RE: infosec.exchange/@SecureOwl/11…
This is one of the most insane #infosec things I’ve seen in all my years of byteing bits.
Mike bought internaluser.com and service-account.com and chaos has ensued. The sheer volume of Personal Information he’s been able to harvest, including the ability to reset passwords with no MFA, is astounding.
On the one hand, I’m boggled that nobody has done this before now, and on the other hand, I am gobsmacked at how badly security and data sanitation are managed at some really large and important companies.
I was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails I'd get if I registered it, assuming many orgs' 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar. The answer is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted' :-D
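The failure mode described in the posts above is a "deleted" or "internal" record whose e-mail field was overwritten with a placeholder at a domain the organisation does not own, so the mail (and any password-reset link) is routable to whoever registers it. The following is an added example, not code from any of the posters: it scrubs a record to a placeholder under an RFC 2606 reserved domain (`.invalid` is never delegated in DNS, so mail can never be delivered to a third party), and audits existing records for placeholder-looking addresses that still point at registrable domains. The hint keywords and sample records are constructed for the example.

```python
"""Audit placeholder e-mail addresses left behind by 'delete' logic."""
import re

# RFC 2606 reserved names: these can never be registered by a third party.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Constructed heuristic: local parts / domains that look like placeholders
# rather than a real person's mailbox.
PLACEHOLDER_HINTS = re.compile(
    r"(deleted|removed|anon|internal|service[-_]?account|no-?reply|placeholder|blah)",
    re.IGNORECASE,
)


def is_reserved_domain(domain: str) -> bool:
    """True if mail to this domain cannot reach any third party."""
    d = domain.lower().rstrip(".")
    return d in RESERVED_DOMAINS or d.rsplit(".", 1)[-1] in RESERVED_TLDS


def scrub_email(user_id: int) -> str:
    """Safe replacement on deletion: unique, carries no PII, non-routable."""
    return f"deleted-user-{user_id}@anonymized.invalid"


def find_unsafe_placeholders(emails: list[str]) -> list[str]:
    """Return addresses that look like placeholders but sit at a registrable domain."""
    unsafe = []
    for addr in emails:
        _local, _at, domain = addr.rpartition("@")
        if not domain:
            continue  # not an e-mail address at all; skip
        if PLACEHOLDER_HINTS.search(addr) and not is_reserved_domain(domain):
            unsafe.append(addr)
    return unsafe


# Constructed sample records; the three unowned domains are the ones named in the thread.
SAMPLE_EMAILS = [
    "blahblah@deleteduser.com",            # placeholder at a domain someone else can buy
    "svc@service-account.com",             # ditto
    "ex-employee@internaluser.com",        # ditto
    "deleted-user-42@anonymized.invalid",  # safe: reserved TLD
    "noreply@example.com",                 # safe: reserved domain
    "carol@somecorp.com",                  # a live user, not a placeholder
]

if __name__ == "__main__":
    for addr in find_unsafe_placeholders(SAMPLE_EMAILS):
        print("UNSAFE placeholder:", addr)
```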

craignicol, in reply to MissConstrue:
@gdinwiddie have people forgotten how soft delete works?
And these systems were built before vibe coding, so these are the people expected to find the bugs in generated code?
🤦