Carlsberg brute-forcable wristbands expose customer data
Briefly

"In a report shared with The Register ahead of publication, Munro said that exhibition patrons input their wristband ID into the company's website, and they are then taken to the images snapped of them that day, which can be downloaded. The format of these wristband IDs, which expire after 30 days, allowed for 26 million possible combinations, and Munro knew he could generate these easily using only a laptop."
"Armed with what he called a "broad" vulnerability disclosure policy for the brewer, he got to work seeing how much data he could access. Using Burp Suite, he deduced that the wristband IDs were converted into a hex string, which, when passed into Carlsberg's website, returned the corresponding visitor's images."
""Whilst sticking to the terms of the VDP, I was able to brute force 1 million wristband IDs in around two hours," said Munro. "It would be possible to gain access to all the valid wristband IDs in around 52 hours from one laptop." "From the sample of 1 million, I validated around 500 wristband IDs, so multiplying that by 26 means that there are around 13,000 people who use the interactive elements at the Carlsberg exhibition every 30 days, assuming all the letters are used.""
Visitors to Carlsberg's Copenhagen exhibition retrieve the photos and videos taken of them by entering their wristband ID on the company's website, and the ID is the only credential the site requires. IDs expire after 30 days and use a format with about 26 million possible values. The site converts the ID to a hex string which, when submitted, returns that visitor's images for download. Working within Carlsberg's vulnerability disclosure policy, Munro brute-forced about 1 million IDs in around two hours from a single laptop (roughly 140 requests per second), a rate at which the entire ID space could be covered in about 52 hours. Around 500 of the sampled million were valid; scaled to the full space, that implies roughly 13,000 people use the interactive exhibits every 30 days. The exposed data included visitors' names, images, and videos.
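The example below is added here to model the enumeration described above; it is not code from The Register, Pen Test Partners or Carlsberg. The wristband ID format (one upper-case letter followed by six digits, 26 x 10^6 = 26,000,000 values) is an assumption chosen only because it matches the quoted size and the "all the letters are used" remark; the real format is not published. The ASCII-to-hex conversion, the in-memory photo store and the planted valid IDs are likewise constructed. The block shows a guessable lookup key being enumerated, carries Munro's extrapolation from a one-million-ID sample to the whole space, and contrasts the 24.6-bit ID space with a 128-bit random token.

```python
# Added example (not the page's or any vendor's code): toy model of an
# enumerable wristband-ID lookup, the sample-to-full-space extrapolation,
# and the size of the key space a defender would want instead.
import itertools
import math
import secrets
import string

LETTERS = string.ascii_uppercase
# Assumed ID format: one upper-case letter + six digits -> 26 * 10^6 values.
DIGITS_PER_ID = 6


def id_space_size() -> int:
    """Number of IDs in the assumed format (26,000,000)."""
    return len(LETTERS) * 10 ** DIGITS_PER_ID


def all_ids():
    """Yield every ID in the assumed format in lexicographic order."""
    for letter in LETTERS:
        for n in range(10 ** DIGITS_PER_ID):
            yield f"{letter}{n:0{DIGITS_PER_ID}d}"


def to_lookup_key(wristband_id: str) -> str:
    """The article says IDs are turned into a hex string before lookup;
    plain ASCII-to-hex is assumed here (the real encoding is not given)."""
    return wristband_id.encode("ascii").hex()


# Constructed photo store: the hex of the wristband ID is the only
# 'credential' needed to fetch a visitor's media, as in the article.
VALID_IDS = ["A000017", "A000404", "B123456"]
PHOTO_STORE = {to_lookup_key(i): f"photos-of-{i}.zip" for i in VALID_IDS}


def lookup(store: dict, wristband_id: str):
    """Vulnerable lookup: no authentication, just an enumerable key."""
    return store.get(to_lookup_key(wristband_id))


def brute_force(store: dict, candidates, limit: int):
    """Try up to `limit` candidate IDs in order; return the (id, resource) hits."""
    hits = []
    for wid in itertools.islice(candidates, limit):
        found = lookup(store, wid)
        if found is not None:
            hits.append((wid, found))
    return hits


def extrapolate(space: int, tried: int, hours: float, valid: int) -> dict:
    """Munro's arithmetic: scale a sampled run up to the whole ID space."""
    rate_per_hour = tried / hours
    return {
        "requests_per_second": rate_per_hour / 3600,
        "hours_for_full_space": space / rate_per_hour,
        "estimated_valid_ids": round(valid * space / tried),
    }


def entropy_bits(space: int) -> float:
    """How many bits of guessing work the key space represents."""
    return math.log2(space)


def hours_to_enumerate(space: int, requests_per_second: float) -> float:
    """Wall-clock time to try every key at a given request rate."""
    return space / requests_per_second / 3600


def issue_random_token() -> str:
    """Hardened alternative: a 128-bit random token instead of a structured ID."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # Only the first 1,000 IDs are tried here; the two A-prefixed IDs are hit.
    print(brute_force(PHOTO_STORE, all_ids(), limit=1_000))
    est = extrapolate(id_space_size(), 1_000_000, 2.0, 500)
    print(est)
    print(f"ID space: {entropy_bits(id_space_size()):.1f} bits")
    print(f"128-bit token at the same rate: "
          f"{hours_to_enumerate(2 ** 128, est['requests_per_second']):.2e} hours")
```

The structured ID gives an attacker about 24.6 bits of work, which is why rate limiting alone is a weak fix: even at one request per second the space falls in under a year. A 128-bit random token, issued per visitor and stored server-side, is out of reach at any request rate, and the 30-day expiry can stay as-is.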
Read at Theregister