Not sure why this isn’t getting the coverage it should, but long story short, I do undergrad research on companies that experience data breaches, and how they respond in the coming months/years.
I came across Get (https://useget.com) after a society advertised their memberships on the platform at my campus. Using the search function on their website, I searched for the society. I mistyped the society name and instead got results listing people who had similar names. I was intrigued, and wondered if I could search for a specific person. I typed in a friend’s name, and sure enough, their name appeared alongside a list of societies they followed. It seemed a bit strange that I could find people I didn’t know and discover their interests (especially considering societies sometimes help members with sensitive topics, and those members may wish to remain anonymous).
I decided to look into the APIs that the service used to find the information being sent back and forth from Get’s servers. An API is simply a set of functions that services use to communicate with servers and display results.
The search function API not only disclosed full names, but also the associated emails, phone numbers, dates of birth and Facebook IDs for all the users on their platform.
(Image: Redacted response showing all the details of users with the name “Andy”)
More worryingly, the service was available without the use of any tokens, meaning it was available to anyone, whether or not they had signed up to Get, and the data seemed to be for ANY user (even if they never signed up, but someone purchased a ticket for them). This seems to contravene their terms of service. As of writing, the data is easily visible on the Get site (also visible at https://reqbin.com/fbjt0bsy)
There is also copious evidence of a range of SQL injection attempts (https://reqbin.com/xamf5fjb), some of which disclose the schema of the Get database, indicating some of them were successful.
There is a range of other poor practices, such as ID enumeration and event detail disclosure (the number of paying attendees, hidden ticket types, and others).
I tried reaching out to them, but haven’t gotten any response. It seems a lot of the data is from UNSW (where they started?). Any ideas?
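As an added illustration (not part of the post and not Get’s code), the two API problems described above, an unauthenticated search that returns whole user records and lookups by sequential integer ID, shown beside a hardened version in Python. The user table, session tokens, server secret and every function name here are constructed for the example; the fictional records stand in for the "Andy" results in the redacted screenshot.

```python
"""Two API bug classes the post describes, side by side on constructed data:
a search endpoint that hands every column to an unauthenticated caller, and
records addressable by sequential integer IDs. Added example only; the users,
tokens, secret and handlers are made up and are not Get's code."""
import hashlib
import hmac

# Constructed sample user table (fictional people and contact details).
USERS = [
    {"id": 101, "name": "Andy Example", "email": "andy@example.org",
     "phone": "+61400000001", "dob": "1999-01-02", "facebook_id": "1000001",
     "follows": ["Chess Club"], "signed_up": True, "profile_public": True},
    # A ticket was bought for this person; they never registered themselves.
    {"id": 102, "name": "Andy Sample", "email": "andy.s@example.org",
     "phone": "+61400000002", "dob": "2000-03-04", "facebook_id": "1000002",
     "follows": [], "signed_up": False, "profile_public": False},
    {"id": 103, "name": "Andrea Example", "email": "andrea@example.org",
     "phone": "+61400000003", "dob": "2001-05-06", "facebook_id": "1000003",
     "follows": ["Peer Support Society"], "signed_up": True, "profile_public": False},
]

# Hypothetical session tokens -> user id, and a server-side secret for opaque handles.
SESSION_TOKENS = {"tok-andy": 101}
HANDLE_SECRET = b"constructed-server-secret-do-not-reuse"


def search_vulnerable(query):
    """The behaviour the post describes: no token required, the full record
    is returned, non-members are included and internal ids are exposed."""
    q = query.lower()
    return [u for u in USERS if q in u["name"].lower()]


def get_user_vulnerable(user_id):
    """Sequential-id lookup: a loop over 1..N dumps the whole table."""
    for u in USERS:
        if u["id"] == user_id:
            return u
    return None


def authenticate(token):
    """Return the calling user's id, or None. Constant-time comparison so the
    token store does not leak through timing."""
    if token is None:
        return None
    for stored, uid in SESSION_TOKENS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return uid
    return None


def opaque_handle(user_id):
    """HMAC of the internal id: stable per user, but a caller without
    HANDLE_SECRET cannot guess it or increment it to the next record."""
    return hmac.new(HANDLE_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]


def project(u):
    """Only fields the user agreed to expose. Contact details, DOB and social
    ids never leave the server through search; followed societies only if
    the profile is public."""
    out = {"handle": opaque_handle(u["id"]), "name": u["name"]}
    if u["profile_public"]:
        out["follows"] = list(u["follows"])
    return out


def search_hardened(query, token, limit=20):
    """Requires a session, skips records of people who never registered,
    refuses very short queries (a one-character substring matches nearly
    everyone) and caps the page size."""
    if authenticate(token) is None:
        raise PermissionError("authentication required")
    q = query.strip().lower()
    if len(q) < 3:
        raise ValueError("query too short")
    hits = [project(u) for u in USERS if u["signed_up"] and q in u["name"].lower()]
    return hits[:limit]


def get_user_hardened(handle, token):
    """Lookup by opaque handle only, with the same projection as search."""
    if authenticate(token) is None:
        raise PermissionError("authentication required")
    for u in USERS:
        if u["signed_up"] and hmac.compare_digest(opaque_handle(u["id"]), handle):
            return project(u)
    return None
```

The hardened pair does not make name search private on its own; it makes the search return only what a logged-in member could already see on a profile, and it removes the two cheap mass-collection paths (anonymous calls and counting through integer ids).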
This directly contravenes what I saw:
Direct from their still-live terms of service: https://www.qnect.co/public/static/security.pdf
Looks like they’ve confirmed it, but still haven’t disclosed the full details
I can also confirm that the OTP vulnerability is present