What if the user input causes an exception?

@@AshtonSnapp See Rule #1.

@@AshtonSnapp I laughed way to hard at this ...

Tob ias I’m glad to know that :D you have an awesome day

Or at least treat all user input as possibly malicious.

sxa555 Moonpigging Mün-pig-ing When a Company lies about internet security by making false claims of security that stated company does not have.

Tom Lake Charles Moonpigging /muːn/pɪɡ/ɪŋ/ verb *VULGAR SLANG • ENGLISH* 1. When a company makes a very specific denial of a security bug “I was moonpigged” _synonyms:_ disgrace, dishonour, disrespect

I hereby take the liberty of claiming this term as a valid choice of expression for the aforementioned reason.

@Kanashimi You can do that with Google Home

When someone claims to care about your data it means they want to sell it and couldn't care less about it.

@@ejewart1450 the patients don't last long

I wonder how it works

Rip

I did. And i forgot about it. And now there is a bitcoin wallet somewhere on the internet with $800 000 that i can't access. RIP me.

@@lukasvavrich3349 rip you

Ik ur cousin

5 years no update

Does anyone care, doesnt have to be impartial or balanced

I don't think Moonpig responded at all. I can't find any article after Moonpig's initial public response.

September 9th, 2020. Pandemmial here. Tom still doesn't get a reply.

@@IvanLDiaz Someone seeing the word pandemmial 50-100yrs onward would sound like some trend name or something.

***** No such thing as bad publicity, however I doubt tom would have sold out that hard if at all.

By law, he has to state it

you need to send that grammar to moonpig

+kobie melverton we all know that now don't we

Fraktallity - Cheeky Videos ( ͡° ͜ʖ ͡°) He wouldn’t because it is illegal to not disclose that you’re sponsored.

The 3 halves you just mentioned caused a buffer overflow in the terribly written site. Congratulations, you now have root access to everything. :DDDDDDDDDDDDDDDD

theLuigiFan0007 Not upvoting your comment because you will then have two different buffer overflows.

mena3976 😂👏

It's half moon and half pigbug. Better call Al Gore

Lulz. This week the same topic was revisited in South Park.

Nope just a weaboo

Nah, definitely a computer nerd. I cringed too, and I am the most anti-anime person alive.

There is nothing wrong with consecutive IDs. If you think consecutive ids are a problem, it is actually a symptom of a much larger authentication/authorization issue

Same XD

Consecutive ID's aren't the problem, as long as they are only used on the backend and no one ever sees them.

Some of us are Old School Programmers. Way back in the day the only kind of real hacking that needed to be worried about was some student coding something that would walk a printer across the room until it pulled the plug from the wall shutting it down until you could get engineers into the facility and haul it back into place and reset the equipment with the system. Security was maintained with locks on the doors and ID checks on personnel allowed into the locations with terminals.

@@ktcd1172 okay boomer

@@Toothily Nice to see someone using the word boomer correctly. I'm from the generation after the boomers and what he's talking about would've been when I was a kid in the 80s.

@@WildBluntHickok o k b ö m e r

Or you could just start using a high level web framework, since the people designing those usually know what they are doing way better than you do

not funny

@@chewtag damn... and i assume you didnt laugh? 😞

@@beenis08 was funny, did laugh

+Joshua Pearce I wonder which is harder, making sure they do it the way you want or just doing it yourself.

Robert Lozyniak It depends if doing it yourself means reading their code.

TL;DR: Don't hire Indian programmers.

@@jacobtracey555 Nothing wrong with them, but I once had an Indian friend tell me that the best programmers there end up getting hired by large companies, leaving mostly newbies and low-skilled programmers left on upwork, freelancer, etc.

@@jacobtracey555 and why Indians specifically?

+Eric Taylor Government showing more responsibility for security than a large corporation. I don't know if I should be surprised or something else.

***** This wasn't "government" This was a single individual who's ass would have been on the line had someone managed to get a weapon in. Also this was several years ago. Who knows if the same thing wouldn't happen again.

Eric Taylor Well, okay, someone working for government. Which yes, I'm definitely surprised, given that the level of incompetence demonstrated by government in IT can be staggering. (I've received passwords, which can't even be changed, from government websites, via email in plaintext. Cringe.)

***** I sent my sister a password in code at least.

@@erictaylor5462 You're thinking too zoned in, it is the government, you can never rely on security to police itself, complacency especially in repetition is human nature, the onus is on the government to monitor quality and ensure safeguards are in place to keep a constant standard of security.

Because you are under attack, this is the internet we are speaking of.

💗

kujmous Acc No 1 is probably the admin.

cheers sherlock

What about number 0? The boss?

no number 0 is the time traveller

Try -42

Nice username

date of birth: 1901-1-1"; DROP TABLE Customers;

Also rather reckless. :(

Henry W: British? Denial seems a rather large factor of the human condition. I believe anyone, anywhere could say this.

Mr Shekel: Why fuel the fire of discontent? Stop blaming all of a given nationality... for the acts of but a tiny few.

More like " a very *human* attitude"

I thought it was Indian attitude.

Ok, that was a good'un, but I think you're deliberately missing the point. Wrong type of pentesting mate.

@@mastertrams cant tell if thats a r/woooosh or not

@@scepto43 r/wooosh

@Michael Darrow r/noheacknowledgeditasajokebutwantedtomakesurehewasntjoking

@@addisonchan3053 r/ihavereddit

You're innocent, but btw could you like stay in this tiny room for months until we can prove youre actually guilty. Notice i didnt include a '?' Because i'm not asking, im forcing.

@@electricspider2267 you forgot "unless you, or someone you know, is able/willing to pay several months worth of your salary all at once, because that's a completely reasonable request of someone who more than likely lives paycheck to paycheck. aren't you glad we have such a flawless and perfectly morale system"

+Eric Taylor That is true but it's also irrelevant. There is no excuse for large companies not following the current best practices for information security (in the UK it's a legal requirement). What Moonpig did is analogous to a bank leaving all of your money on the sidewalk with a sticky-note saying "please don't steal this." And then they tried to insist they weren't doing anything wrong.

GenericRubbishName I never said they shouldn't attempt to secure information. It's just that locks are for keeping honest people honest. You should always be trying to improve security. Donitz only SUSPECTED Enigma had been broken so added another wheel too it even though all the experts told him it was impossible to break Enigma. Even though this step improved the Navy's performance (at least for a while) the Germans STILL didn't realize the English had broken the Enigma code. The English were reading the dispatches before the German commanders were.

Honestly, theoretically enigma seemed unbreakable but it had a major flaw. You should check out the new version of enigma which is several magnitudes better and most likely won't be able to be cracked in humanity's time.

PacManAction That doesn't even make sense. "Theoretically seemed"? It was, to the people who designed it "theoretically unbreakable" and thus seemed unbreakable, but the theory was wrong. And you're right, the Enigma concept is still used today but with the flaw, a letter can never be "substituted" with itself, but the entire process is done in computers instead of clockwork machines. The great advantage of this is the number of "wheels" you can have is unlimited. And with each added wheel the number of possible outcomes is increased by a multiple of 26. Enigma was an amazing cipher machine, but like the builders of Titanic, they were over confident in their design.

Yes, theory can be proven wrong. It's been done many times, something that works in theory doesn't always work practically. And I'd advise look up the TypeX machine.

... Why wouldn't you code logically? It's not going to get safer just because no one can read the code.

@@vincentmuyo The code should be a logical implementation of the design, but that design should be as unstructured as possible. Moonpig should have used random customer IDs, instead of taking the "logical" approach of making them consecutive, so that nobody could use their IDs to determine someone else's. They also should have generated a _different_ random ID for each token, so that a user whose token ID was compromised could get a new one by deleting the old token and signing in with their username and password.

I think that's a poorly articulated way to say, don't get cocky or rest on your laurels, but instead be curious and devious in testing your own code.

@@Toothily how does one rest on a yanny

@@beesree39 ...Well played.

Also as I found out, the school paid a ludicrous amount monthly to this platform.

Third party frameworks and libraries allowing virtually unhackable cookies were available in 2008. The developer had no excuse. Your school was ripped off.

@@warmachineuk Yup

god the way your teacher brushed you off pisses me off.

Yeah, it's a huge gamble to think like that. It only takes one malicious person to discover something like this, and it's only a matter of time.

Funky, fun and free delivery. Woohoo

We'll even throw some other customers credit card details in! WOOOHOOOO

pigeon*

f u n k y p i g e o n . c o m

@@adflyofficial i read this like in the advert 🤦‍♀️😂

The key difference, as I understand it, was that Weev proceeded to crawl AT&T's customer database, download a massive chunk of it and then hand it to journalists, thus compromising thousands of customers' private information for the sake of irresponsible disclosure. Paul Price created a few new accounts with his own details (or perhaps fake details) to which he held the authentication details, then proceeded to use the customer IDs for those. At no point (at least based on what I'm aware that he's said publicly!) did he obtain any information to which he was not legally entitled access. Moonpig could take the nuclear option and try for criminal charges under, say, the Computer Misuse Act (disclaimer: I am not a lawyer, solicitor, barrister, or anything like that), but there's probably enough "responsible behaviour" to easily shoot something like that down (I'm not a lawyer. Have I said that yet?). That said, if MP did go down that route, the press would have an absolute field day. "Moonpig sues guy who reported security bug! A greetings card company has sued a computer security researcher who told them about a security bug, then gave them A YEAR to fix it! More on page five!"

philpem Yes, I suppose it's fair to say weev didn't get in trouble for merely exposing the vulnerability, I should have mentioned that.

Yes, hacking other companies/websites, regardless of if you’re ‘just testing’ is illegal, because nobody knows what you did as well as informing them, you could’ve already sold all of the data.

Not if you use tor.

*ahead of

Interesting how your profile photo is a VGA cable

Hey, just so you know, comments can be edited after you post them.

JamEngulfer not on mobile^^

Checkername1 | Closed Oh right, fair enough

thephantom1492 the “huge fine” isn’t as big as you’d expect for a massive company, especially not back then

tought? you mean taught?

@@jintie Glad you're here to save us all the mental strain of trying to figure out what that could have possibly meant. God forbid a person accidentally omits a letter in a word. We need more people like you in the world, our stockpiles of unearned self-satisfaction are dangerously low

@@jintie thought

@@kyleedwards4903 you. shut up. no one cares about what you have to say. if you wanna be like that, delete your comment and go to some other website that cares about you.

Sledge hammer, that's how you can break this.

+Josh Adams with enough force, everything can be "solved"

that's how my country thinks about economy

Even about my heart!? (sniff)

He indeed did say that.

gametime449 Yes, it's my own tweak on it. I actually came up with it before I watched this video.

Thank you for the hearty laugh.

Zach Ashton A third party system our school used was terrible. Albiet it was just a past paper system, but it's even the idea of it. I said I'd forgot my password, expecting the standard, enter new password malarky. Nope, it sends me a plaintext version of the password.

You are the exception...ie different. Different scares people. Do not stop.

my school got literally a plain windows 7 install from 2010 with no access to updates (somehow) and the admin password was "" (nothing, just press enter). wut

Jack B Ouch, that site hurt my web developer soul.

did you just rickroll me?

@@Kitulous yes, they did.

goddamned liberal

wait me too o.o

Thirsty for knowledge

It's because he always makes mouth noises, if you know what I mean (not speaking obviously)

Me too :o

Me too ;)

Of course, just don’t use consecutive IDs as permanent tokens to access private accounts…

5 unodecillion? Amateur. Try 2 combinations.

I started getting moonpig ads. I thought I was the only one

The disk drive. And don't worry if your computer doesn't have one, there are external ones you can buy.

***** (it's a joke)

***** But 2 am is the best time to read KZbin comments!

I'd say buy a lot of hashing power from someone else and direct it to your wallet. Not sure if there's an easier way.

most likely, assuming those accounts are still live.

levolta It's a shorthand for "someone impersonating you" -- best case, they order a couple of things using your credit card, your bank notices and cancels everything, no major harm done. Worst case -- and you see cases of this with relatives and friends, not unknown online attackers -- they take out some loans in your name, run off with the money and ruin your credit score.

***** I think the worst case is probably a whole lot worse than that. Granted, this is unlikely to happen to a lot of people, but I think someone who can impersonate can, in addition to ruining your credit score, also ruin the relationship with anyone you know, get you to lose your job, get you into a court for some crime you didn't commit, etc.

NNOTM As you pointed out, doing that is luckily not the goal of the average bad guy targetting insecure services. If the attacker does not hold a personal grudge against you but is instead targetting random people that he happens to be able to hijack, he is usually "only" after money and/or prestige. That being said, it can still ruin you pretty easily when your online identity is taken over, especially nowadays where so much of our life takes place online ...

Identity theft can maifest in many ways, but I was the victim about 8 years ago, and someone took £2K of loans out in my name. It too me 4 years to clear my name, and an awful lot of agro. They were however caught. All they needed was my name, address and DOB. Where they got it from (it was no one I knew) I do not know, but it could realistically be many places.

lold

I'm super cereal

Hopefully you have rewatched every one of his videos in the month since you posted this. WITHOUT ADBLOCK

Wild Gaming Honestly I think I have now... Not even joking...

Did you know, that if you skip ads the content creator gets no money at all, just like if you used adblock. Also content creators can't get any money from mobile views (where ads might run even for people using adblocks on PC). Yeah KZbin ad revenue is a messed up system.

Surely they must get something from mobile views assuming the ad is watched all the way through. Mobile is now the biggest platform in terms of number of views.

Yes. That's what the guy who found the Moonpig vulnerability did. If they fixed it after you helped them, then there's nothing more for you to do. If they haven't fixed it yet, it's time to go public with it.