Home > Paid Traffic Sources > Mobile

Santa won't visit you if you do this ... (7)


08-25-2011 07:27 PM #1 ppchound (Member)
Santa won't visit you if you do this ...

So I was cruising around BuzzCity.com, but not in a gay way.

After you spend your silver shilling with them, they give you a link with which to admire your forthcoming advertising genius. This takes the form of a url thus:

Code:
http://ads.buzzcity.com/adtest.php?partnerid=xxxxx
where xxxxx is your latest campaign. Now, this is what we programmers refer to technically as 'totally shit security' or tss. Because (and you're already racing ahead of me aren't you?) if you were to substitute your campaign number with a number earlier than yours you *cough* could 'in theory' spy upon your predecessor's campaign creatives and lander links. Basically outing everyone's stuff, if you were to fire up ubot in a tequila-filled haze of vengeance.

But nobody here would risk Santa's wrath by actually doing this now would they?

Seriously though, I've mentioned this to BuzzCity and they've ignored me. I never liked "I'll show you mine if you'll show me yours" when I was at school (especially with the janitor), and my opinion hasn't really changed much. This technique is a two-way street so ...

Use this totally hypothetical information wisely young Jedi ....

Oh, and you don't even have to be logged onto their system to do this. Now that's quality with a capital 'K'!


08-25-2011 08:53 PM #2 customs (Member)

Shit... Think twice before submitting your data to them. Briefly tested with sqlmap and got this: "target url is UNION injectable with 4 columns"

That means any wannabe idiot can access their database and download YOUR data, including sensitive info.
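The two defects the thread describes (a guessable sequential partnerid with no login or ownership check, and a parameter spliced straight into a SQL string) are shown below against a hardened version, as an added example; this is a constructed sqlite3 model of a campaign-preview handler, not BuzzCity's code, and the table, owners and creatives are invented.

```python
import secrets
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the ad network's campaign table.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE campaigns (id INTEGER PRIMARY KEY, owner TEXT, "
        "token TEXT UNIQUE, creative TEXT, lander TEXT)"
    )
    rows = [
        ("alice", secrets.token_urlsafe(16), "Buy widgets!", "https://alice.example/land"),
        ("bob", secrets.token_urlsafe(16), "Cheap gadgets", "https://bob.example/land"),
    ]
    db.executemany(
        "INSERT INTO campaigns (owner, token, creative, lander) VALUES (?, ?, ?, ?)", rows
    )
    return db


def preview_insecure(db, partnerid):
    # The pattern from the thread: any caller, logged in or not, can read any
    # campaign by counting down the id, and the raw parameter lands in the SQL
    # text, which is the shape sqlmap reports as UNION injectable.
    sql = "SELECT creative, lander FROM campaigns WHERE id = " + str(partnerid)
    return db.execute(sql).fetchone()


def preview_secure(db, session_user, token):
    # Hardened: require a login, address the campaign by an unguessable token
    # instead of a sequential id, bind the parameter, and only reveal the
    # creative to its owner. Returns None for "not found" and "not yours"
    # alike, so the response does not confirm which ids exist.
    if session_user is None:
        return None
    row = db.execute(
        "SELECT owner, creative, lander FROM campaigns WHERE token = ?", (token,)
    ).fetchone()
    if row is None or row[0] != session_user:
        return None
    return row[1], row[2]


def token_for(db, owner):
    # Helper for the owner's own dashboard link; not exposed to other users.
    return db.execute("SELECT token FROM campaigns WHERE owner = ?", (owner,)).fetchone()[0]
```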


08-25-2011 09:44 PM #3 Mr Green (Administrator)

Wow that is horrible form by buzzcity.


08-25-2011 10:28 PM #4 The Angry Russian (Moderator)

If you can game buzzcity then you should do it.

Get in, hit hard, then get out and count your stack.


08-25-2011 10:42 PM #5 abcd (AMC Alumnus)

Originally Posted by customs:

    That means any wannabe idiot can access their database and download YOUR data, including sensitive info.
Indeed, think twice before you store any info (personal, financial). The mentioned vulnerability is very simple; hard to believe that this still happens in 2011! If their development team makes mistakes like this, there are probably more vulnerabilities.


08-26-2011 04:18 AM #6 vidivo (Member)

tried to sniff out a few campaigns but everyone had no active campaigns running... lol bad luck for me


08-26-2011 06:12 AM #7 The Angry Russian (Moderator)

Yeah, I created a script, didn't find anything worth my time.

