[Owasp-leaders] opinion regarding issue found in major email provider

Giorgio Fedon giorgio.fedon at owasp.org
Thu Aug 27 14:15:48 UTC 2015


Hi Johanna,

of course it's a vulnerability.

What comes to my mind is that it depends on whether they consider credit card
processing in scope or not. Let me explain better: many times credit cards are
handled by external companies that also have to validate the credit card
before processing a transaction. In that case the external company could even
be charged for the issue.

On the other hand, bug bounties have guidelines and only specific issues
are rewarded. Unfortunately that is part of the game, and I personally do not
like bug bounties much.

Nodef



On 27/08/2015 15:47, johanna curiel curiel wrote:
> Hi all
>
> I would like to have your opinion on an issue I found during a bug hunting
> activity.
>
> A major email provider has their own store for selling branded t-shirts,
> pens, etc.
>
> I attempted to buy using a test credit card number. I was able to get a
> confirmation and final transaction with a value of USD2000.
>
> When I reported the issue, they mentioned to me that they did not consider this
> a vulnerability. I have always understood that a deployment to production
> should not contain test data that attackers could use to bypass the system.
>
> What kind of vulnerability can this be considered, if we can consider it a
> vulnerability at all?
>
> regards
>
> Johanna
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
| Giorgio Fedon, Owasp Italy
|
| In Input Validation 
|            and Output Sanitization, 
|                                   We Trust
--
| Web: https://www.owasp.org/index.php/Italy
|_____________________________________________.
