PrivatBank and their action on finding vulnerabilities
Some time ago, or rather immediately after the new year, I came across a tempting offer from PrivatBank for searching for vulnerabilities , which stated that there was a chance to get up to 10,000 UAH for searching for vulnerability (Ex. 1250U)
He stumbled ... found nothing and scored on this case.
But after a while, it was possible to detect a vulnerability of the CSU type, thanks to which, it was possible to steal credit card data, cvv2, exp. All data in general.
I gave a link for the friend to the test, asked to drive in the left data, he drove in and the data I got.
On the face of vulnerability, thanks to which it was possible to do bad things, having on hand the data credit cards. That is, spammers will have no difficulty in assembling a database, given that the domain of a private bank, and even under https.
Initially, after sending the error promised 5.000 UAH (625U), there was no limit to joy. He continued to search for the service and soon found another CSU. Again sent.
')
and all ... silence ... correspondence was, but, as I was explained the whole thing in bureaucracy. Because of her mistakes corrected for weeks.
But what was my surprise when for 2 sent vulnerabilities (even if CSU, but thanks to which it was possible to steal data) adjusted the amount to 3,000 UAH (375 ye)
Is it a lot or a little. Overall, not bad. For half an hour - an hour of search - not bad.
Will I search further? I think no.
He stumbled ... found nothing and scored on this case.
But after a while, it was possible to detect a vulnerability of the CSU type, thanks to which, it was possible to steal credit card data, cvv2, exp. All data in general.
I gave a link for the friend to the test, asked to drive in the left data, he drove in and the data I got.
On the face of vulnerability, thanks to which it was possible to do bad things, having on hand the data credit cards. That is, spammers will have no difficulty in assembling a database, given that the domain of a private bank, and even under https.
Initially, after sending the error promised 5.000 UAH (625U), there was no limit to joy. He continued to search for the service and soon found another CSU. Again sent.
')
and all ... silence ... correspondence was, but, as I was explained the whole thing in bureaucracy. Because of her mistakes corrected for weeks.
But what was my surprise when for 2 sent vulnerabilities (even if CSU, but thanks to which it was possible to steal data) adjusted the amount to 3,000 UAH (375 ye)
Is it a lot or a little. Overall, not bad. For half an hour - an hour of search - not bad.
Will I search further? I think no.
Source: https://habr.com/ru/post/138429/
All Articles