MisterSuperGod
Well-known Member
i wouldn't say useless. It would give members a little reassurance that he wasn't talking out of his ass. Which i for one believe he is.
A search on Tin Eye would reveal if he just googled the image and stole it.
MESO-Rx
Anabolic Steroids
Brewly - Worldwide Marketplace
- Thread starter Brewly
- Start date
i wouldn't say useless. It would give members a little reassurance that he wasn't talking out of his ass. Which i for one believe he is.
A search on Tin Eye would reveal if he just googled the image and stole it.
Mighty-mouse
Well-known Member
So I’m confused.... did he find a crack in the system and get customer info...... if so was he paid for the bounty..... or what’s going on
Edit
I’m 2 days alcohol free so my brain is not working correctly
Edit
I’m 2 days alcohol free so my brain is not working correctly
MisterSuperGod
Well-known Member
The claim of said crack was made. No official confirmation or proof has been presented that it happened. The same goes for the bounty even existing and being payable.
I would never disparage you guys with a message like that
Screenshot is easily spoofed and I'm not exposing addresses tied to us. It's a minor risk, but still one nonetheless.
MisterSuperGod
Well-known Member
I would never disparage you guys with a message like that
Screenshot is easily spoofed and I'm not exposing addresses tied to us. It's a minor risk, but still one nonetheless.
You can't edit out the sensitive bits?
You ain't got shit. It's okay. Everyone here pretends to be a self-made millionaire. You don't have to pretend. Be you.
Kingsmountain
Member
The only shit he has is the shit he talks.
This guy has probably never actually seen $10k in person much less be able to actually call it his own.
This fucker has lied again and again and again.
What makes you think he will do anything else?
He's too stupid to move along.
I'm only watching this thread to see him and DO dig the deepest hole Meso has ever seen.
Hell, they won't even need anyone to cover them up as they will probably do that themselves as well.
sierrak1lo
New Member
Personally, I've never placed an order and wished that the purchase involved a middle-man. You mean I can spend more to bring additional parties into my illicit dealings? For "convenience".
What a stupid fucking idea.
What a stupid fucking idea.
xgunx
Well-known Member
Well it should be the or one of the first addresses that the sites address has sent btc to. Unless there's a tumbler involved in which case there's gonna be some variables. Either way we can get a really good idea or the real idea.I would never disparage you guys with a message like that
Screenshot is easily spoofed and I'm not exposing addresses tied to us. It's a minor risk, but still one nonetheless.
Guys, I hope you realize this site cost many multiples of 10k to develop. I understand that it may be hard to believe for those not familiar with web development, though.
Here's a screenshot I spoofed in about 2 minutes. Anyone can do this
I could also just find an address with some money in it, send the link, and lie. But I'm not going to do that, even though there's no way you'd know I'm lying.
I rather be honest. Again, I am not going to post any addresses that can be linked back to us, and I'm not going to mix my coins around just to flex. It's silly.
That's precisely why I would never.
xgunx
Well-known Member
I agree anyone can forge a screenshot or find an addy with a nice balance.
I think you are exaggerating the price or paid way too much. But thats neither here nor there
Mighty-mouse
Well-known Member
Ahhemmmm I’m rich as fuck just look at all this bank[emoji23]
I mean it’s only like 74 bucks ..... but I got flaming hots bitches and just signed a gym membership for 15 months for 1750
Thread derailed this the underground not website building 101
Ok
Edit
1725 sar gym membership
Like 450 bucks
Hell yeah motherfucker!
"spend more"
Nope.
"What a stupid fucking idea."
See: DNMs
Why can't the AAS world have its own dedicated marketplace too? We already have tons of source sites and forums on the clearnet. Why not a whole ass marketplace?
Though, it seems like Brewly is not for you. And that's okay! Thank you for sharing your opinion and giving us a moment of your time.
combover
Well-known Member
can you hack the gibson thats all I wanna know?
Is this an ex boyfriend?
xgunx
Well-known Member
It can. But I'm not gonna tell you how to do it.
combover
Well-known Member
DirectBullet
New Member
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, December 10, 2020 5:42 AM, Juan <tracklifestats@protonmail.com> wrote:
Any updates?
Solving the issue is enough due diligence. If I'm not being paid, then I must write on the forums that Brewly and DragonOrdnance are not trustful entities and they don't keep their word. I won't notify any other vulnerability either.
Changing the tone, but I don't enjoy being laughed at.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:30 PM, Juan <tracklifestats@protonmail.com> wrote:
Thanks.
I'm sure I can be a valuable member of your team, not only as a security guy but in other areas as well.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:18 PM, Brewly.io <brewlyio@protonmail.com> wrote:
I understand, I am not talking about the bounty at this moment, though. We have to do our due diligence and verify your claims first. Regardless of that, we do want someone to come on, as I mentioned. Considering your history in this field, we think you're the right guy.
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:01 PM, Juan <tracklifestats@protonmail.com> wrote:
Those weren't your terms but I'm willing to compromise on 2500$ now and 7500$ over the months as a member of the team. That is as a sign of good gesture and for future business. I'm willing to compromise, but not for more promises.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:47 PM, Brewly.io <brewlyio@protonmail.com> wrote:
Email is fine with me! Like I said, I would like you to come on in an official, compensated capacity. I'll have to have our team look into the issue you outlined to determine your eligibility for the bounty.
That being said, we want someone in an official capacity. Perhaps a salary of 10k paid over the months? Direct from site profits of course. Remember, we only take 5% and to date have processed about 10k in revenue.
We are very serious about developing the ultimate platform, but we need to expand our team to do that. I think you're the right fit. Do you understand?
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:40 PM, Juan <tracklifestats@protonmail.com> wrote:
I can make a Wickr but email is fine too.
Does that mean that I should not expect the 10k? I understand the site is new, but those were your terms. I'm sure we can figure something out, but I would like some reassurance that I'm not going to work for free. I'm sure you understand.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:33 PM, Brewly.io <brewlyio@protonmail.com> wrote:
I understand. Is this your preferred method of contact or would you prefer wickr/something else?
We've love to have a dedicated vulnerability tester on board. As you can imagine, we launched less than a month ago, so site profits are still very tiny. That being said, I'm sure we can work something out so you can come on-board, in an official manner, and help us moving forward.
Thanks, again
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:56 AM, Juan <tracklifestats@protonmail.com> wrote:
Yes, work as a software developer and have been doing bug bounties for almost a decade now. Read the bounty on MESO and had to give it a try.
My guess is that the data is encrypted in the server but if there is a problem with the access control like this time, then it gets decrypted even if it should not as it is the wrong user. It can be solved by sending the encrypted data to the client, and encrypting-decrypting it client side. Then even if another client gets to the data, it's encrypted. Client-side encryption solves the problem, the only exception would be if they have access to the server and can change the script and code but those are the limits of client-side encryption. The impossible to hack is to PGP, that's is 100% secure but users are lazy.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:43 AM, Brewly.io <brewlyio@protonmail.com> wrote:
We'll be looking into it! Do you offer vulnerability testing services? We'd love to have you on board.
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:17 AM, Juan <tracklifestats@protonmail.com> wrote:
I don't plan on telling anything in the forums, don't care about that hahahaha You guys just made my family's Christmas.))))
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:16 AM, Juan <tracklifestats@protonmail.com> wrote:
Hey bros,
I found a vulnerability that allows me to see other customers orders and addresses.
Access directly to them from any user:
https://brewly.io/dashboard/orders/758278
Then simply ran a script trying numbers and the orders from your customers, this being one of the examples:
https://brewly.io/dashboard/orders/95856
You can register an user and access directly to any order even if it is not yours. To find those orders you just need to try enough numbers. Right now you have few users and orders. The attack would be as easy as trying numbers in the range all the time, and capturing all the addresses as soon as the orders are made. Order numbers can probably be obtained too from reviews or any other api.
I hope you guys keep your word and send the 10.000$ I can try to find more vulnerabilities in this site or in others.
My Bitcoin Address
bc1q28yv3l7cunlv78pd8kjw26k4nqywhkcap6y8wr
Terms are as follows:
Present to us exposed customer shipping information. Tell us how you managed to do it. You will be compensated 10,000 USD in Bitcoin. After we fix the issue (for everyone's safety), you have our blessing to tell the community and post the technical details of the exploit.
Good luck.
Here's why no one's ever getting that reward:
- Shipping info is encrypted with AES-256
- Shipping info is auto-deleted after order is marked "Shipped" by all Vendor(s)
- Shipping info can be manually deleted by customers at ANYTIME.
Best regards
On Thursday, December 10, 2020 5:42 AM, Juan <tracklifestats@protonmail.com> wrote:
Any updates?
Solving the issue is enough due diligence. If I'm not being paid, then I must write on the forums that Brewly and DragonOrdnance are not trustful entities and they don't keep their word. I won't notify any other vulnerability either.
Changing the tone, but I don't enjoy being laughed at.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:30 PM, Juan <tracklifestats@protonmail.com> wrote:
Thanks.
I'm sure I can be a valuable member of your team, not only as a security guy but in other areas as well.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:18 PM, Brewly.io <brewlyio@protonmail.com> wrote:
I understand, I am not talking about the bounty at this moment, though. We have to do our due diligence and verify your claims first. Regardless of that, we do want someone to come on, as I mentioned. Considering your history in this field, we think you're the right guy.
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:01 PM, Juan <tracklifestats@protonmail.com> wrote:
Those weren't your terms but I'm willing to compromise on 2500$ now and 7500$ over the months as a member of the team. That is as a sign of good gesture and for future business. I'm willing to compromise, but not for more promises.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:47 PM, Brewly.io <brewlyio@protonmail.com> wrote:
Email is fine with me! Like I said, I would like you to come on in an official, compensated capacity. I'll have to have our team look into the issue you outlined to determine your eligibility for the bounty.
That being said, we want someone in an official capacity. Perhaps a salary of 10k paid over the months? Direct from site profits of course. Remember, we only take 5% and to date have processed about 10k in revenue.
We are very serious about developing the ultimate platform, but we need to expand our team to do that. I think you're the right fit. Do you understand?
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:40 PM, Juan <tracklifestats@protonmail.com> wrote:
I can make a Wickr but email is fine too.
Does that mean that I should not expect the 10k? I understand the site is new, but those were your terms. I'm sure we can figure something out, but I would like some reassurance that I'm not going to work for free. I'm sure you understand.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:33 PM, Brewly.io <brewlyio@protonmail.com> wrote:
I understand. Is this your preferred method of contact or would you prefer wickr/something else?
We've love to have a dedicated vulnerability tester on board. As you can imagine, we launched less than a month ago, so site profits are still very tiny. That being said, I'm sure we can work something out so you can come on-board, in an official manner, and help us moving forward.
Thanks, again
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:56 AM, Juan <tracklifestats@protonmail.com> wrote:
Yes, work as a software developer and have been doing bug bounties for almost a decade now. Read the bounty on MESO and had to give it a try.
My guess is that the data is encrypted in the server but if there is a problem with the access control like this time, then it gets decrypted even if it should not as it is the wrong user. It can be solved by sending the encrypted data to the client, and encrypting-decrypting it client side. Then even if another client gets to the data, it's encrypted. Client-side encryption solves the problem, the only exception would be if they have access to the server and can change the script and code but those are the limits of client-side encryption. The impossible to hack is to PGP, that's is 100% secure but users are lazy.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:43 AM, Brewly.io <brewlyio@protonmail.com> wrote:
We'll be looking into it! Do you offer vulnerability testing services? We'd love to have you on board.
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:17 AM, Juan <tracklifestats@protonmail.com> wrote:
I don't plan on telling anything in the forums, don't care about that hahahaha You guys just made my family's Christmas.
))))‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:16 AM, Juan <tracklifestats@protonmail.com> wrote:
Hey bros,
I found a vulnerability that allows me to see other customers orders and addresses.
Access directly to them from any user:
https://brewly.io/dashboard/orders/758278
Then simply ran a script trying numbers and the orders from your customers, this being one of the examples:
https://brewly.io/dashboard/orders/95856
You can register an user and access directly to any order even if it is not yours. To find those orders you just need to try enough numbers. Right now you have few users and orders. The attack would be as easy as trying numbers in the range all the time, and capturing all the addresses as soon as the orders are made. Order numbers can probably be obtained too from reviews or any other api.
I hope you guys keep your word and send the 10.000$ I can try to find more vulnerabilities in this site or in others.
My Bitcoin Address
bc1q28yv3l7cunlv78pd8kjw26k4nqywhkcap6y8wr
Terms are as follows:
Present to us exposed customer shipping information. Tell us how you managed to do it. You will be compensated 10,000 USD in Bitcoin. After we fix the issue (for everyone's safety), you have our blessing to tell the community and post the technical details of the exploit.
Good luck.
Here's why no one's ever getting that reward:
- Shipping info is encrypted with AES-256
- Shipping info is auto-deleted after order is marked "Shipped" by all Vendor(s)
- Shipping info can be manually deleted by customers at ANYTIME.
Best regards
