How I pwned a major New Zealand service provider (opens in new tab)

(mrbruh.com)

55 pointsMrBruh1y ago46 comments

46 comments

Australia and New Zealand are insanely careless with personal data. I was shocked when I was asked to write my credit card details, including cvv, on a piece of paper in a beachside surfboard rental shop

mvdtnz0y ago

A beachside surfboard rental shop is not "New Zealand". Stop being so ignorant.

shakna0y ago

Yeah, no. That's someone who is lazy and not following our rather comprehensive credit card regulations [0]. PCI DSS is required by both VISA and MasterCard, who are the only one's approved by said regulations. CVV storage is not permitted.

If you reported them, chances are, the business would be shut down.

[0] https://www.rba.gov.au/payments-and-infrastructure/payments-...

apimade0y ago

That is neither standard nor normal.

ngonch0y ago

Hotels always ask to physically take my credit card, random maintenance guys ask to access my apartment without a heads-up from the landlord. It's seen as normal, but in my book it's a bit careless.

2 more replies

bell-cot0y ago

Perhaps. From a distance (physical, social, or both) local norms of behavior are often non-standard and abnormal.

3 more replies

MomsAVoxell0y ago

Australians are very lax on human rights, including the right to privacy.

Pine Gap is the world’s largest network tap, after all, invalidating the human rights of close to 2 billion people, every single second of the day.

The nation was bred to be so compliant. Australians are not afraid of licking boots if it means cheap avocados can be smashed.

mixermachine0y ago

Had the same experience in Namibia in 2022. First I should sent them my credit card stuff via mail. Then via a website which looked like it would automatically write my data to a mail and send it to them :D.

I used a freshly generated virtual credit card with payment amount +20$ as a limit (just to be sure).

OptionOfT0y ago

I can't imagine how that would work with an Apple card? There's nothing printed on them.

gtm12600y ago

on apple card you can always pull up the real card info on the app.

adamhartenz0y ago

This is the same vibes as "That's how they measure pants!"

protocolture0y ago

Everyone dogpiling on you is incorrect. This has been my experience as well.

I swear half my job these days is helping australian businesses retroactively purge themselves of plaintext card data.

I have seen some shit man.

kupopuffs0y ago

how can you care when all your stress is aimed towards staying alive

girvo0y ago

That reminds me of all the SQL injection vulns that we used to blame on PHP. As PHP becomes less popular, and the same/similar vulnerabilities remain, I realise it's more just bad practices (though ~2000-early 2010s PHP really was pretty rough when it came to creating those holes, but that might just be a function of how popular it was!)

Nice work on finding it :)

rsch0y ago

PHP was blamed for a good reason: for a long time it did not by default support prepared SQL statements. You could install the mysqli extension to gain such support but that was almost never available on shared web hosts.

allset_0y ago

And every tutorial you could find on how to use PHP with a database was a tutorial on how to add SQL injection to your site.

1 more reply

taitems0y ago

At least they cared. I found an enumeration attack on an Australian referral service where phone numbers were keys and it returned way too much personal information. Responsibly disclosed numerous times, LinkedIn contacted employees. Not even acknowledged and at last check, still open vulnerability.

mixermachine0y ago

The sad thing is, that at some point they truly get exposed (big leak) and your name might come up because they have nobody else to blame. I wish you the best and hope you have lawyer insurance.

manosyja0y ago

Full disclosure was a thing exactly because of that.

pjsg0y ago

Does this api allow me to enumerate the users (by phone number) using the service? That would seem to be bad as well. I. guess that it depends on what their fix was.

If this really was the first api request made by the app, and it has a serious vulnerability, then the omens are not great for the rest of the api calls either.

hsbauauvhabzb0y ago

Be super careful with this, you had innocent intent, but that doesn’t mitigate the fact that you potentially broke the law (and regardless of whether you did or not, that won’t stop feds busting in the door). Some places will take reports like that gratefully, others will do everything in their power to make you out to be the bad guy.

bauruine0y ago

>I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.

Looks like he did some research before.

On the other hand

>On day 2 I awoke and began by finding some form of contact details, information was somewhat sparse but I managed to find a phone number.

Doesn't a responsible disclosure policy contain contact infos on where to report usually?

alp1n3_eth0y ago

Weirdly enough... not always.

When it comes to random companies running their own VDP vs. hiring it out, it can be less than standard despite there being lots of resources on setting it up. I've seen ones that only include a phone number, the email address listed doesn't exist anymore, etc.

Others have had to even get to the point of contacting an executive via LinkedIn despite there being a VDP page / security.txt.

StrauXX0y ago

No, they did not in any way break the law. As they wrote themselves:

> I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.

shakna0y ago

Under New Zealand's Crimes Act, all unauthorised access is illegal. This has been used in court to cover places where someone was not pre-approved, rather than just a policy that gives an implied acceptance. It has also been used where someone has accidentally gained access via insecured systems.

I would not be so confident in stating that they did not break the law.

1 more reply

protocolture0y ago

Honestly cool to see a story like this where the punchline isnt "They never fixed the bug" or "They sent goons after me".

davesmylie0y ago

Hmm. Notably Farmers NZ recently had an extended unplanned outage, and has a 4 star app

xupybd0y ago

Kiwi bank is the most likely IMO. Almost 4 star and the kind of think GPT would do is leave in the Kiwi part.

pikelet0y ago

I don't think so. The data returned talks about loyalty, rewards, and gift cards.

1 more reply

svarrall0y ago

They mentioned the name of the app in the article “KiwiServices”

pikelet0y ago

They mentioned at the top of the article that this is not the real name.

dylan6040y ago

by default, make the thing return a 400 Invalid Request for any request that did not fit exactly what you are expecting. That at least lets you focus on ensuring the data that you are expecting is sane/valid/safe. Undocumented features will eventually bite you, and are loaded footguns, especially if your QA team doesn't know about the undocumented features.

sitzkrieg0y ago

to think someone thought that api was a good idea and got all the way to deploying it, yikes

efilife0y ago

Were you paid? I hope yes

j / k navigate · click thread line to collapse

46 comments

ngonch0y ago

mvdtnz0y ago

A beachside surfboard rental shop is not "New Zealand". Stop being so ignorant.

shakna0y ago

If you reported them, chances are, the business would be shut down.

[0] https://www.rba.gov.au/payments-and-infrastructure/payments-...

apimade0y ago

That is neither standard nor normal.

ngonch0y ago

Hotels always ask to physically take my credit card, random maintenance guys ask to access my apartment without a heads-up from the landlord. It's seen as normal, but in my book it's a bit careless.

2 more replies

bell-cot0y ago

Perhaps. From a distance (physical, social, or both) local norms of behavior are often non-standard and abnormal.

3 more replies

MomsAVoxell0y ago

Australians are very lax on human rights, including the right to privacy.

Pine Gap is the world’s largest network tap, after all, invalidating the human rights of close to 2 billion people, every single second of the day.

The nation was bred to be so compliant. Australians are not afraid of licking boots if it means cheap avocados can be smashed.

mixermachine0y ago

I used a freshly generated virtual credit card with payment amount +20$ as a limit (just to be sure).

OptionOfT0y ago

I can't imagine how that would work with an Apple card? There's nothing printed on them.

gtm12600y ago

on apple card you can always pull up the real card info on the app.

adamhartenz0y ago

This is the same vibes as "That's how they measure pants!"

protocolture0y ago

Everyone dogpiling on you is incorrect. This has been my experience as well.

I swear half my job these days is helping australian businesses retroactively purge themselves of plaintext card data.

I have seen some shit man.

kupopuffs0y ago

how can you care when all your stress is aimed towards staying alive

girvo0y ago

Nice work on finding it :)

rsch0y ago

allset_0y ago

And every tutorial you could find on how to use PHP with a database was a tutorial on how to add SQL injection to your site.

1 more reply

taitems0y ago

mixermachine0y ago

The sad thing is, that at some point they truly get exposed (big leak) and your name might come up because they have nobody else to blame. I wish you the best and hope you have lawyer insurance.

manosyja0y ago

Full disclosure was a thing exactly because of that.

pjsg0y ago

Does this api allow me to enumerate the users (by phone number) using the service? That would seem to be bad as well. I. guess that it depends on what their fix was.

If this really was the first api request made by the app, and it has a serious vulnerability, then the omens are not great for the rest of the api calls either.

hsbauauvhabzb0y ago

bauruine0y ago

>I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.

Looks like he did some research before.

On the other hand

>On day 2 I awoke and began by finding some form of contact details, information was somewhat sparse but I managed to find a phone number.

Doesn't a responsible disclosure policy contain contact infos on where to report usually?

alp1n3_eth0y ago

Weirdly enough... not always.

Others have had to even get to the point of contacting an executive via LinkedIn despite there being a VDP page / security.txt.

StrauXX0y ago

No, they did not in any way break the law. As they wrote themselves:

> I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.

shakna0y ago

I would not be so confident in stating that they did not break the law.

1 more reply

protocolture0y ago

Honestly cool to see a story like this where the punchline isnt "They never fixed the bug" or "They sent goons after me".

davesmylie0y ago

Hmm. Notably Farmers NZ recently had an extended unplanned outage, and has a 4 star app

xupybd0y ago

Kiwi bank is the most likely IMO. Almost 4 star and the kind of think GPT would do is leave in the Kiwi part.

pikelet0y ago

I don't think so. The data returned talks about loyalty, rewards, and gift cards.

1 more reply

svarrall0y ago

They mentioned the name of the app in the article “KiwiServices”

pikelet0y ago

They mentioned at the top of the article that this is not the real name.

dylan6040y ago

sitzkrieg0y ago

to think someone thought that api was a good idea and got all the way to deploying it, yikes

efilife0y ago

Were you paid? I hope yes

j / k navigate · click thread line to collapse