Change history
Edit by mydibyje (current version):
They posted the email they sent.
https://luke.collins.mt/fh-email/
For those who won't click through:
Subject: Freehour app is not secure
From: Luke Bjorn Scerri <l******@um.edu.mt>
Date: 19/10/2022, 16:36
To: "hello@freehour.eu" <hello@freehour.eu>, "Zach Ciappara" <z******@freehour.eu>, z******@gmail.com
CC: Luke Collins <l******@um.edu.mt>, Michael Debono <m******@um.edu.mt>, Giorgio Grigolo <g******@um.edu.mt>
To whomever this may concern,
I am writing to you on behalf of the University of Malta Capture the Flag Team. We are a group of Science and ICT students interested in cyber-security and we do vulnerability research in our free time.
What are CTFs?
Recently we analysed the free hour app for any security weakness.
The app was found to be vulnerable to several exploits with severe consequences.
List of issues (most severe first)
(redacted)
(redacted)
(redacted)
(redacted)
(redacted)
(redacted)
Some technical examples
Changing content displayed by the app for all users:
(redacted)
Disclosure of personal information
(redacted)
Here's one user from the response as an example, notice the sensitive information (which belongs to one of the members of our team):
(redacted)
Next steps
These vulnerabilities pose a serious threat as they may result in not only the leak of your users' data, but also a malicious actor violating the trust users have in your brand by launching phishing attacks through your platform. As is customary, you have three months to resolve these issues before we publicly disclose them. We would also be eligible for a bug bounty, as is industry practice.
Changing the subject, as previously stated, we are interested in cyber-security and will be hosting free workshops and a competition throughout the academic year to help inform students on how to secure themselves as both users and online professionals. We would be grateful if you could provide us with an audience of stem students.
Note: We have restored the app to its original state very shortly after we took the demonstration footage. Attached to this email is a short video and a picture just to show our ability to change content displayed by the app.
We look forward to your prompt reply.
Thank you and best regards,
Luke Bjorn Scerri, Michael Debono, Giorgio Grigolo, Luke Collins
Attachments
create_ad.png
demovid.mp4
Original version by mydibyje:
They posted the email they sent.
https://luke.collins.mt/fh-email/
For those who won't click through: Subject: Freehour app is not secure From: Luke Bjorn Scerri l******@um.edu.mt Date: 19/10/2022, 16:36 To: «hello@freehour.eu» hello@freehour.eu, «Zach Ciappara» z******@freehour.eu, z******@gmail.com CC: Luke Collins l******@um.edu.mt, Michael Debono m******@um.edu.mt, Giorgio Grigolo g******@um.edu.mt To whomever this may concern,
I am writing to you on behalf of the University of Malta Capture the Flag Team. We are a group of Science and ICT students interested in cyber-security and we do vulnerability research in our free time. What are CTFs?
Recently we analysed the free hour app for any security weakness. The app was found to be vulnerable to several exploits with severe consequences.
List of issues (most severe first) (redacted) (redacted) (redacted) (redacted) (redacted) (redacted) Some technical examples Changing content displayed by the app for all users: (redacted) Disclosure of personal information (redacted) Here's one user from the response as an example, notice the sensitive information (which belongs to one of the members of our team):
(redacted)
Next steps
These vulnerabilities pose a serious threat as they may result in not only the leak of your users’ data, but also a malicious actor violating the trust users have in your brand by launching phishing attacks through your platform. As is customary, you have three months to resolve these issues before we publicly disclose them. We would also be eligible for a bug bounty, as is industry practice.
Changing the subject, as previously stated, we are interested in cyber-security and will be hosting free workshops and a competition throughout the academic year to help inform students on how to secure themselves as both users and online professionals. We would be grateful if you could provide us with an audience of stem students.
Note: We have restored the app to its original state very shortly after we took the demonstration footage. Attached to this email is a short video and a picture just to show our ability to change content displayed by the app.
We look forward to your prompt reply.
Thank you and best regards, Luke Bjorn Scerri, Michael Debono, Giorgio Grigolo, Luke Collins
Attachments create_ad.png demovid.mp4