top | item 47096008

(no title)

Last year I found a vulnerability in a large annual event's ticket system, allowing me to download tickets from other users.

I had bought a ticket, which arrived as a link by email. The URL was something like example.com/tickets/[string]

The string was just the order number in base 64. The order number was, of course, sequential.

I emailed the organizer and the company that built the order system. They immediately fixed it... Just kidding. It's still wide open and I didn't hear anything from them.

I'm waiting for this year's edition. Maybe they'll have fixed it.

discuss

master-lincoln|10 days ago

And you are not worried enough about other users that you reported the compsny or at least name them here?