Website that lets you send poop through the post gets hacked

By Scott Marlette Last updated Aug 17, 2022

A known threat actor has hacked his way into notorious revenge website ShitExpress and leaked the company’s secure data, including customer email addresses and the messages they sent through the platform.

ShitExpress is an online service that allows people to send actual faeces, through the post, to whomever they desire. It’s designed to be a prank site, where people can purchase a piece of animal faeces and have it delivered to someone’s door, in a box, together with a personalized message.

You can imagine the type of messages someone would send together with a piece of animal dung to their cheating former partners, horrible ex boss, or noisy neighbor – hence why this leak might be troubling to many customers.

SQL Injection flaw

As reported by BleepingComputer, a user going by the name “pompompurin” visited the site in order to send a box to his long-time arch-nemesis, cybersecurity researcher, Vinny Troia. The two go way back, pranking and harassing each other for quite some time, the publication reported.

Upon opening the site, he realized that it was vulnerable to SQL Injection, and soon Mr pompompurin was soon sifting through email addresses, customer messages, and other private data (opens in new tab) associated with the orders.

A day after successfully compromising the site, he leaked the database on a hacking forum. Speaking to the publication about it, pompompurin said the database was surprisingly small: “It’s honestly not that big… There’s about 29,000 orders in the data,” he said.

He also said that he didn’t do it for ransom or anything similar. “I gained access a day before I leaked it, and I notified the website owner after dumping the data. [I’m] not sure if they’ve acknowledged or anything as of yet,” he confirmed.

In response to the incident, ShitExpress acknowledged the breach, and took responsibility, saying: “It’s purely our fault — a human error that could happen to anyone. It was found by one of our customers. We fixed the error immediately.”

As this is a prank site, that gathers almost no customer data at all, there was nothing particular to leak from the compromised endpoints (opens in new tab). Payment data was left with the payment provider, meaning pompompurin never got it.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.