jacquesm 15 hours ago

That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hope you got at least free tickets for life out of this.

  • awesome_dude 14 hours ago

    Rule 1.

    NEVER trust user supplied data.

    Once that rule was broken, any other rules broken became clear to everyone.

    • nradov 10 hours ago

      Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.

      • logicallee 7 hours ago

        >Never trust any data. Even if the data comes from a partner or internal system it could be compromised or defective.

        I don't even call it data anymore. I call it datain't.

    • jacquesm 13 hours ago

      You'd think that client side security would be something that we'd gotten over by now.

      • rpcope1 9 hours ago

        You'd think, but I keep meeting even "experienced" technical leadership, people who have been at this for a while, who think there's no way to get around validation and security that's implemented in client code.

        • cheschire 8 hours ago

          I’ve used browser dev tools to regularly add additional drop down options to menus that weren’t present. Huel, for example, only offered 2 or 4 week subscriptions, so I added 3 weeks to it because that’s the frequency I needed, and it worked no problem. 3 weeks later my shakes arrived and every 3 weeks since.

          • codethief 5 hours ago

            I did something similar on an airline website earlier this year: I wanted to change the date of my return flight and also make it an open jaw (i.e. leave from a different airport than where I had arrived). Changing my flights was included in my original fare, modulo the fare difference. Unfortunately, on their website the input text field for the airport I would be flying out from would get disabled a second or two into loading the "alternative flights search" page, and wouldn't allow me to make it an open jaw. So I fired up my browser dev tools and changed the value of the text field to the desired airport code. Suddenly, I was finding the flights I had been looking for – as it turns out, at no additional charge whatsoever.

          • jacquesm 4 hours ago

            What's insane is that there are countries where this is considered hacking, even if all you do is change the URL.

            somefile-small.jpg -> somefile.jpg

          • anal_reactor an hour ago

            My insurance company has different frontend password regex on registration page and on login page. My password passed the registration regex but fails the login regex. In order to log in, I need to manually remove the frontend-side password regex check.

          • mulmen 8 hours ago

            Did you try adjusting price?

            • cheschire 9 minutes ago

              I am not malicious or willing to attempt theft. Academically though, in an official testing environment, that would be entertaining to attempt.

            • achairapart 4 hours ago

              A kid in Hungary was arrested for exactly this (and it was a cheap bus ticket): https://www.bitdefender.com/en-us/blog/hotforsecurity/budape...

              • umanwizard 3 hours ago

                It doesn’t seem crazy to me that someone should be arrested for that! It’s stealing. If someone came in my house and stole my property I’d expect them to be arrested, even if I had stupidly left the door wide open.

                • Nextgrid 2 hours ago

                  According to the article the system was developed by a regional subsidiary of a German mobile telco, which already tells you everything you need to know about its quality, but on top of that it was rushed to launch in time for some sporting event and thus even less testing was done than would normally happen.

                  Here's a better article: https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-... - it seems like this was good faith security research (he disclosed the issue after testing it) and he couldn't use the transport pass he "stole" because he didn't even live in their service area anyway.

                  This arrest had nothing to do with stealing and all to do with putting well-connected, incompetent people in a very uncomfortable position.

                • jacquesm 2 hours ago

                  Why are you on HN?

                  A kid showed up a bunch of big names. That's the equivalent of a kid walking into a bank and somehow making it into the vault, alerting security to the fact that it's possible without actually making off with all of the gold. That's on the bank, not on the kid. Nobody came into your house or stole your property. If they had the police likely wouldn't show up, nor would the case make the newspaper even if - hah, as if that happens - they made an arrest.

                  The only reason you are hearing about this is because someone at 'bigcorp' didn't want to accept responsibility for their fuckups, and so they used the law to come down on some kid which effectively did them a service, which costs society a large pile of money, further externalizing the cost of their fuckup.

                  • spockz an hour ago

                    How did the arrest go? For all you know it was the local cop that took him to the station and put him under arrest. Not necessarily to punish but to impress that even though the action was minimally invasive for a simple bus ticket, applied to larger systems it could have a significant effect. So more a simple friendly deterrent than an arrest and some nights in jail.

                  • motorest 2 hours ago

                    > A kid showed up a bunch of big names.

                    The kid purposely changed the price of a service to lower it to an insignificant fraction (reportedly from ~27£ to ~0.15£).

                    If that same kid went around a supermarket replacing price tags to lower the selling price, would you call it "showing up a bunch of big names"?

                    Say what you may about how broken and buggy the system was. Purposely misusing it for financial advantage is still a no-no.

                    • jacquesm 2 hours ago

                      How do you propose he would have been able to establish that this was indeed a vulnerability?

                      • motorest an hour ago

                        > How do you propose he would have been able to establish that this was indeed a vulnerability?

                        I could comment extensively on the issue, as it is not as cut and dry as you imply. Instead, I'm going to link to the HN discussion from 2017, as I think it is insightful and covers nuances.

                        https://news.ycombinator.com/item?id=14835515

                    • detaro 2 hours ago

                      Did the kid go around changing price tags, or did they just show that it was possible?

                    • achairapart an hour ago

                      Come on, a kid was just fooling around with the developer console and probably had a curiosity just like the comment above:

                      > Did you try adjusting price?

                      And he was punished for "hacking", not for stealing, and for indirectly putting to shame who was responsible for the epic fail.

                      • motorest 43 minutes ago

                        > Come on, a kid was just fooling around with the developer console and probably had a curiosity just like the comment above

                        You're failing to address the point. It is also trivial to switch price tags in supermarkets. If a kid rips off the tag of an expensive product, tacks on another price tag for pennies, and proceeds to pay the reported price at the checkout counter, is this something deemed acceptable or even classified as vulnerability research?

                        Make no mistake: the system was a shit show and all companies involved pulled some "sociopath mid-level manager saving his ass" moves. But the issue is nuanced.

                • wqaatwt 34 minutes ago

                  No. It’s if you were selling something in your house for $10. Somebody came in, crossed out the number on the tag, wrote down $1 and handed you a bill.

                  Then you took their money and gave them the item without saying anything.

                  Would seem like a weird situation but I don't see how it's theft.

                  • LudwigNagasena 21 minutes ago

                    I bet that would be most likely classified as shoplifting and/or fraud depending on jurisdiction.

                • detaro 2 hours ago

                  It's more that they walked by, saw your door open, popped their head in and then called for you to make sure you knew the door was open.

          • esseph 5 hours ago

            I love this so much

LorenDB 15 hours ago

Ian, it would be great to see an RSS feed on your website if you want to gain another regular reader :)

Aeolun 5 hours ago

They took the website offline on the same day it was reported! That’s amazing!

  • ehnto 4 hours ago

    Yeah I thought that was good. The fix wasn't that long either given how fast enterprises like this usually operate.

cathalc 15 hours ago

That is shamefully poor security.

  • daemonologist 12 hours ago

    It's hard to even call it security - it was just wide open...

    I will say though, this kind of thing does wonders for my imposter syndrome.

  • gnerd00 15 hours ago

    wait until you see the party footage

paddleon 14 hours ago

missed opportunity to grant the authors a F1 super license and get the chance to actually drive one of the cars!

  • stingrae 11 hours ago

    If only that's all it takes

intheitmines 16 hours ago

Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?

  • Kaibu 3 hours ago

    In Germany, the case of a company called "Modern Solution" has gained quite a bit of traction. An IT guy found a password, tried it on the company's phpmyadmin and reported that he could access their data. They sued him and the case went up to the highest German court, which acknowledged the lower court's decision to rule with the company. The IT guy got fined.

    https://www.heise.de/news/Bundesverfassungsgericht-lehnt-Bes... (German article)

    • aleph_minus_one 3 hours ago

      Some additional relevant information:

      When the changes that toughened § 202 StGB were made in 2007, there were a lot of public rallies against it in which many programmers participated. These were ignored by the politicians in power. This (together with other worrying political events) even led to the temporary rise of a new party (Piratenpartei) in Germany.

      The fact that these rallies were ignored by the politicians in power led to the situation that, from then on, many programmers considered the German politicians to be about as trustworthy as child molesters who have relapsed several times.

    • anal_reactor an hour ago

      Lesson: instead of being the good guy and reporting shit, just sell it on black market.

  • Nextgrid 3 hours ago

    What he did there could indeed be legally risky.

    Remember that while for a lot of us this kind of security research & remediation is "fun", "the right thing to do", etc., there are also people in our industry that are completely incompetent, and don't care about the quality of their work or whether it puts anyone at risk. They lucked their way into their position and are now moving up the ranks.

    To such a person, your little "security research" adventure is the difference between a great day pretending to look busy and a terrible day actually being busy explaining themselves to higher-ups (and potentially regulators) and getting a bunch of unplanned work to rectify the issue (while they don't care personally whether the site is vulnerable - otherwise they wouldn't have let such a basic vulnerability slip through - now that there is a paper trail they have to act). They absolutely have a reason and incentive to blame you and attempt legal action to distract everyone from their incompetence.

    The only way to be safe against such retaliation is to operate anonymously like an actual attacker. You can always reveal your identity later if you desire, but it gives you an effectively bulletproof shield for cases where you do get a hostile response.

    • aleph_minus_one 2 hours ago

      > while they don’t care personally whether the site is vulnerable - otherwise they wouldn’t have let such a basic vulnerability slip through

      Even if they do care personally (which I would assume is often the case if the respective person is not an ignorant careerist), they often don't have the

      - organizational power

      - (office-)political backing

      - necessary very qualified workforce

      to be capable of deeply analyzing every line of code that gets deployed. :-(

  • zozbot234 14 hours ago

    The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.

    • bitexploder 8 hours ago

      Without any sort of formally posted bug bounty program explicitly authorizing this sort of activity, the CFAA prohibits unauthorized access of "protected computers". I would classify this as legally risky. If FIA had a stick up their ass they could definitely come after the researcher. The researcher's ethical standing is pretty clean in my book, but this was definitely a little more than just changing a URL parameter (only a little more). I would say this is unsafe to do if you are in the United States. The stopping point was somewhere around "I think I could provide the admin role" and reaching out to the best contact you can find and saying "Hey, I am an ethical white hat security researcher and I noticed X and Y and in my experience when I see this there is a pretty reasonable chance this privilege escalation vulnerability exists. The chance it exists is high enough in my experience that you should treat it like it exists and examine your authorization code. If you would like I can validate this on my end as well if you give me permission to examine this issue. I am an ethical security researcher" ---> point over to your website and disclosed issues if you got 'em. To just do it is ehh... I would not take the risk. However if I /did/ do it I would definitely disclose it to them immediately and give an explanation like the above. Shooting the messenger in this case would be pretty asinine, especially if they didn't access anything sensitive; that would preclude FIA from having any evidence you did anything sketchy (cause you did not). The reason I would not do it is because you never know if a system like this pre-fetches data, etc., and that is definitely opening you up to liability of possessing PII etc. Overall, I have disclosed issues like this in the past without actually exploiting the issue to good results. Sometimes companies ignore it.

      You can always say "If you do not want to treat this issue as a vulnerability I am going to write this up on my website as an example of things you should probably not do" if you feel ethically compelled to force them to change without actually exploiting the issue. People tend to get the message and do something.

      • squigz 4 hours ago

        I'd highly recommend adding some newlines to such comments. Walls of text are not fun to read.

  • iancarroll 15 hours ago

    Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.

    • gausswho 7 hours ago

      Decline because it'd mean you were profiting off of a crime? Or that the opportunity of publishing has higher value than the bribe?

      • LoganDark 6 hours ago

        Decline because the public deserves to know the company has that approach to security.

    • intheitmines 13 hours ago

      Thanks, it's cool to hear attitudes have changed.

  • forgotaccount22 15 hours ago

    When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, at least compared to 10 years ago.

    • SirHumphrey 2 hours ago

      This seems depressingly common in universities. I know of a case where someone discovered anyone with a university account (so students, etc.) can edit DNS, and the IT tried to file charges until the head of CS department intervened.

      • technothrasher 21 minutes ago

        Many years ago when I was at school, I found a paper on a table in the computing library with a list of root passwords for some of the machines at Yale, just sitting there. I tried one and it was valid (this was the old days when remote root logins were a thing). I sent the admins a message telling them, and I was entirely ignored. A month later I tried the password again and it was still good. Luckily for me, I guess, it was before the days of suing people for trying to be helpful.

Briannaj 6 hours ago

my favorite type of hacking. reading the js and modifying the PUT. Works a lot more often than you expect.

forgotaccount22 15 hours ago

Archaic company has archaic security. Well done on the RD, but boy does it not surprise me one bit. Would almost be willing to bet that the hash was MD5 too.

  • zozbot234 15 hours ago

    It's an F1 racing site, their job is literally to move fast and break things. https://xkcd.com/1428/

    • olyjohn 14 hours ago

      You break things in F1, you lose. Reliability and consistency is key.

      • zigman1 2 hours ago

        It seems like this, but it's actually not true. What's interesting in F1 is that you have to find the right balance between innovation and consistency.

        James Vowles, current Williams TP ordered his team to "break everything" in order to improve and change: https://youtu.be/nYzwvTSffiY?t=3129

        What is often forgotten is that all F1 cars are prototypes; they NEED to constantly change and innovate, and every year it starts from the beginning (almost).

        There is a fantastic book called Total Competition, which is a conversation between two ex-team principals, one of them Ross Brawn, probably the most successful F1 engineer. In it, Brawn says: "But where I think Formula One is very strong is in the culture. If you wanted to develop a concept and to drive things forward at maximum pace, utilize it in Formula One. The composite companies love Formula One because we are willing to try things. If they've got a new resin system or a new type of fibre, they give it to the Formula One teams to explore for them, to look at the applications and come back with the feedback. If they put it in the aerospace industry, five years later they would have an answer. Put it into Formula One and five months later they have got an answer."

      • alt227 3 hours ago

        Apart from the many, many times where a team's R&D department has come up with a radical new idea for a machine part which gives them an advantage, and then all the other teams copy it, making it the new standard. This is how F1 has evolved forever, by taking risks and experimenting. Not by reliability and consistency!

  • veqq 15 hours ago

    What hash do you use?

GEBBL 15 hours ago

Strange, the site is run by an Ian Carroll, but the examples show Sam Curry, who is a very famous bug bounty hunter.

  • gregschlom 15 hours ago

    From the post:

    "Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."

  • captnasia 15 hours ago

    if you look at his other posts, it looks like they collaborate often.

CSDude 13 hours ago

Imagine being a world class F1 driver and (someone) still have to upload your CV somewhere.

luxuryballs 16 hours ago

well at least it was a password hash :D

  • dmitrygr 15 hours ago

    Don't get too excited. They never said what kind of hash. Given the rest of the site's security design, might have easily been unsalted md5

    • auxiliarymoose 13 hours ago

      Or maybe rot26 — I've heard it's twice as secure as rot13!

      • mulmen 8 hours ago

        It’s 2025, you should at least be on rot52.

        Best practice guide: https://github.com/killerk3emstar/rot52

        • auxiliarymoose 7 hours ago

          Ah, thanks! Hard to keep up with this stuff. Next thing you know the boffins will tell us we need to switch to rot104 or even rot208 because of "post-quantum cryptography" or something.

  • Group_B 15 hours ago

    There's probably another rockyou out there waiting to happen

yieldcrv 11 hours ago

responsible disclosure made you no money and even after that blogpost you still have to take the l33tcode interview

mvkel 14 hours ago

[flagged]

  • necovek 13 hours ago

    As pointed out, this is unrelated to GDPR.

    Many countries in Europe require you to register with the local police any visitors you are hosting and pay a visitor's tax: this is why hotels would ask for the same documents too.

    GDPR should help ensure they only keep the passport data until they complete the registration, and then remove it after some time or at your request.

  • 9dev 14 hours ago

    They may have said that process was related to GDPR, but that was either a lie or someone with so little understanding of basic laws that I wonder about their capability to conduct business at all.

    Everything about this is prohibited and discouraged under GDPR.

  • dboreham 12 hours ago

    All hotels I stay at in all countries require my passport. OK, not the USA, but there they want my driver's license.

  • jacquesm 11 hours ago

    You were lied to.

whatever1 15 hours ago

Just use a framework to build your site. Don’t reinvent the wheel!

  • maxbond 12 hours ago

    There are some vulnerabilities frameworks can address wholesale (like CSRF or XSS) as long as you keep to the blessed way of doing things, but they aren't able to save you from a complete failure to build authorization into your API. Like how seatbelts save lives but can't stop you from accelerating directly into a pole if you choose to do so.

  • zikani_03 10 hours ago

    Mass assignment problems sometimes also come from (improper?) use of frameworks. This goes beyond frameworks and is more about how thorough the testing and review of user account modification and access control are.
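    A toy illustration of the mass-assignment / missing-authorization failure mode discussed in this subthread (and of the "never trust user supplied data" rule upthread), added here as an example and not code from the post, the FIA site, or any framework; the in-memory user store, the field names and the `applicant`/`admin` roles are all constructed.

```python
"""Mass assignment: a profile-update handler that trusts the client's PUT body,
beside a hardened one that enforces ownership and a field allow-list server-side."""
from copy import deepcopy

# Constructed in-memory user store, standing in for the site's database.
USERS = {
    7: {"id": 7, "email": "driver@example.invalid", "role": "applicant", "cv_url": None},
    1: {"id": 1, "email": "admin@example.invalid", "role": "admin", "cv_url": None},
}

# Only these keys may be changed through the self-service profile endpoint.
EDITABLE_FIELDS = {"email", "cv_url"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested update."""


def fresh_store():
    """Return an isolated copy of the constructed store so runs don't interfere."""
    return deepcopy(USERS)


def update_profile_vulnerable(store, session_user_id, target_id, payload):
    """Defective handler: every key in the request body is written to the record.
    It relies on the browser JS only ever sending editable fields, and it never
    checks that the session user actually owns the target record."""
    record = store[target_id]
    record.update(payload)  # a client-supplied "role" key lands here unchallenged
    return record


def update_profile_hardened(store, session_user_id, target_id, payload):
    """Authorization and an allow-list enforced on the server, independent of
    whatever validation the client-side code happens to do."""
    caller = store[session_user_id]
    if caller["role"] != "admin" and session_user_id != target_id:
        raise Forbidden("cannot modify another user's profile")
    unknown = set(payload) - EDITABLE_FIELDS
    if unknown:
        raise Forbidden(f"field(s) not updatable here: {sorted(unknown)}")
    record = store[target_id]
    record.update({k: payload[k] for k in EDITABLE_FIELDS if k in payload})
    return record


def attempt(handler, session_user_id, target_id, payload):
    """Run a handler against a fresh store; report the resulting role or the
    reason the request was refused. Used by demo() and by tests."""
    store = fresh_store()
    try:
        return "ok", handler(store, session_user_id, target_id, payload)["role"]
    except Forbidden as exc:
        return "forbidden", str(exc)


def demo():
    # Constructed request: the body the JS would send, with a "role" key added.
    tampered = {"cv_url": "https://example.invalid/cv.pdf", "role": "admin"}
    return {
        "vulnerable": attempt(update_profile_vulnerable, 7, 7, tampered),
        "hardened": attempt(update_profile_hardened, 7, 7, tampered),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

    The allow-list rejects the request outright rather than silently dropping the extra key, so the tamper attempt shows up in server logs instead of going unnoticed.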

  • motorest 15 hours ago

    > Just use a framework to build your site. Don’t reinvent the wheel!

    How do you arrive at that conclusion after reading an article on how an API had a broken access control vulnerability?

    • renewiltord 15 hours ago

      He’s being sarcastic and suggesting using some out of the box rbac thing.

  • ChaseRensberger 15 hours ago

    i respectfully disagree with this sentiment. i think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.

    • jonplackett 14 hours ago

      But maybe do that on a smaller scale personal project?

    • atonse 10 hours ago

      Great to reinvent the wheel for your mom and pop blog, or to teach yourself these concepts and try to break in. But not for authn and authz for something official like this.

    • catoc 14 hours ago

      Reinventing the wheel for Formula 1 driving…

      • dmoy 14 hours ago

        Depending on the wheel, maybe. Nowadays it's more standardized - same rims for example. The tires are standardized.

        There's a lot less freedom in reinventing the wheel in formula 1 nowadays

        https://www.formula1-dictionary.net/wheels.html

        The steering wheel, of course, hasn't even been a wheel for a long time. It's some video game console / airplane cockpit looking monstrosity.

    • AnimalMuppet 15 hours ago

      It can. But it can be very bad at producing wheels that don't break.

      • adamtaylor_13 15 hours ago

        Not if you understand how the wheel works. That's the whole point.

    • samarthr1 14 hours ago

      I funnily just read a whole Twitter thread that had this same thesis, not 45 minutes ago... What a small world