[Owasp-leaders] opinion regarding issue found in major email provider

Yolanda Baker yolybaker at gmail.com
Thu Aug 27 14:41:29 UTC 2015

Hi Joanna,

I agree with John, Owen, and Giorgio about the scope or criticality of the

That said, if the shipment materialized, then it would be a different
story. Happy shopping!


On Thursday, August 27, 2015, Owen Pendlebury <owen.pendlebury at owasp.org>

> Hi Joanna,
> Yeah it is generally considered best practice to remove test data before
> deploying to production.
> I've seen this a few times and have been told that there are business
> processes in the back-end that will stop it from going through. A bit silly
> if you ask me, remove test data or spend a long time verifying card
> numbers.
> Owen Pendlebury
> OWASP Ireland-Dublin Chapter Lead
> https://www.owasp.org/index.php/Ireland-Dublin
> On 27 August 2015 at 14:47, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> Hi all
>> I would like to have your opinion on an issue I found during a bug
>> hunting activity
>> A major email provider has their own store for selling branded
>> t-shirts, pens, etc.
>> I attempted to buy using a test credit card number. I was able to get a
>> confirmation and final transaction with a value of USD2000.
>> When I reported the issue, they mentioned to me they did not consider
>> this as a vulnerability. I have always understood that deploying to
>> production should not contain test data that attackers could use to bypass
>> the system.
>> What kind of vulnerability can this be considered if we can consider it a
>> vulnerability?
>> regards
>> Johanna
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Sent from Gmail Mobile