
A vulnerability on the Dom.ru site that exposes customers' personal data

I must admit, I myself was surprised by this situation. I'm not a sysadmin at all, I don't write code, and I even work in a field very far from IT. In short, I am a manager. Sales of industrial equipment. However, I like to tinker with Linux (I can't help mentioning calculate-linux) and play around with Windows.

So, today (at the time this was published in the Sandbox) is the 31st, time to pay for the Internet. While wandering around the site of my provider, Dom.ru, I decided to look at my usage statistics. That's where the fun began.

I noticed that my username appears in the browser's address bar. I was immediately seized by the researcher's and pentester's itch. I simply changed one digit of my login in the address bar (no debugger, even) and saw someone else's statistics, with full name and contract number. Within the next couple of minutes I found a few more valid contracts (if I understood correctly, an error is returned when the login does not exist in the system).
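What the post describes is a direct object reference taken from the URL and never checked against the logged-in session, plus a distinct "no such login" error that lets valid logins be told apart from invalid ones. The following is an added illustration, not code from the post or from the provider: a minimal handler with that flaw beside a hardened one that derives the record from the session identity and answers mismatches and unknown logins identically, and a small detection routine that flags sessions requesting statistics for many distinct logins. All logins, names, contract numbers, log entries and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Statistics:
    login: str
    full_name: str
    contract_no: str
    traffic_mb: int


# Constructed sample records standing in for a provider's customer table.
CUSTOMERS = {
    "1000001": Statistics("1000001", "Customer One", "C-0001", 1200),
    "1000002": Statistics("1000002", "Customer Two", "C-0002", 340),
    "1000003": Statistics("1000003", "Customer Three", "C-0003", 9000),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def stats_vulnerable(session_login: str, requested_login: str) -> Statistics:
    """The flaw as described: the login taken from the URL is trusted as-is,
    so any authenticated user can read any record, and a missing login yields
    a distinguishable error that confirms which logins exist."""
    record = CUSTOMERS.get(requested_login)
    if record is None:
        raise NotFound("no such login")
    return record


def stats_hardened(session_login: str, requested_login: Optional[str] = None) -> Statistics:
    """Hardened form: the record is always looked up by the authenticated
    identity. A URL login is tolerated only as a consistency check, and a
    mismatch or an unknown login produce the same response, so the endpoint
    cannot be used to enumerate valid logins."""
    if requested_login is not None and requested_login != session_login:
        raise Forbidden("access denied")
    record = CUSTOMERS.get(session_login)
    if record is None:
        raise Forbidden("access denied")
    return record


def probe(handler, session_login: str, requested_login: str) -> str:
    """Summarise a handler's response as 'ok', 'not_found' or 'forbidden'."""
    try:
        handler(session_login, requested_login)
        return "ok"
    except NotFound:
        return "not_found"
    except Forbidden:
        return "forbidden"


def flag_enumeration(access_log: Iterable[tuple], threshold: int = 3):
    """Detection: return session ids that requested statistics for more than
    `threshold` distinct logins. `access_log` yields (session_id, login)."""
    seen = {}
    for session_id, login in access_log:
        seen.setdefault(session_id, set()).add(login)
    return sorted(s for s, logins in seen.items() if len(logins) > threshold)


# Constructed access log: session B walks through consecutive logins.
SAMPLE_LOG = [
    ("sess-A", "1000001"),
    ("sess-A", "1000001"),
    ("sess-B", "1000002"),
    ("sess-B", "1000003"),
    ("sess-B", "1000004"),
    ("sess-B", "1000005"),
    ("sess-B", "1000006"),
]


if __name__ == "__main__":
    print(probe(stats_vulnerable, "1000001", "1000002"))  # ok
    print(probe(stats_hardened, "1000001", "1000002"))    # forbidden
    print(flag_enumeration(SAMPLE_LOG))                   # ['sess-B']
```

The important design choice in `stats_hardened` is that the identity used for the lookup never comes from the request; the URL parameter, if kept at all for backwards compatibility, only has to agree with the session. Collapsing "wrong user" and "unknown user" into one response removes the enumeration oracle the post noticed.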

Several screenshots confirming my words:

[screenshot: first customer]

[screenshot: second customer]

[screenshot: third customer]

Naturally, I wrote to the provider by e-mail from a throwaway mailbox registered via an anonymous proxy. In our country, such curiosity can be punished.

[screenshot: letter to the provider]

Source: https://habr.com/ru/post/249513/
