Found some vulnerabilities in two companies, one you've probably heard of. Password is passed in cleartext to the server, which errors out and sends the password back in a fucking stacktrace to the browser.
I'm ultra-pissed that they have my password. I've already emailed them about it. Should I release now?
I don't see much of a bug bounty program for the companies, and even then a couple hundred bucks is an insult for the potential damage and incompetence. It shouldn't be my job to fix their shit-tier basic security issues.
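The failure mode OP describes, a server error that hands the submitted password back to the browser inside a traceback, comes down to how the login handler treats exceptions. The following is an added example (not code from OP, the companies, or anyone in the thread) contrasting a debug-style handler that returns the raw traceback with one that returns a generic message and writes only a scrubbed record to the server log. The `authenticate` stand-in, the field names in `SECRET_FIELDS`, and the sample request are constructed for the example.

```python
from __future__ import annotations

import logging
import traceback

# Request fields whose values must never reach a response or a log line
# (assumption: these are the names the form uses).
SECRET_FIELDS = {"password", "passwd", "pwd", "new_password"}


def redact_form(form: dict) -> dict:
    """Return a copy of the request form with credential fields masked."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in form.items()}


def scrub_secrets(text: str, form: dict) -> str:
    """Mask credential *values* wherever they were interpolated into free text
    (exception messages, query strings, URLs), not only under their field name."""
    for key, value in form.items():
        if key.lower() in SECRET_FIELDS and value:
            text = text.replace(str(value), "[REDACTED]")
    return text


def authenticate(form: dict) -> bool:
    """Constructed stand-in for a backend that fails with the whole request in its
    exception message, which is the class of bug that leaks passwords in tracebacks."""
    raise RuntimeError(f"lookup failed for request {form}")


def handle_login_unsafe(form: dict) -> tuple[int, str]:
    """Debug-style handler: the full traceback, password included, goes to the client."""
    try:
        authenticate(form)
        return 200, "ok"
    except Exception:
        return 500, traceback.format_exc()


def safe_log_detail(form: dict) -> str:
    """The detail the hardened handler records server-side: exception type and message
    with every credential value masked. Returns "" if authentication did not raise."""
    try:
        authenticate(form)
    except Exception as exc:
        return scrub_secrets(f"{type(exc).__name__}: {exc}", form)
    return ""


def handle_login_safe(form: dict, log: logging.Logger | None = None) -> tuple[int, str]:
    """Hardened handler: generic body to the client, scrubbed detail to the server log."""
    log = log or logging.getLogger("login")
    try:
        authenticate(form)
        return 200, "ok"
    except Exception as exc:
        detail = scrub_secrets(f"{type(exc).__name__}: {exc}", form)
        log.error("login error for user=%r: %s", form.get("username"), detail)
        return 500, "Login failed because of a server error. Please try again later."


if __name__ == "__main__":
    sample = {"username": "alice", "password": "correct horse battery"}  # constructed
    status, body = handle_login_unsafe(sample)
    print(status, "password in response:", sample["password"] in body)
    status, body = handle_login_safe(sample)
    print(status, "password in response:", sample["password"] in body)
    print("server log would contain:", safe_log_detail(sample))
```

The point of `scrub_secrets` over `redact_form` alone is that the password rarely leaks under a neat `password=` label; it leaks because some layer stringified the whole request into an exception message, so the value itself has to be masked before anything is persisted.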
Fuck off, you larping faggot. If you'd be actually able to do so, you wouldn't waste your time on a chinese cartoons forum.
Caleb Gutierrez
Release now. Do it. I hate this "responsible disclosure" shit that's the tech industry now. Oh, better keep this bug a private matter and work in this proprietary-tier secrecy to fix it. All that bullshit. Can't let the programmers face any consequences for making a vulnerable program, now can we? Let's be real. The only responsible disclosure is a full disclosure. Just putting it out there, explaining everything and how to exploit it. Absolutely let the blackhats start abusing it. It's the only way people will actually learn from their mistakes. It's the only way people will see consequences and the tech world may finally change for the better. Do it.
Jayden Carter
>I'm L33t hacker man
>Hur I found vulnerabilities in their code!
>Using nothing but inspect element on much browser!
Why did you make this thread OP? Need to feel good by lying online?
Liam Brooks
This. Teach those fuckers a lesson.
Zachary Wood
>Calling devtools "inspect element"
>Claiming that there is no vulnerability when it's shown in the screenshot
Spotted the person with no experience or knowledge. It doesn't seem wise to release it. I'd be afraid of them going after me for hacking or something. Even if you did it anonymously, they'd be able to put two and two together since you emailed them.
Xavier Reyes
>Password is passed in cleartext to the server
Are you... retarded?
Hunter Evans
Retard confirmed. Sage this larping faggot and move on.
Justin Edwards
This. Have you ever heard of SSL, OP?
Dominic Cook
Who hurt you
Michael Scott
nah senpaitachi you're supposed to hash your passwords client side!
That's the nature of the issue. The second the password hits their servers, attack vectors explode and actual passwords (not just hashes, nonced hashes, etc.) can be stolen. Then again, maybe I'm just a n00b larper fag. Oh well ¯\_(ツ)_/¯
Jason Jackson
There's nothing wrong with sending the password unhashed through SSL. There's nothing wrong with a server error barfing it back. The other parts of the error traceback are a bigger security issue than sending whatever you sent as the password back.
Brody Lewis
>Password is passed in cleartext to the server
Because secured tunnels like TLS/SSL and IPSec don't exist, right? You're just using a website that passes shit on port 80 HTTP? Sounds like both you and the website are idiots.
Asher Foster
This industry. And it's not just me. It's you. It's OP. It's everyone who ever uses a buggy piece of software these days (so a majority of the western world). It's the fault of our practices when it comes to technology. We constantly ask whether we can, how we can advance, etc. We never ask whether we should. We so rarely go through the rigors of ensuring every component, every line, is safe and properly secured. This is damaging on many levels, and I'll give a perfect example. We knew long ago that microkernels were more secure, and by the 90s, the performance problems with them were already being ironed out. But that wasn't happening fast enough for businesses. People see dollar signs in recklessness. They went with the faster designs, the less tested ones. Windows, MacOS, even Linux to some extent. Each one trying to push out more and more features. No room for self-contemplation. Just keep trying to beat out your competition with some shiny thing. This left microkernels in the dust, as they couldn't keep up with the features that caught people's eyes. People didn't want to wait for someone to do it right. They just wanted someone to do it. Security doesn't sell. So we need to make it sell.
Levi Howard
So you're assuming that this isn't logged somewhere?
I'd definitely prefer for my passwords to be hashed/nonced before touching the server, so that even if the server was compromised, the chances of it being cracked and used are slim-to-none. Maybe I'm being a little crazy about this, but I don't see why anyone would not do this.
If they can't even make a front-end that doesn't puke out serverside stacktraces, something tells me that it wouldn't be incredibly hard to pwn the server, and take the passwords in-transit.
Nathaniel Wilson
That's not even a bug, that's just the state of cryptography in the modern internet. You just have to assume that every place you type your password into has your password. Even if they mutate it client-side you can't be sure that it's not a reversible encryption without digging into the code.
Use a password manager.
Juan Ramirez
>I'd definitely prefer for my passwords to be hashed/nonced before touching the server,
It's fucking pointless. If you hashed your password before touching the server, then the hashed password is the password instead from the server's point of view (and it would be incredibly stupid if they just stored that hashed password without hashing it again). You are just adding another useless abstraction.
Hunter Wood
So, where is the PoC?
Alexander Powell
this
Parker Johnson
Not if it's nonced/salted. If you have someone's password, you can use it on other accounts and systems. If nonced/salted, it becomes worthless on other sites/logins.
Noah Collins
If you don't understand basic cryptography principles then don't express opinions about cryptographic practices.
The service should not know your password. It should only know a salted-and-hashed pass key.
Your password should never be vulnerable, only your access to that service should be vulnerable.
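As an added illustration of the two positions in this thread (this post's "the service should only know a salted-and-hashed pass key" and Juan Ramirez's earlier point that a hash computed on the client simply becomes the password from the server's point of view), the following is example code written for this page, not from anyone in the thread. It stores a server-side salted PBKDF2 digest, verifies it in constant time, and then shows the naive client-side-only scheme, where the stored value can be replayed as the credential without ever knowing the password. The iteration count, salt length and sample password are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 iteration count in the range OWASP currently recommends
# (assumption for this example; any real deployment should tune it to its hardware).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Server-side: derive a salted, deliberately slow digest.
    Persist (salt, digest); the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# --- the "hash it client-side" scheme argued about in the thread ----------------
def client_hash(password: str) -> str:
    """What a naive client would compute in the browser and POST instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_client_hashed(submitted: str, stored: str) -> bool:
    """A server that keeps the client hash as-is and compares it directly.
    Whoever obtains `stored` from the database, or `submitted` from a log or a
    leaked traceback, can authenticate without ever learning the password."""
    return hmac.compare_digest(submitted, stored)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    salt, digest = hash_password(pw)
    print("correct:", verify_password(pw, salt, digest), "wrong:", verify_password("wrong", salt, digest))
    # Same password, fresh salt: unrelated digests, so cracking one row does not unlock another.
    salt2, digest2 = hash_password(pw)
    print("different digests for the same password:", digest != digest2)
    # Client-side-only hashing: the stored value is the credential.
    stored = client_hash(pw)
    leaked = stored  # e.g. read out of a compromised table or a stack trace
    print("replay of leaked client hash accepted:", verify_client_hashed(leaked, stored))
```

Client-side hashing is not useless in every design (it can keep the raw password out of server memory and logs), but only if the server still salts and slow-hashes whatever it receives; on its own it just changes which string is the password.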
Andrew Baker
shut the fuck up pajeet that's got nothing to do with "cryptography" stop calling it "cryptography"
Christian Morgan
Learn what https is idiot.
John Edwards
This is just a big fat multiplier for the damage done if someone ever breaks into the servers. It's the difference between one account being stolen and every account that uses that password being stolen (which could easily cascade from there).
You're introducing more areas for attack and you're not actually increasing the security. It's fucking 2019, there's no reason to not be using SSL. Even then, if someone did an MITM attack they could literally just change the javascript sent to the client, making the whole effort pointless. If the server was compromised guess what, they can just change the fucking javascript.
Cameron Nelson
>I'd definitely prefer for my passwords to be hashed/nonced before touching the server, so that even if the server was compromised, the chances of it being cracked and used are slim-to-none.
Lmao. Whoever has unencrypted traffic has already hacked you.
James Perez
>but I don't see why anyone would not do this..
Tech illiterates would buy a million thin condoms even if they are sterile already. The best passwords are passwords which basically no company would let you set: long memorable phrases. Shits would require you to add punctuation and whatnot to protect the most vulnerable retards instead.
Levi Baker
Oh, and if the attacker is already MITM they might as well send an arbitrary page just to get your precious unhashed password, because an unhashed password, which should be unique for each site, is definitely more important than any data the website contains.