Pick n Pay exposed delivery customer data online

Which is exactly what I said - in this case it was a rookie error.

This wasn't a rookie error at all, this is just down right negligent really.

That sort of data, stored behind a sequential order number and open to the internet, is not a rookie error that could slip through the cracks because it's in some obscure part of a complex system; this is basic security stuff.

This sort of thing needs ridiculous penalties applied to it.

**EDIT** and I'm also of the opinion the penalties shouldn't be some sort of fine that gets paid over to the government or regulator, the companies responsible should compensate each individual person whose data was potentially exposed via negligence like this a significant chunk of money (like R5k or R10k)... with something of that nature in place we'd see basic security practices properly implemented in very very short order.
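The weakness the post describes, a delivery record reachable by incrementing a sequential order number, shown beside a hardened lookup (opaque reference plus ownership check) and a simple enumeration detector over access logs. This is an added illustration, not code from the thread or from either company; the order data, customer names and log lines are all constructed.

```python
import secrets
from collections import defaultdict

# Constructed sample data: a tiny in-memory "orders" table keyed by a
# sequential order number, the layout the thread criticises.
ORDERS = {
    1001: {"customer": "alice", "address": "1 Example Rd"},
    1002: {"customer": "bob", "address": "2 Sample St"},
}

def lookup_order_vulnerable(order_no):
    """Anyone who knows (or guesses) the next integer gets another
    customer's delivery details: no authentication, no ownership check."""
    return ORDERS.get(order_no)

# Hardened version: the link carries an unguessable reference instead of
# the sequential number, and the record is only returned to its owner.
REFERENCES = {}  # opaque token -> order number (constructed store)

def issue_reference(order_no):
    token = secrets.token_urlsafe(16)  # 128 random bits, not enumerable
    REFERENCES[token] = order_no
    return token

def lookup_order_hardened(token, authenticated_customer):
    order_no = REFERENCES.get(token)
    if order_no is None:
        return None
    order = ORDERS[order_no]
    # A valid token alone is not enough; the caller must own the order.
    if order["customer"] != authenticated_customer:
        return None
    return order

# Detection: a client that walks through many distinct order numbers is
# showing the access pattern that enumerating sequential IDs produces.
LOG_LINES = [  # constructed access-log lines: "<client-ip> <path> <status>"
    "203.0.113.7 /order/1001 200", "203.0.113.7 /order/1002 200",
    "203.0.113.7 /order/1003 404", "203.0.113.7 /order/1004 200",
    "203.0.113.7 /order/1005 200", "198.51.100.2 /order/1002 200",
]

def enumeration_suspects(log_lines, threshold=5):
    seen = defaultdict(set)
    for line in log_lines:
        ip, path = line.split()[:2]
        if path.startswith("/order/"):
            seen[ip].add(path.rsplit("/", 1)[1])
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)
```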
 
Which is exactly what I said - in this case it was a rookie error.
It's not an error to overlook any form of security. It's kinda more like pure negligence.
Don't get me wrong, I'm not really disagreeing with you, just feeling that they are guilty of negligence in the sense of making them responsible.
Would love to see on their development plan where security was considered and how they came to the decision to not add security.
 
It's not an error to overlook any form of security. It's kinda more like pure negligence.
Don't get me wrong, I'm not really disagreeing with you, just feeling that they are guilty of negligence in the sense of making them responsible.
Would love to see on their development plan where security was considered and how they came to the decision to not add security.

I believe it's a conscious decision for most companies, as there are no real repercussions, so why expend the resources to meet certain standards?
 
I believe it's a conscious decision for most companies, as there are no real repercussions, so why expend the resources to meet certain standards?

Largely this in my opinion.

There will be some negative sentiment for a short while and then people will forget about it and move on and still keep using the service anyway.
 
Who are these developers? I mean, here I coded a cashless point of sale system over a festive holiday and you will be hard pressed to find a security flaw... Kontantloos.com

Tells me they never even cared to think about it which makes the entire system suspect as fook.
 
Well Dawn Wing’s website runs on WordPress which is a security risk by itself.
Nothing wrong with WordPress; it's the plugins and changes that devs make that weaken the security. Vanilla WordPress is super hard to compromise.
Vanilla WordPress is worth a $100,000 bounty.


As for the vulnerability it is so simple to catch that I doubt they had a penetration test done on that web application.
 
Who are these developers? I mean, here I coded a cashless point of sale system over a festive holiday and you will be hard pressed to find a security flaw... Kontantloos.com

Tells me they never even cared to think about it which makes the entire system suspect as fook.

Seems you managed to get an F on a typical web based security analyser with some security issues dating back to 2019. What's your bounties like?
 
Is there not a legal process an organisation must follow when a breach like this occurs? (Such as notifying individuals their data was breached?)
 
The bug was fixed, and no data was stolen, so 'it never happened'...

"Last week our logistic partner experienced a small glitch which meant a link could be temporarily accessed if the correct sequence of numbers were known. No customer data was published online anywhere, and, as soon as our delivery partner was made aware of this issue, it was immediately fixed," said Pick n Pay.

Though the data wasn't intentionally published, it was publicly accessible. The question is rather whether the data was crawlable, hence cacheable and searchable; the point being, was any exposed data discoverable?

This...

The retailer added that no one had access to the customers’ banking or other confidential information at any point.

is irrelevant; did the retailer at any point in time take into consideration what people can do with this data? There is a lot to the data which can be exploited, enabling targeted crime.

It is good to know that improper roles and privileges are designated a glitch :rolleyes: All I know is that it must be remedied, and proper standards applied. Never a human error, always a system error...

MyBroadband have done good here, because neither the retailer nor their logistical partner reviewed or audited this at any time, being proactive. We need more tips like these in the public.
 

Seems you managed to get an F on a typical web based security analyser with some security issues dating back to 2019. What's your bounties like?

Not sure what you're talking about; I doubt any online web analyzers are capable of testing Django, which also has amazing auth security built in lol. Also the domain is a redirect, so you are testing the redirect server and not the actual application.

I also discovered a privacy violation when OLX exposed the cellphone numbers of users who chose not to make them visible.

Nobody cared...
 