top | item 43466355

How I pwned a major New Zealand service provider

55 points | MrBruh | 11 months ago | mrbruh.com

46 comments


ngonch|11 months ago

Australia and New Zealand are insanely careless with personal data. I was shocked when I was asked to write my credit card details, including CVV, on a piece of paper in a beachside surfboard rental shop.

mvdtnz|11 months ago

A beachside surfboard rental shop is not "New Zealand". Stop being so ignorant.

shakna|11 months ago

Yeah, no. That's someone who is lazy and not following our rather comprehensive credit card regulations [0]. PCI DSS is required by both VISA and MasterCard, who are the only ones approved by said regulations. CVV storage is not permitted.

If you reported them, chances are, the business would be shut down.

[0] https://www.rba.gov.au/payments-and-infrastructure/payments-...

apimade|11 months ago

That is neither standard nor normal.

MomsAVoxell|11 months ago

Australians are very lax on human rights, including the right to privacy.

Pine Gap is the world’s largest network tap, after all, invalidating the human rights of close to 2 billion people, every single second of the day.

The nation was bred to be so compliant. Australians are not afraid of licking boots if it means cheap avocados can be smashed.

mixermachine|11 months ago

Had the same experience in Namibia in 2022. First I should send them my credit card stuff via mail. Then via a website which looked like it would automatically write my data to a mail and send it to them :D.

I used a freshly generated virtual credit card with payment amount +20$ as a limit (just to be sure).

OptionOfT|11 months ago

I can't imagine how that would work with an Apple card? There's nothing printed on them.

adamhartenz|11 months ago

This is the same vibes as "That's how they measure pants!"

protocolture|11 months ago

Everyone dogpiling on you is incorrect. This has been my experience as well.

I swear half my job these days is helping Australian businesses retroactively purge themselves of plaintext card data.

I have seen some shit man.

kupopuffs|11 months ago

How can you care when all your stress is aimed towards staying alive?

girvo|11 months ago

That reminds me of all the SQL injection vulns that we used to blame on PHP. As PHP becomes less popular, and the same/similar vulnerabilities remain, I realise it's more just bad practices (though ~2000-early 2010s PHP really was pretty rough when it came to creating those holes, but that might just be a function of how popular it was!)

Nice work on finding it :)

rsch|11 months ago

PHP was blamed for a good reason: for a long time it did not by default support prepared SQL statements. You could install the mysqli extension to gain such support but that was almost never available on shared web hosts.

taitems|11 months ago

At least they cared. I found an enumeration attack on an Australian referral service where phone numbers were keys and it returned way too much personal information. Responsibly disclosed numerous times, LinkedIn contacted employees. Not even acknowledged and at last check, still open vulnerability.

mixermachine|11 months ago

The sad thing is that at some point they truly get exposed (big leak) and your name might come up because they have nobody else to blame. I wish you the best and hope you have lawyer insurance.

manosyja|11 months ago

Full disclosure was a thing exactly because of that.

pjsg|11 months ago

Does this API allow me to enumerate the users (by phone number) using the service? That would seem to be bad as well. I guess that it depends on what their fix was.

If this really was the first API request made by the app, and it has a serious vulnerability, then the omens are not great for the rest of the API calls either.

hsbauauvhabzb|11 months ago

Be super careful with this, you had innocent intent, but that doesn’t mitigate the fact that you potentially broke the law (and regardless of whether you did or not, that won’t stop feds busting in the door). Some places will take reports like that gratefully, others will do everything in their power to make you out to be the bad guy.

bauruine|11 months ago

> I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.

Looks like he did some research before.

On the other hand

> On day 2 I awoke and began by finding some form of contact details, information was somewhat sparse but I managed to find a phone number.

Doesn't a responsible disclosure policy usually contain contact info on where to report?

StrauXX|11 months ago

No, they did not in any way break the law. As they wrote themselves:

> I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.

protocolture|11 months ago

Honestly cool to see a story like this where the punchline isn't "They never fixed the bug" or "They sent goons after me".

davesmylie|11 months ago

Hmm. Notably Farmers NZ recently had an extended unplanned outage, and has a 4 star app

xupybd|11 months ago

Kiwibank is the most likely IMO. Almost 4 star, and the kind of thing GPT would do is leave in the Kiwi part.

svarrall|11 months ago

They mentioned the name of the app in the article “KiwiServices”

dylan604|11 months ago

By default, make the thing return a 400 Invalid Request for any request that did not fit exactly what you are expecting. That at least lets you focus on ensuring the data that you are expecting is sane/valid/safe. Undocumented features will eventually bite you, and are loaded footguns, especially if your QA team doesn't know about the undocumented features.
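
The fail-closed default dylan604 describes, as an added example that is not code from the linked article, the service it describes, or anyone in this thread. The endpoint, its schema, the field names and the sample record are all constructed for illustration. It also goes one step beyond the comment by allowlisting the response fields, since the complaint elsewhere in the thread is an API handing back more personal data than it should:

```python
"""Strict, fail-closed validation for a hypothetical JSON lookup endpoint.

Added example, not code from the article or this thread. Anything that does
not match the documented request shape gets a 400 before any business logic
runs, and only allowlisted fields ever leave the server.
"""
import json

# Documented request shape for the hypothetical "lookup" endpoint.
# A key that is not listed here is an undocumented input and is rejected.
LOOKUP_SCHEMA = {
    "customer_id": int,
    "include_history": bool,
}
REQUIRED = {"customer_id"}

# Fields this endpoint is allowed to return, regardless of what the row holds.
RESPONSE_FIELDS = ("customer_id", "display_name")

# Constructed sample data standing in for a database row.
_RECORDS = {
    1001: {
        "customer_id": 1001,
        "display_name": "Alice",
        "phone": "+64 21 000 0000",      # present in storage, never returned
        "address": "1 Example Street",   # present in storage, never returned
    },
}


def validate(body, schema, required):
    """Return a list of problems; an empty list means the body is acceptable."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    problems = []
    unknown = set(body) - set(schema)
    if unknown:
        problems.append("unknown field(s): " + ", ".join(sorted(unknown)))
    missing = required - set(body)
    if missing:
        problems.append("missing field(s): " + ", ".join(sorted(missing)))
    for name, expected in schema.items():
        if name not in body:
            continue
        value = body[name]
        # bool is a subclass of int in Python, so reject True/False for int fields explicitly.
        wrong_type = not isinstance(value, expected)
        if expected is int and isinstance(value, bool):
            wrong_type = True
        if wrong_type:
            problems.append(f"field {name!r} must be {expected.__name__}")
    return problems


def handle_lookup(raw_body: bytes):
    """Return (status, payload). 400 for anything outside the documented shape."""
    try:
        body = json.loads(raw_body)
    except ValueError:  # json.JSONDecodeError and bad UTF-8 both subclass ValueError
        return 400, {"error": "Invalid Request"}
    problems = validate(body, LOOKUP_SCHEMA, REQUIRED)
    if problems:
        # Field names in the detail are all from the published schema, so nothing new leaks.
        return 400, {"error": "Invalid Request", "detail": problems}
    record = _RECORDS.get(body["customer_id"])
    if record is None:
        return 404, {"error": "Not Found"}
    # Response allowlist: copy only the documented fields out of the record.
    return 200, {k: record[k] for k in RESPONSE_FIELDS}


if __name__ == "__main__":
    for raw in (b'{"customer_id": 1001}',
                b'{"customer_id": 1001, "debug": true}',
                b'{"customer_id": "1001"}',
                b'not json'):
        print(raw, "->", handle_lookup(raw))
```

Two details worth noting: the type check treats `true` as invalid for an integer field (Python's `bool` is a subclass of `int`, so a naive `isinstance` would let it through), and the allowlist is applied on the way out as well as on the way in, so adding a column to storage later does not silently widen the API.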

sitzkrieg|11 months ago

To think someone thought that API was a good idea and got all the way to deploying it, yikes.

efilife|11 months ago

Were you paid? I hope yes