I found a shell injection vulnerability in an obscure page on my University's website. The shell only had read access so I was mostly limited to getting confidential data. I found a textfile of bad words that you aren't allowed to use in names of some things. After I noticed some fliers on bulletin boards around campus that contained QR codes. Many of these bulletin boards people walk by frequently but sometimes there's nobody around to see if someone is stealing a flyer and then puting one up with a different QR code. This is a really easy to execute social engerring attack, users will trust a QR code on a flier that looks 'legit' and can be difficult to detect. Some uses include rickrolling people, taking them to the wrong website, taking them to a redirect page that executes malicious javascript in the browser and then redirecting.. etc.poking my head around for a little I reported the bug. Because it was the ethical thing to do, not because all of my connections were over the school's wifi logged in as me from my MAC address.

Back to Bloomcon 2017 video list