Tag: lang_en

How we tried to book a train ticket and ended up with a data breach with 245,000 records

A model of a steam locomotive with French and German flags, a Trans-Europ-Express wagon attached. The train is losing tickets.

To celebrate Franco-German friendship, German Transport Minister Wissing and his French counterpart Beaune came up with something special: 30,000 free Interrail tickets per country for travel in Germany and France for young adults between 18 and 27. Codename: “Passe France Allemagne”.

However, many things went wrong when the Interrail passes were distributed. In the following, we want to take you on a journey through the stages of the not-so-well-implemented ticket and show you how you could still get a pass after registration ended.

And while we’re on the tracks, we’ll also have a look at a security breach in a similar project at the EU level. It was implemented by the same agency, which left the data of about 245,000 registrations almost unprotected on the web.

Please stand clear of the doors – we’re departing! 🚄🚃🚃🚃🚃

Presents versus privacy

Burning gift box between building blocks

On the Internet no one knows you’re a dog creating content – but everyone knows you love support from your fans (whether in the form of technical devices, energy drinks or feed). However, it’s not a good idea to leave your home address online where overzealous fans or malicious stalkers might find it. For this reason, services have emerged that seek to enable creators to receive physical gifts without compromising their privacy.

But how well do they actually protect your address? Let’s have a look…

⚠️ Warning: do not use Hive Social 👉🐝👈

Beekeeper opening a beehive, colorized, 2022

Update: The vulnerabilities are currently no longer exploitable because Hive deactivated their servers. More details

Following the Twitter takeover, a number of services promising to be an alternative gained traction. One of those is “Hive Social”, which reached more than a million users in the last weeks.

Of course, we were interested and took a look at Hive from a security standpoint. We found a number of critical vulnerabilities, which we confidentially reported to the company. After multiple attempts to contact the company, we finally reached them by phone and they acknowledged the report. After multiple days and multiple reminders by us, they claimed they would fix them within the next two days. However, after those two days, multiple vulnerabilities we reported were not fixed and still existed at the time of writing.

⚠️ We strongly advise against using Hive in any form in the current state.

Please create good TikTok(-analyse)s

Once again a report about TikTok is going around. We have read it carefully: it’s mostly nonsense. Let’s have a look at the claims one after the other.

The amazing tale of a test certificate and the Unix timestamp that traveled through time.

Now let’s move on to sports: the whole world is talking about the test certificates of a tennis player right now.

Novak Đoković is a Serbian tennis player who recently entered Australia – without vaccination, but with two PCR test certificates: a positive test result from December 16th and a negative test result from December 22nd. He is therefore considered to be recovered.

With this he got a special permit to enter the country unvaccinated – but this permit was then considered insufficient when he entered the country. In the meantime, however, a court has allowed him to enter Australia.

In cooperation with SPIEGEL, we took a look at the court documents and tried to understand the technical details. 🕵️

Gorillas: Special offer - unicorn slices, 150g 🦍❤️

Gorillas advertising with the slogan ‘Just going to check Gorillas one more time, then I will put the phone away… oh nice, cinnamon buns’, but ‘cinnamon buns’ is replaced with ‘data’

We felt more like “Oh fuck, data breach”

During the pandemic, grocery delivery services gained popularity. New players on the market offer delivery in under an hour. One of them is Gorillas, which not only delivers apples and granola bars in 10 minutes, but just as quickly delivered the data of all its customers.

How could this happen? Unfortunately, it was once again much too simple. But let’s start at the beginning:

No one else was in the room where it happened - disturbing the clubhouse peace

Cover image

What happened so far …

In our first thread on Clubhouse (in German) we had only taken a superficial look at Clubhouse.

We saw that Clubhouse uses an external service provider called Agora.io for the voice call functionality. Agora.io is also used by many other apps, including a therapy app. In the thread we found that, among other things, we can easily listen to a room without being displayed to the other room participants if we communicate directly with Agora.

Conversely, you can also be displayed in a room without listening. However, this is not really a problem - after all, even outside Clubhouse you are often present in conversations without really listening.

… and what happened next …

Clubhouse really likes your phone book

This article has also been published in German.

tl;dr: Every time you open the invite tab, Clubhouse uploads all the phone numbers from your address book.

Clubhouse is currently invite-only, which is probably part of the current hype. To invite someone you have to give Clubhouse access to your address book. This has been criticized several times, and there has been a lot of discussion about how Clubhouse uses this address book data. We took a look and document how Clubhouse currently uses the data from your address book and how it could be done better.