82
slaat
8y

I guess that is what you get for bringing up security issues on someones website.

Not like I could read, edit or delete customer or company data...

I mean what the shit... all I did was try to help and gives me THIS? I even offered to help... maybe he got angry cause I kind of threw it in his face that the whole fucking system is shit and that you can create admin accounts with ease. No it's not a framework or anything, just one big php file with GET parameters as distinction which function he should use. One fucking file where everything goes into.

Comments
  • 44
    "Should I just email this to your investor or customer list, then? This is where you get to fix these outstanding issues BEFORE someone else maliciously exploits them."
  • 6
    I investigated him a bit on upwork and I found out that he pays some guy 6$/hour for the coding part. Maybe the guy is doing his job for him and he is angry that I exposed him to the companies general support mail.
  • 4
    I'm not one to threaten. If he does not want my help, so be it. Better to have no customer than someone who is pissed at me. It seems to me that the code is shit and would need a huge amount of refactoring and he is, from what I can see, not able nor willing to afford this
  • 5
    How did you have access to the PHP file? Using an FTP account or in a more creative way?
  • 6
    @TktStatusPICNIC it's illegal, this is not a game

    @lucas22 I saw that he is not checking user input. I could execute all kinds of stuff there
  • 3
    @slaat there's a difference in good clients and the one you just seen. that kind of client needs to hit a brick wall at a buck twenty give me a hint of the site and I'll cut the brakes.
  • 0
    @jckimble yeah right, guess who they will accuse first hahaha
  • 0
    @TktStatusPICNIC wasn't ment as an insult, it's just that I do not like to play around with this kind of stuff.
  • 2
    @slaat I'll wait two weeks and give you time to get an aliby and on top of that I'll make it look like Russia is hacking them
  • 1
    @slaat but seriously you're doing right but I would report the site somewhere
  • 7
    dear asshole 😂😂😂😂
  • 5
    @MrErvin with a *semi colon*!
  • 1
    @jckimble I just feel bad for the customers
  • 1
    @slaat yeah you could always see about filing a cve but I'm not sure if they would take websites if they don't someone needs to make a cve version of plaintext offenders
  • 4
    This is one of the reason why people hate PHP. Copy and Paste code from online, modify and there you go. I am a app developer now. When app gets hacked, PHP is being blamed.
  • 2
    @PoweredByCoffee exactly! It just so happens more people "know" php than other languages but that same guy would've made a crap job with any other programing language.
  • 0
    Nuke
    That
    Shit
    Up
  • 1
    I also did this a few times. Atleast you got a reply
  • 0
    @by2coffee 😂👌
  • 1
    Post the vulnerability publicly online, then see what they say 😂
  • 0
    @TheInitializer i'd try to find an offical channel first but as long as he didn't hack them to find the exploits and he keeps the email where they can't "call him" releasing a zero day bug, they can't do nothing about it as long as he doesn't post it on a hacking forum first
Add Comment