrollment and other info). The most interesting thing was that I tried to log into all accounts by using the birth date of the target as a password (the bank's password policy: just numbers, a min. of 6 numbers...). Around 40% of the clients were vulnerable.
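The post describes two separate weaknesses that combine: a login form whose error message reveals whether a document number exists, and a numeric password policy that lets customers use their own birth date. The following Python is an added example, not code from the post or from any bank; it contrasts a login handler with the leaky behaviour against one that returns a uniform message, always performs the password hash, and throttles attempts per client and identifier, and it adds a password-policy check that rejects birth-date spellings. All account data, document numbers and function names are constructed for the example.

```python
"""Added example: enumeration-resistant login and a birth-date password check.

Everything here is constructed for illustration; the accounts are not real.
"""
import hashlib
import hmac
import os
import secrets
from datetime import date

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so that stored credentials are not guessable offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(document_id: str, password: str, birth: date) -> dict:
    salt = os.urandom(16)
    return {"id": document_id, "salt": salt,
            "hash": hash_password(password, salt), "birth": birth}


# Constructed sample accounts (made-up document numbers and dates).
SAMPLE_BIRTH = date(1985, 3, 15)
ACCOUNTS = {
    "1234567": make_account("1234567", "150385", SAMPLE_BIRTH),   # password == DDMMYY
    "2345678": make_account("2345678", "938201", date(1990, 7, 2)),
}

LEAKY_UNKNOWN = "Document number not registered"
LEAKY_WRONG = "Incorrect password"
UNIFORM = "Invalid document number or password"


def leaky_login(document_id: str, password: str):
    """The behaviour the post describes: the message itself reveals whether the ID exists."""
    acct = ACCOUNTS.get(document_id)
    if acct is None:
        return False, LEAKY_UNKNOWN
    if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
        return False, LEAKY_WRONG
    return True, "ok"


# Per-(client, identifier) failure counter. In production this lives in a shared
# store with expiry; keying on the client as well avoids letting an attacker lock
# out arbitrary customers by hammering their document numbers.
ATTEMPTS: dict = {}
MAX_ATTEMPTS = 5
# Dummy credential so unknown IDs cost the same hash work as known ones.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(secrets.token_hex(8), DUMMY_SALT)


def hardened_login(document_id: str, password: str, client: str = "default"):
    """Uniform error message, constant work for unknown IDs, throttling after MAX_ATTEMPTS."""
    key = (client, document_id)
    acct = ACCOUNTS.get(document_id)
    salt = acct["salt"] if acct else DUMMY_SALT
    expected = acct["hash"] if acct else DUMMY_HASH
    # Hash before checking the throttle so a throttled request is not distinguishable by timing.
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    if ATTEMPTS.get(key, 0) >= MAX_ATTEMPTS or acct is None or not matches:
        ATTEMPTS[key] = ATTEMPTS.get(key, 0) + 1
        return False, UNIFORM
    ATTEMPTS.pop(key, None)
    return True, "ok"


def birth_date_forms(birth: date) -> set:
    """Numeric spellings of a birth date that a guesser would try first."""
    d, m, y = f"{birth.day:02d}", f"{birth.month:02d}", str(birth.year)
    return {d + m + y, d + m + y[2:], y + m + d, m + d + y, m + d + y[2:], y[2:] + m + d}


def password_acceptable(password: str, birth: date) -> bool:
    """Policy for a digits-only scheme: at least 6 digits, not all one digit, not a birth-date spelling."""
    if not password.isdigit() or len(password) < 6:
        return False
    if len(set(password)) == 1:
        return False
    return password not in birth_date_forms(birth)


if __name__ == "__main__":
    print(leaky_login("9999999", "123456"))      # reveals that the ID does not exist
    print(hardened_login("9999999", "123456"))   # same message as a wrong password
    print(password_acceptable("150385", SAMPLE_BIRTH))  # False: DDMMYY of the birth date
```

The hardened handler still hashes the supplied password when the document number is unknown, so response time does not become a substitute oracle for the error message; the password check is the policy-side fix for the birth-date guessing described in the post, applied at enrollment or password change rather than at login.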

1 comment

Isn't this roughly the sort of thing that got weev thrown in jail?
Yes, probably. I have communicated the public health app problem (actually they just need to put a CAPTCHA) many times, but it seems that nobody cares. About the bank, I was working as a data science consultant at that time, so it was easy for me to knock on the door of the security department and tell them about my attack.