I have done consulting gigs all over the world for security testing, and I frequently travel to speak at international conferences.
Here’s a story about how I found a vulnerability that could have allowed me to steal the private information of over 100 MILLION people. This is by far the biggest (in the number of people) hack I’ve ever done… and it wasn’t even for work.
Not too long ago I was planning on traveling out of the States for work, so I needed a visa.
If you’ve ever applied for one, you know that some countries hand this service off to third-party providers. This one did not. They had a government office and a website that handled passport verification and visa applications.
I did the whole thing. I created an account, uploaded all my passport info, answered personal questions, uploaded photos, etc.
Somewhere near the end of the process I was asked if I wanted to pay for a “rush” service. I did; I needed this ASAP for work travel. I also entered my credit card info.
Towards the end of the application process, I was given a link to check my order status, something like:
https://threat.dev/app/orderCheck
This page prompted me to log in using the credentials I had set up earlier. Then it redirected me to my account section where I saw my order status. On the page, I noticed I could print the order application with the click of a button.
I hovered over the button and the link looked like so:
https://threat.dev/app/printApplication?id=105608983
Clicking this button returned a printable page of all my info referenced above.
So… even when I’m not working, my hacker brain never turns off.
That number, 105608983… What if I changed it to 105608982? The number right before me?
Surely the application would recognize that was not my id, right?
Unfortunately, for me and all the applicants before me, the answer was “No”. Requesting:
https://threat.dev/app/printApplication?id=105608982
returned another user’s personal information. Big sad.
This type of web vulnerability is typically called an IDOR (an Insecure Direct Object Reference).
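The lookup described above, modeled as an added example that is not code from the original post or from the site in question. The application records, the account names and the `Forbidden` error are constructed assumptions; the point is the vulnerable handler next to the one with the ownership check, plus the retest helper a disclosure reviewer would run to confirm the fix:

```python
# Added example (not from the original post): a minimal model of the
# printApplication?id=... lookup, first with the bug and then with the fix.
# Ids, account names and record contents below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str          # account that submitted the application
    passport_no: str    # sensitive fields the printable page would render
    card_last4: str


# Constructed sample data: two applicants with consecutive ids, as in the post.
APPLICATIONS = {
    105608982: Application(105608982, "other_user", "P1234567", "4242"),
    105608983: Application(105608983, "me", "P7654321", "1111"),
}


class Forbidden(Exception):
    """Raised when a logged-in user requests an application they do not own."""


def print_application_vulnerable(session_user: str, app_id: int) -> Application:
    # The IDOR: the id from the query string is used directly as the lookup
    # key, and the logged-in user is never compared against the record's owner.
    return APPLICATIONS[app_id]


def print_application_fixed(session_user: str, app_id: int) -> Application:
    # The fix: look the record up, then enforce that it belongs to the caller.
    # Treating "missing" and "not yours" identically also avoids confirming
    # which ids exist. Non-sequential ids would make guessing harder but are
    # not a substitute for this check.
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != session_user:
        raise Forbidden(f"application {app_id} is not accessible to this account")
    return app


def is_idor_present(handler, session_user: str, other_id: int) -> bool:
    """Retest helper: True if the handler hands session_user a record they do not own."""
    try:
        leaked = handler(session_user, other_id)
    except (Forbidden, KeyError):
        return False
    return leaked.owner != session_user


if __name__ == "__main__":
    # "me" owns 105608983 and asks for the id right before it, as in the post.
    print(is_idor_present(print_application_vulnerable, "me", 105608982))  # True
    print(is_idor_present(print_application_fixed, "me", 105608982))       # False
```

The retest helper is the check to keep around after a fix lands: it asserts on the owner of whatever comes back rather than on the HTTP status, so a fix that still returns someone else's record with a 200 is caught.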
I found this bug totally outside of work, so I started to get very nervous about finding such a big bug on a gov site where I was traveling. I had to find a way to responsibly disclose it without getting in trouble. I reached out to several friends in the information security scene. Luckily one of them knew of someone who worked in Cyber Security for that government. They asked that I pass along a written report. I did and then worked with them to retest the issue once a fix was put in place.
I discovered 4 more vulnerabilities in this process, one of which was that the database was being backed up in a tar file to the same place user images were being uploaded. This share had no authentication on it. The database had credit card numbers in it. Big Sad #2. If you’re a security tester reading this, always check /backup or check for backup zip/tar files.
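A defender's counterpart to that advice, added here as an example that is not from the original post: an audit that walks a directory the web server exposes (such as the upload share described above) and flags anything that looks like a database or site backup. The directory layout and file names in the demo are constructed; the suffix and name-fragment lists are a heuristic, not an exhaustive signature set.

```python
# Added example (not from the original post): audit a web-served directory
# for backup archives. The constructed share in demo() mirrors the post's
# scenario: user images alongside a database dump in a tar file.
import os
import tempfile
from pathlib import Path

# Heuristic markers for backup material. Adjust to the stack being audited.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".zip", ".7z")
DUMP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump")
BACKUP_HINTS = ("backup", "bak", "dump", "db")


def looks_like_backup(path: Path) -> bool:
    """Flag database dumps outright, and generic archives only when their name hints at a backup."""
    name = path.name.lower()
    if name.endswith(DUMP_SUFFIXES):
        return True
    return name.endswith(ARCHIVE_SUFFIXES) and any(h in name for h in BACKUP_HINTS)


def find_exposed_backups(root: Path) -> list[str]:
    """Return sorted, root-relative POSIX paths of files under root that look like backups."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            if looks_like_backup(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed upload share in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photos").mkdir()
        (root / "photos" / "passport_scan.jpg").write_bytes(b"\xff\xd8")   # legitimate upload
        (root / "photos" / "db_backup_2021.tar").write_bytes(b"")           # the post's scenario
        (root / "backup").mkdir()
        (root / "backup" / "site.sql.gz").write_bytes(b"")                  # dump under /backup
        (root / "archive.zip").write_bytes(b"")                             # generic archive, not flagged
        return find_exposed_backups(root)


if __name__ == "__main__":
    for hit in demo():
        print("exposed backup candidate:", hit)
```

Run it against the document root or upload path as the web server's user, so it sees exactly what the server can serve; anything it reports should either move outside the served tree or sit behind authentication, and the backup job itself should be pointed somewhere the web server cannot read.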
In the end, they were thankful for the disclosure and my work. My travel went without a hitch.
I didn’t even get a t-shirt, but I might have saved your personal data from evil hackers.