Identify a data leak (personal details + partial credit card details) on wrongly implemented (and badly secured) websites using the payzen lib.
- First contact: 2022-12-09
- Status: acknowledged
Identify an activated debug plugin that exposes database credentials when an exception is raised.
- First contact: 2022-12-03
- Status: acknowledged
Identify an unresolved data leak that could allow one person to use another person's reward.
- First contact: 2022-09-05
- Status: reported
Identify an SQL injection vulnerable service and multiple information exposures.
- First contact: TBD
- Status: domain deactivated
Identify an SQL injection vulnerable service.
- First contact: 29th July 2021.
- Status: WIP
Identify an accessible plugin installation page that could allow inserting external content on an institutional website.
- First contact: 28th July 2021.
- Resolved: 28th July 2021.
Identify two leaks of personal data that allow retrieving the user database through simple pagination (completely in the first case, partially in the second case).
- First contact: 21st July 2021 + 25th July 2021
- Resolved: 23rd July 2021 + 26th July 2021
Identify a deprecated (but still used) domain that was not renewed. PoC (traffic + email catch-all) showing that acquiring the domain could create confidentiality, privacy and security issues. The domain is being transferred back to CTM.
- First contact: 20th June 2021.
- Resolved: between 2021-10-04 and 2022-02-19. Following recommendation, CTM installed a security.txt.
Identify the leak of personal data through dorking.
- First contact: 13th December 2020.
- Resolved: ?. No answer from Orange. Problem looks fixed and robots.txt was added as recommended.
Web, SFR Caraibes
Identify the leak of personal data, while being logged in, through a modified query to a web service. Found a SHA-1 password sent on the account page. Confirmed and solved.
- First contact: 4th September 2020.
- Resolved: 9th September 2020.
Identify the leak of personal data, while not logged in, through a modified query to a web service. Confirmed and solved.
- First contact: 25th June 2020.
- Resolved: 26th June 2020.
Web/Internet gateway, SFR
Report 6 vulnerabilities (at least 1 already reported) on the SFR gateway. Reviewed, and asked to test the next beta version.
- First contact: 8th June 2020.
- Status: 2 of the 6 vulnerabilities have been fixed.
Web, espace sud
Report the installation of a variant of the malware crypper on their website. Confirmed and solved.
- First contact: 28th November 2019.
- Resolved: December 2019
App, Carrefour Martinique
Identify that the loyalty-card customer QR code is an ID. The report shows it is possible to generate an ID, use it at the point of sale and 1. use the credit associated with that user to pay for groceries, 2. obtain personal data on that user. Confirmed and solved.
- First contact: 16th September 2019.
- Resolved: 16th December 2019