l + f: When hackers hack hackers, then …


After registering for Defcon, one of the world’s largest hacker conferences in Las Vegas, Brandon Forbes aka “Reznok” received a confirmation email with a link to his online ticket. It looked like this:

hXXps://def-con-merchandise[.]guestmanager[.]com/viewer/orders/3791

And guess what: of course, 3790 and 3789 worked the same way, except that they showed the data of other participants. Links like this, where simply changing a number gives access to the personal data of third parties, have reached the heise Security editorial team by the dozen in the past few months. Many of them came from corona rapid test centers, for example, which made test results accessible online.

While one can perhaps understand that those operators lacked technical know-how and had other priorities at the height of the pandemic, there is less understanding for the organizers of the long-established hacker conference. In their defense, however, it should be mentioned that the operators of the ticketing system responded promptly to his tip and added an additional authorization token to the link, Reznok explains in his blog post.
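The flaw and the fix described above, as an added sketch that is not the ticketing vendor's code: the first lookup trusts the order number alone, the second also demands a token bound to that number. The HMAC construction, the `tickets.example` host and the `token` parameter name are assumptions; the article only says that an authorization token was added to the link.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the order numbers mirror the sequential IDs in the article.
ORDERS = {
    3789: {"name": "Attendee A", "email": "a@example.org"},
    3790: {"name": "Attendee B", "email": "b@example.org"},
    3791: {"name": "Attendee C", "email": "c@example.org"},
}

# Server-side secret (assumption: tokens are derived with an HMAC; a random
# per-order token stored next to the order would serve the same purpose).
SECRET_KEY = secrets.token_bytes(32)


def view_order_insecure(order_id):
    """Behaviour before the fix: the order number alone selects the record."""
    return ORDERS.get(order_id)


def order_token(order_id):
    """Unguessable token that is valid for exactly one order number."""
    mac = hmac.new(SECRET_KEY, str(order_id).encode(), hashlib.sha256)
    return mac.hexdigest()


def ticket_link(order_id):
    """Link as mailed to the buyer (hypothetical host and parameter name)."""
    return f"https://tickets.example/viewer/orders/{order_id}?token={order_token(order_id)}"


def view_order(order_id, token):
    """Behaviour after the fix: the record is returned only with a matching token."""
    if order_id not in ORDERS or not isinstance(token, str):
        return None
    expected = order_token(order_id).encode()
    # Constant-time comparison, so response timing does not reveal the token.
    if not hmac.compare_digest(expected, token.encode()):
        return None
    return ORDERS[order_id]
```

A token in the link is a bearer credential: anyone who obtains the full URL can still open the order, so tying the lookup to the logged-in buyer's session is the stronger check where accounts exist.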


(ju)
