How I pwned a major New Zealand service provider

How I pwned a major New Zealand service provider(mrbruh.com)

55 points by MrBruh 1 year ago | 46 comments

ngonch 1 year ago |

Australia and New Zealand are insanely careless with personal data. I was shocked when I was asked to write my credit card details, including cvv, on a piece of paper in a beachside surfboard rental shop

mvdtnz 1 year ago | |

A beachside surfboard rental shop is not "New Zealand". Stop being so ignorant.

shakna 1 year ago | |

Yeah, no. That's someone who is lazy and not following our rather comprehensive credit card regulations [0]. PCI DSS is required by both VISA and MasterCard, who are the only one's approved by said regulations. CVV storage is not permitted.

If you reported them, chances are, the business would be shut down.

[0] https://www.rba.gov.au/payments-and-infrastructure/payments-...

apimade 1 year ago | |

That is neither standard nor normal.

ngonch 1 year ago | | |

Hotels always ask to physically take my credit card, random maintenance guys ask to access my apartment without a heads-up from the landlord. It's seen as normal, but in my book it's a bit careless.

bell-cot 1 year ago | | |

Perhaps. From a distance (physical, social, or both) local norms of behavior are often non-standard and abnormal.

MomsAVoxell 1 year ago | |

Australians are very lax on human rights, including the right to privacy.

Pine Gap is the world’s largest network tap, after all, invalidating the human rights of close to 2 billion people, every single second of the day.

The nation was bred to be so compliant. Australians are not afraid of licking boots if it means cheap avocados can be smashed.

mixermachine 1 year ago | |

Had the same experience in Namibia in 2022. First I should sent them my credit card stuff via mail. Then via a website which looked like it would automatically write my data to a mail and send it to them :D.

I used a freshly generated virtual credit card with payment amount +20$ as a limit (just to be sure).

OptionOfT 1 year ago | |

I can't imagine how that would work with an Apple card? There's nothing printed on them.

gtm1260 1 year ago | | |

on apple card you can always pull up the real card info on the app.

adamhartenz 1 year ago | |

This is the same vibes as "That's how they measure pants!"

protocolture 1 year ago | |

Everyone dogpiling on you is incorrect. This has been my experience as well.

I swear half my job these days is helping australian businesses retroactively purge themselves of plaintext card data.

I have seen some shit man.

kupopuffs 1 year ago | |

how can you care when all your stress is aimed towards staying alive

girvo 1 year ago |

That reminds me of all the SQL injection vulns that we used to blame on PHP. As PHP becomes less popular, and the same/similar vulnerabilities remain, I realise it's more just bad practices (though ~2000-early 2010s PHP really was pretty rough when it came to creating those holes, but that might just be a function of how popular it was!)

Nice work on finding it :)

rsch 1 year ago | |

PHP was blamed for a good reason: for a long time it did not by default support prepared SQL statements. You could install the mysqli extension to gain such support but that was almost never available on shared web hosts.

allset_ 1 year ago | | |

And every tutorial you could find on how to use PHP with a database was a tutorial on how to add SQL injection to your site.

taitems 1 year ago |

At least they cared. I found an enumeration attack on an Australian referral service where phone numbers were keys and it returned way too much personal information. Responsibly disclosed numerous times, LinkedIn contacted employees. Not even acknowledged and at last check, still open vulnerability.

mixermachine 1 year ago | |

The sad thing is, that at some point they truly get exposed (big leak) and your name might come up because they have nobody else to blame. I wish you the best and hope you have lawyer insurance.

manosyja 1 year ago | |

Full disclosure was a thing exactly because of that.

pjsg 1 year ago |

Does this api allow me to enumerate the users (by phone number) using the service? That would seem to be bad as well. I. guess that it depends on what their fix was.

If this really was the first api request made by the app, and it has a serious vulnerability, then the omens are not great for the rest of the api calls either.

hsbauauvhabzb 1 year ago |

Be super careful with this, you had innocent intent, but that doesn’t mitigate the fact that you potentially broke the law (and regardless of whether you did or not, that won’t stop feds busting in the door). Some places will take reports like that gratefully, others will do everything in their power to make you out to be the bad guy.

bauruine 1 year ago | |

>I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.

Looks like he did some research before.

On the other hand

>On day 2 I awoke and began by finding some form of contact details, information was somewhat sparse but I managed to find a phone number.

Doesn't a responsible disclosure policy contain contact infos on where to report usually?

alp1n3_eth 1 year ago | | |

Weirdly enough... not always.

When it comes to random companies running their own VDP vs. hiring it out, it can be less than standard despite there being lots of resources on setting it up. I've seen ones that only include a phone number, the email address listed doesn't exist anymore, etc.

Others have had to even get to the point of contacting an executive via LinkedIn despite there being a VDP page / security.txt.

StrauXX 1 year ago | |

No, they did not in any way break the law. As they wrote themselves:

> I did some research and found that the app did infact have a responsible disclosure policy which at that point, I was happy to continue forth.

shakna 1 year ago | | |

Under New Zealand's Crimes Act, all unauthorised access is illegal. This has been used in court to cover places where someone was not pre-approved, rather than just a policy that gives an implied acceptance. It has also been used where someone has accidentally gained access via insecured systems.

I would not be so confident in stating that they did not break the law.

protocolture 1 year ago |

Honestly cool to see a story like this where the punchline isnt "They never fixed the bug" or "They sent goons after me".

davesmylie 1 year ago |

Hmm. Notably Farmers NZ recently had an extended unplanned outage, and has a 4 star app

xupybd 1 year ago | |

Kiwi bank is the most likely IMO. Almost 4 star and the kind of think GPT would do is leave in the Kiwi part.

pikelet 1 year ago | | |

I don't think so. The data returned talks about loyalty, rewards, and gift cards.

svarrall 1 year ago | |

They mentioned the name of the app in the article “KiwiServices”

pikelet 1 year ago | | |

They mentioned at the top of the article that this is not the real name.

dylan604 1 year ago |

by default, make the thing return a 400 Invalid Request for any request that did not fit exactly what you are expecting. That at least lets you focus on ensuring the data that you are expecting is sane/valid/safe. Undocumented features will eventually bite you, and are loaded footguns, especially if your QA team doesn't know about the undocumented features.

sitzkrieg 1 year ago |

to think someone thought that api was a good idea and got all the way to deploying it, yikes

efilife 1 year ago |

Were you paid? I hope yes