Comment by andrelaszlo

6 days ago

Last year I found a vulnerability in a large annual event's ticket system, allowing me to download tickets from other users.

I had bought a ticket, which arrived as a link by email. The URL was something like example.com/tickets/[string].

The string was just the order number in base 64. The order number was, of course, sequential.

I emailed the organizer and the company that built the order system. They immediately fixed it... Just kidding. It's still wide open and I didn't hear anything from them.

I'm waiting for this year's edition. Maybe they'll have fixed it.
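As an added illustration, not the commenter's code and not the event's real system, here is a constructed lookup that mirrors the pattern described (the URL string is a base64-encoded sequential order number, and decoding it is the only "check") beside a hardened version that issues a random per-ticket token and stores only its hash. The order data, URL and function names are all assumptions.

```python
import base64
import hashlib
import secrets

# Constructed sample orders; order numbers are sequential, as in the comment.
ORDERS = {
    1041: {"owner": "alice@example.com", "seat": "A12"},
    1042: {"owner": "bob@example.com", "seat": "A13"},
}


def vulnerable_lookup(token):
    """The pattern in the comment: token = base64(order number).
    Decoding is not authorization, so any well-formed token yields a ticket."""
    try:
        order_id = int(base64.urlsafe_b64decode(token).decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return None
    return ORDERS.get(order_id)


# Hardened design (assumed, not the vendor's fix): every ticket link carries a
# 256-bit random capability token; the server keeps only SHA-256(token), so a
# leaked database does not leak working links, and nothing in the token
# reveals or relates to the order number.
TICKET_HASHES = {}  # sha256 hex digest -> order_id


def issue_ticket_link(order_id):
    """Create the link to email to the buyer; returns the full URL."""
    token = secrets.token_urlsafe(32)
    TICKET_HASHES[hashlib.sha256(token.encode()).hexdigest()] = order_id
    return f"https://example.com/tickets/{token}"


def hardened_lookup(token):
    """Resolve a presented token; unknown or tampered tokens return None."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    order_id = TICKET_HASHES.get(digest)
    return ORDERS.get(order_id) if order_id is not None else None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup("MTA0Mg=="))   # base64 of "1042"
    link = issue_ticket_link(1041)
    print("hardened:", hardened_lookup(link.rsplit("/", 1)[1]))
```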