Massive 50K Australian Student Data Breach

Not sure why this isn't getting the coverage it should, but long story short, I do undergrad research on companies that experience data breaches, and how they respond in the coming months/years.

I came across Get (https://useget.com) after a society advertised their memberships on the platform at my campus. Using the search function on their website, I searched for the society. I mis-typed the society name, and instead got a list of people who had similar names. I was intrigued, and wondered if I could search for a specific person. I typed in a friend’s name, and sure enough, their name appeared alongside a list of societies they followed. It seemed a bit strange that I could find people I didn’t know and discover their interests (especially considering societies sometimes help members with sensitive topics, and members may wish to remain anonymous).

I decided to look into the APIs that the service uses, to find the information being sent back and forth from Get’s servers. An API is simply a set of functions that services use to communicate with servers and display results.

The search function API not only disclosed full names, but associated emails, phone numbers, dates of birth and Facebook IDs, for all the users on their platform.
https://i.redd.it/ve7o18byb3l31.png

More worryingly, the service was available without the use of any tokens, meaning it was available to anyone, whether or not they had signed up to Get, and the data seemed to be for ANY user (even if they never signed up, but someone purchased a ticket for them). This seems to contravene their terms of service. As of writing, the data is easily visible on the Get site (also visible at https://reqbin.com/fbjt0bsy)

There is also copious evidence of a range of SQL injection attempts (https://reqbin.com/xamf5fjb), some of which disclose the schema of the Get database, indicating some of them were successful.

There are a range of other poor practices, such as ID enumeration, event detail disclosure (such as the number of paying attendees, hidden ticket types, and others).

I tried reaching out to them, but haven't gotten any response. It seems a lot of the data is from UNSW (where they started?). Any ideas?
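The two core problems the post describes (a search endpoint that answers anonymous callers with every column of the user record, and SQL built by string concatenation so that injected input can read the schema) are shown side by side below, as an added example for this thread. It is not Get's code and nothing here was taken from their API; the table layout, column names and function names are assumptions, and the rows are constructed sample data. The vulnerable handler and the hardened one are written as plain functions over an in-memory SQLite database so the example runs offline.

```python
import sqlite3

# Sample table and rows are constructed for this example (not real user data).
# The column set is an assumption about what such a service might store.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT, "
        "email TEXT, phone TEXT, dob TEXT, facebook_id TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "Alice Example", "alice@example.edu", "+61400000001", "2000-01-02", "10001"),
            (2, "Alicia Sample", "alicia@example.edu", "+61400000002", "1999-05-06", "10002"),
            (3, "Bob Nobody", "bob@example.edu", "+61400000003", "2001-07-08", "10003"),
        ],
    )
    db.commit()
    return db


def search_vulnerable(db, query):
    """Anti-pattern: no caller check, string-built SQL, SELECT * of every column.

    Any anonymous caller gets e-mail, phone, DOB and Facebook ID for each hit,
    and because the query text is spliced into the statement, a UNION payload
    can read sqlite_master and dump the schema.
    """
    sql = "SELECT * FROM users WHERE full_name LIKE '%" + query + "%'"
    try:
        return {"ok": True, "rows": db.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Echoing the driver's error text to the client is a second leak channel.
        return {"ok": False, "error": str(exc)}


# Assumption: only these columns are meant to be visible in search results.
PUBLIC_COLUMNS = ("id", "full_name")


def search_hardened(db, query, session_user_id=None, limit=20):
    """Require an authenticated caller, bind the parameter, return only public
    columns, cap the result size, and never echo database errors."""
    if session_user_id is None:
        return {"ok": False, "error": "authentication required"}
    if len(query) < 3:
        # Blunts one-letter trawls that would enumerate the whole table.
        return {"ok": False, "error": "query too short"}
    # Escape LIKE metacharacters so the caller controls only literal text;
    # the value is then bound as a parameter, never spliced into the SQL.
    escaped = query.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        "SELECT " + ", ".join(PUBLIC_COLUMNS) + " FROM users "
        "WHERE full_name LIKE ? ESCAPE '\\' LIMIT ?"
    )
    try:
        rows = db.execute(sql, ("%" + escaped + "%", limit)).fetchall()
    except sqlite3.Error:
        # Log server-side in a real service; the client learns nothing about the DB.
        return {"ok": False, "error": "search failed"}
    return {"ok": True, "rows": rows}


# Constructed injection payload: closes the LIKE literal, appends a UNION that
# reads every CREATE statement from sqlite_master, and comments out the tail.
SCHEMA_DUMP_PAYLOAD = "' UNION SELECT 1, name, sql, 1, 1, 1 FROM sqlite_master --"
```

Run `search_vulnerable(make_db(), SCHEMA_DUMP_PAYLOAD)` and the result set contains the `CREATE TABLE users (...)` text alongside the real rows, which is the kind of schema disclosure the post refers to; the same payload against `search_hardened` is just a literal pattern that matches no name. Note that the hardened version still lets an authenticated user look people up by name; whether that should be allowed at all is a product decision, not something parameterised SQL fixes.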

Comments

  • Notice how no one hacks bank, something actually useful to breach

    • +2

      To be honest, this is the next best thing. Mobile numbers and names alone are pretty scary to have, let alone DOB and anything else you could find online. If you have enough data points, you could easily call service providers and hop up the food chain until you basically knew everything about that person, to get access to bank accounts, etc.

      • It would be extremely hilarious if someone hacked my details and just called me up to say hi

        • +5

          Or port your number to a different SIM and get any one-time passwords to your banking login sent to another phone.

    • +1

      The Banks would spend millions a year on cyber security. A massive hack would destroy their reputation.

      • -2

        Your imagination is wrong.

    • +1

      What in God's name makes you think no one hacks banks?

      Oh wait, you think commercial news carries bad stories about their biggest advertisers.

      • -3

        You don't hear about it because it doesn't happen; the only places getting hacked are some old desktop still using the default password.

  • +1

    Wow, pretty serious breach in privacy and security, pretty amateurish mistakes… - although interesting choice to share on ozbargain haha (I guess plenty of students use it)

    • +1

      Haha trust me, every student I've ever met has been on this site. Noodles don't cut it sometimes ;)

  • Thanks for sharing this - it should make all of us think twice before sharing our sensitive information with anyone, especially on the internet.

  • iforgotmysocks: What did your teachers say when you asked them?

  • +1

    Yikes, that's pretty bad. Their data protection officer is going to have a badddd week.

  • +2

    I got a 403 when I tried, maybe it just works for logged-in people.

    Still though, atrocious security.

    • I signed up and still get the error.
      Can't figure it out, even with OP's tip off.

  • This reminds me of when I found an exploit on Facebook. Essentially you had the ability to login to any random Facebook account as long as you could generate the correct ID (Not Profile) in the URL. However, this was 8 years ago and has now been patched.

  • +2

    Back end dev probably put on their resume 5 years' experience but really meant 1 year's experience times 5.

  • +2

    The company used to be called Qnect and had been hacked because of shoddy data practices before.

    https://www.businessinsider.com.au/the-federal-police-were-c…

  • There is a University in Sydney (not the UOS) where you can purchase any current/previous student's transcript, order a copy of their degree / certificate, doctorate… it was reported and no action taken. It blows my mind.
