[Owasp-leaders] opinion regarding issue found in major email provider

Yolanda Baker yolybaker at gmail.com
Thu Aug 27 14:41:29 UTC 2015


Hi Joanna,

I agree with John, Owen, and Giorgio about the scope or criticality of the
bug.

That said, if the shipment materialized, then it would be a different
story. Happy shopping!

Regards,
YolandaBakerUS

On Thursday, August 27, 2015, Owen Pendlebury <owen.pendlebury at owasp.org>
wrote:

> Hi Joanna,
>
> Yeah it is generally considered best practice to remove test data before
> deploying to production.
>
> I've seen this a few times and have been told that there are business
> processes in the back-end that will stop it from going through. A bit silly
> if you ask me, remove test data or spend a long time verifying card
> numbers.
>
> Owen Pendlebury
> OWASP Ireland-Dublin Chapter Lead
> https://www.owasp.org/index.php/Ireland-Dublin
>
> On 27 August 2015 at 14:47, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>
>> Hi all
>>
>> I would like to have your opinion on an issue I found during a bug
>> hunting activity.
>>
>> A major email provider has their own store for selling branded
>> t-shirts, pens, etc.
>>
>> I attempted to buy using a test credit card number. I was able to get a
>> confirmation and final transaction with a value of USD2000.
>>
>> When I reported the issue, they mentioned to me that they did not consider
>> this a vulnerability. I have always understood that a deployment to
>> production should not contain test data that attackers could use to bypass
>> the system.
>>
>> What kind of vulnerability can this be considered, if we can consider it a
>> vulnerability?
>>
>> regards
>>
>> Johanna
>>
>

-- 
Sent from Gmail Mobile
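The thread's point is that a test card number passes every format check a checkout performs, so only an explicit environment gate keeps it out of production. The following is an added illustration, not code from the list or from any provider discussed; the sandbox PANs, the environment names and the decision codes are assumptions.

```python
# Added example: a pre-authorization check that refuses known sandbox
# card numbers unless the service is running in a non-production
# environment. The decision code is returned so it can be logged and
# alerted on (a sandbox PAN showing up in production is worth a signal).

# Assumed sandbox PANs. Real gateways publish their own lists; the first
# value is the widely used Visa sandbox placeholder.
SANDBOX_PANS = {"4111111111111111", "5555555555554444"}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum; note that sandbox PANs pass this too."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pre_authorize(pan: str, amount_usd: float, environment: str) -> tuple[bool, str]:
    """Return (forward_to_gateway, decision_code) for a checkout attempt.

    environment is assumed to be one of "production", "staging", "sandbox".
    """
    pan = pan.replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        return False, "invalid_pan"
    if pan in SANDBOX_PANS:
        if environment == "production":
            # Format-valid but must never reach a live order pipeline.
            return False, "sandbox_pan_rejected"
        return True, "sandbox_pan_allowed"
    if amount_usd <= 0:
        return False, "invalid_amount"
    # Placeholder: a real implementation would now call the gateway.
    return True, "forward_to_gateway"
```

The Luhn function alone cannot tell a sandbox PAN from a live one, which is why the gate on `environment` is the part that actually matters.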