We found the bug in how Vetco generates PDF documents for its customers. Its PDF page was public and was indexed by Google, which is how we found it. Worse, an IDOR bug in the URL meant it was possible for anyone to obtain customer data by changing the customer's unique ID by a single digit. 馃う
Discussion
Loading...
@zackwhittaker This is terrible. My dog isn鈥檛 very good with #cybersecurity and uses her owner鈥檚 name as her #password. I tried giving her a password wallet but she just buried it in the back yard.
@zackwhittaker I think that the most shocking thing to some pet owners would be finding out that their pet has a better credit score than they do.
We found the bug in how Vetco generates PDF documents for its customers. Its PDF page was public and was indexed by Google, which is how we found it. Worse, an IDOR bug in the URL meant it was possible for anyone to obtain customer data by changing the customer's unique ID by a single digit. 馃う
@zackwhittaker Enumeration - gee that was hard.. wonder if they messaged customers saying "we take the security of your data seriously"
@zackwhittaker That is a very bad design. I hope they will get fined for this by the privacy authorities.
