‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, December 10, 2020 5:42 AM, Juan <tracklifestats@protonmail.com> wrote:
Any updates?
Solving the issue is enough due diligence. If I'm not being paid, then I must write on the forums that Brewly and DragonOrdnance are not trustworthy entities and they don't keep their word. I won't notify you of any other vulnerability either.
Changing the tone, but I don't enjoy being laughed at.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:30 PM, Juan <tracklifestats@protonmail.com> wrote:
Thanks.
I'm sure I can be a valuable member of your team, not only as a security guy but in other areas as well.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:18 PM, Brewly.io <brewlyio@protonmail.com> wrote:
I understand, I am not talking about the bounty at this moment, though. We have to do our due diligence and verify your claims first. Regardless of that, we do want someone to come on, as I mentioned. Considering your history in this field, we think you're the right guy.
The future of AAS online: https://brewly.io/ (Brewly)
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 1:01 PM, Juan <tracklifestats@protonmail.com> wrote:
Those weren't your terms, but I'm willing to compromise on $2,500 now and $7,500 over the months as a member of the team. That is as a sign of good gesture and for future business. I'm willing to compromise, but not for more promises.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:47 PM, Brewly.io <brewlyio@protonmail.com> wrote:
Email is fine with me! Like I said, I would like you to come on in an official, compensated capacity. I'll have to have our team look into the issue you outlined to determine your eligibility for the bounty.
That being said, we want someone in an official capacity. Perhaps a salary of 10k paid over the months? Direct from site profits of course. Remember, we only take 5% and to date have processed about 10k in revenue.
We are very serious about developing the ultimate platform, but we need to expand our team to do that. I think you're the right fit. Do you understand?
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:40 PM, Juan <tracklifestats@protonmail.com> wrote:
I can make a Wickr but email is fine too.
Does that mean that I should not expect the 10k? I understand the site is new, but those were your terms. I'm sure we can figure something out, but I would like some reassurance that I'm not going to work for free. I'm sure you understand.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 12:33 PM, Brewly.io <brewlyio@protonmail.com> wrote:
I understand. Is this your preferred method of contact, or would you prefer Wickr/something else?
We'd love to have a dedicated vulnerability tester on board. As you can imagine, we launched less than a month ago, so site profits are still very tiny. That being said, I'm sure we can work something out so you can come on board, in an official manner, and help us move forward.
Thanks, again
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:56 AM, Juan <tracklifestats@protonmail.com> wrote:
Yes, I work as a software developer and have been doing bug bounties for almost a decade now. I read the bounty on MESO and had to give it a try.
My guess is that the data is encrypted on the server, but if there is a problem with the access control like this time, then it gets decrypted even if it should not be, as it is the wrong user. It can be solved by sending the encrypted data to the client and encrypting and decrypting it client-side. Then even if another client gets to the data, it's encrypted. Client-side encryption solves the problem; the only exception would be if they have access to the server and can change the script and code, but those are the limits of client-side encryption. The impossible-to-hack option is PGP; that is 100% secure, but users are lazy.
Best regards
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:43 AM, Brewly.io <brewlyio@protonmail.com> wrote:
We'll be looking into it! Do you offer vulnerability testing services? We'd love to have you on board.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:17 AM, Juan <tracklifestats@protonmail.com> wrote:
I don't plan on saying anything in the forums, I don't care about that hahahaha. You guys just made my family's Christmas.
))))
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 7, 2020 11:16 AM, Juan <tracklifestats@protonmail.com> wrote:
Hey bros,
I found a vulnerability that allows me to see other customers' orders and addresses.
Accessed directly from any user:
https://brewly.io/dashboard/orders/758278
Then I simply ran a script trying numbers and got the orders from your customers, this being one of the examples:
https://brewly.io/dashboard/orders/95856
You can register a user and directly access any order even if it is not yours. To find those orders you just need to try enough numbers. Right now you have few users and orders. The attack would be as easy as trying numbers in the range all the time and capturing all the addresses as soon as the orders are made. Order numbers can probably be obtained from reviews or any other API too.
I hope you guys keep your word and send the $10,000. I can try to find more vulnerabilities in this site or in others.
My Bitcoin Address
bc1q28yv3l7cunlv78pd8kjw26k4nqywhkcap6y8wr
Terms are as follows:
Present to us exposed customer shipping information. Tell us how you managed to do it. You will be compensated 10,000 USD in Bitcoin. After we fix the issue (for everyone's safety), you have our blessing to tell the community and post the technical details of the exploit.
Good luck.
Here's why no one's ever getting that reward:
- Shipping info is encrypted with AES-256
- Shipping info is auto-deleted after order is marked "Shipped" by all Vendor(s)
- Shipping info can be manually deleted by customers at ANY TIME.
Best regards
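The flaw reported in the message above is an insecure direct object reference: the order page looks an order up by its number but never checks that the order belongs to the logged-in user, and because the numbers are sequential they can be enumerated. The example below is added here and is not Brewly's code (their stack is not described anywhere in the thread); it uses a constructed in-memory order store and a constructed access log to show the vulnerable lookup beside a hardened one, why encryption at rest does not help against this class of bug, and a simple detection rule for the enumeration pattern. All names (`Order`, `ORDERS`, `get_order_hardened`, `flag_enumeration`, the sample users) are assumptions made for the example.

```python
"""Added example, not code from the original thread or from Brewly.

Shows an IDOR on an order-lookup endpoint (any signed-in user can read any
order by number), the hardened form (ownership check, unguessable IDs), and a
log-based heuristic for the "try numbers in the range" behaviour the report
describes. Users, orders and the log below are constructed sample data.
"""
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    owner: str       # username that placed the order
    shipping: str    # what the server would hand back decrypted


class Forbidden(Exception):
    """Raised when the requester may not see the object."""


# Constructed sample data: sequential numeric IDs, as in the report.
ORDERS = {
    "758278": Order("758278", "alice", "1 Example Street (constructed)"),
    "95856": Order("95856", "bob", "2 Sample Avenue (constructed)"),
}


def get_order_vulnerable(user, order_id):
    """Vulnerable: authentication only. The row is decrypted and returned to
    whoever asks, so AES-256 at rest does nothing for this request path."""
    return ORDERS[order_id]


def get_order_hardened(user, order_id):
    """Hardened: look the row up, then enforce ownership. 'Missing' and
    'not yours' return the same error so the endpoint does not confirm
    which order numbers exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        raise Forbidden("order not found")
    return order


def can_access(user, order_id):
    """Boolean wrapper around the hardened lookup (handy for tests/policy)."""
    try:
        get_order_hardened(user, order_id)
        return True
    except Forbidden:
        return False


def new_order_id():
    """Unguessable identifier (128 bits from the OS CSPRNG). This only makes
    enumeration impractical; the ownership check above is the real control."""
    return secrets.token_urlsafe(16)


def flag_enumeration(log, threshold=20):
    """Detection over (user, order_id, status) tuples from an access log.
    One user accumulating many distinct denied order IDs is the signature of
    a script walking the ID range. Returns the offending usernames."""
    denied = defaultdict(set)
    for user, order_id, status in log:
        if status in (403, 404):
            denied[user].add(order_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


# Constructed log: "carol" probes 25 consecutive IDs and is denied, while
# "alice" has one typo and one legitimate hit.
SAMPLE_LOG = (
    [("carol", str(n), 403) for n in range(95800, 95825)]
    + [("alice", "758279", 404), ("alice", "758278", 200)]
)


if __name__ == "__main__":
    print("vulnerable:", get_order_vulnerable("carol", "95856").shipping)
    print("hardened, owner:", get_order_hardened("bob", "95856").shipping)
    print("hardened, other user allowed?", can_access("carol", "95856"))
    print("new id:", new_order_id())
    print("flagged:", flag_enumeration(SAMPLE_LOG))
```

The two lookups differ by a single comparison, which is the whole point: the ownership check has to sit on the request path, after authentication, for every object type the dashboard exposes. Random IDs and the rate/denial heuristic are defence in depth around that check, not substitutes for it.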