Santa won’t visit you if you do this …

So I was cruising around, but not in a gay way.

After you spend your silver shilling with them, they give you a link with which to admire your forthcoming advertising genius. This takes the form of a url thus:


where xxxxx is your latest campaign. Now, this is what we programmers refer to technically as ‘totaly shit security’ or tss. Because (and you’re already racing ahead of me aren’t you?) if you were to substitute your campaign number with a number earlier than yours you *cough* could ‘in theory’ spy upon your predecessor’s campaign creatives and lander links. Basically outing everyone’s stuff, if you were to fire up ubot in a tequila-filled haze of vengance.

But nobody here would risk Santa’s wrath by actually doing this now would they?

Seriously though, I’ve mentioned this to BuzzCity and they’ve ignored me. I never like "I’ll show you mine if I’ll show me yours" when I was at school (especially with the janitor), and my opinion hasn’t really changed much. This technique is a two-way street so …

Use this totally hypothetical information wisely young Jedi ….

Oh, and you don’t event have to be logged onto their system to do this. Now that’s quality with a capitol ‘K’!

User Comment:
Shit… Think twice before submitting your data to them. Briefly tested with sqlmap and got this: "target url is UNION injectable with 4 columns"

That means any wannabe idiot can access their database and download YOUR data, including sensitive info.

User Comment:
Wow that is horrible form by buzzcity.

User Comment:
If you can game buzzcity then you should do it.

Get in, hit hard, then get out and count your stack.

User Comment:

Originally Posted by customs

That means any wannabe idiot can access their database and download YOUR data, including sensitive info.

Indeed, think twice before you store any info (personal, financial). The mentioned vulnerability is very simple; hard to believe that this still happens in 2011 ! If their development team makes mistakes like this; there are probably more vulnerabilities.

User Comment:
tried to sniff out a few campaigns but everyone had no active campaigns running… lol bad luck for me

User Comment:
Yeah I created a script didnt find anything worth my time.

The Article Published IN 08-25-2011 07:27 PM

Share To More ()