Hacker News: How I pwned a major New Zealand service provider

Mar 27, 2025

—

Source URL: https://mrbruh.com/majorprovider/
Source: Hacker News
Title: How I pwned a major New Zealand service provider

Feedly Summary: Comments

AI Summary and Description: Yes

Summary: The text shares a detailed account of discovering and responsibly disclosing a significant vulnerability in a New Zealand app, KiwiServices. This narrative emphasizes the importance of security testing, responsible disclosure practices, and the potential consequences of data exposure, providing insight valuable to security and compliance professionals.

Detailed Description:
– The text presents a first-person account of discovering a security vulnerability within the KiwiServices app, which is indicative of poor security practices during its development.
– A detailed methodology was employed for penetration testing, showcasing the process that led to the discovery of sensitive user information potentially accessible due to a lack of input validation.
– The incident highlights several critical aspects related to application security:
– **Testing Environment**: The author used a rooted phone and HTTP Toolkit to examine the app, indicating a practical approach to security testing.
– **Request Manipulation**: The author discovered that user data could be accessed by manipulating HTTP requests, showcasing potential risks associated with API design.
– **Responsible Disclosure**: The author effectively communicated the vulnerability to the company, leading to a fix within a reasonable timeframe, which underscores the importance of responsible disclosure.
– **Timeline of Events**: A clear timeline tracking the discovery, reporting, fixing, and disclosure represents diligent documentation of the incident.

Key Points:
– **Vulnerability Discovery**: Demonstrable access to user data through manipulation of API requests.
– **Responsible Disclosure Process**: Engaging with the company and achieving a resolution within a short period suggests the effectiveness of responsible security practices.
– **Implications for Security**:
– Application developers need to ensure robust input validation to prevent unauthorized data access.
– Organizations should implement and adhere to responsible disclosure policies, as they encourage collaboration between ethical hackers and security teams.

This account serves as a powerful case study for security and compliance professionals in recognizing vulnerabilities, the importance of prompt action, and the benefits of maintaining clear lines of communication in cybersecurity incidents.

a access account Act AGI AI and API app Application application developers application security as by C CI CIA CleaR co Col collaboration communication compliance compliance professionals core critical cyber cybersecurit Cybersecurity cybersecurity incident cybersecurity incidents D data data access data exposure de demo design developer developers development disclosure disclosure policies document documentation e effective effectiveness environment ethical event exp first for g Gen H hack hacker Hacker News hackers high Highlight HR http HTTPS implications in incident information input validation Iron IRS J k Key l Labor land led Li man manipulation N Narrativ news NPU o of on one OPM organization organizations over penetration testing point policies porting potential potential risks Power pre process professionals prompt Q R rack rag RCE red report reporting resolution responsible responsible disclosure responsible disclosure practices responsible security practices Risk risks Ro Root s sec security security and compliance security incident security incidents security practices security teams security testing security vulnerability sequence service services SHA short Sig SoC source SSE SSO study T Teams test Testing text the Time to tool toolkit TP tracking unauthorized data access under US use user user data user information uth V val Validation vents vulnerabilities vulnerability vulnerability discovery Wi x