∞
Stay Safe Bug
During the Covid pandemic, every country had its own app or service to help track and monitor citizens for infection and to prevent its spread.
One of these was the Stay Safe app. Before being bought by the Philippine government, this was developed by a company called MultiSys. I have checked their website and that’s it. One thing I know is that their email doesn’t work.
The Bug
I don’t have a Stay Safe account, but one thing I know is that they were using a third party called Uploadcare for handling the assets.
∞
Smartmatic Hacked by Kids
I just found out that the XSOX group has been arrested. It turns out, they’re just some kids who hacked Smartmatic. Kids.
Back in January 2022, I tried to warn everybody about this leak, but only a few seemed to believe me. I had to take my post back to private because of the backlash. After that week, I removed myself from any news about it.
Below is the excerpt.
∞
StaySafe.ph Low Priority Bug
I was signing up for StaySafe.ph when, out of curiosity, I looked around in their public HTML code and saw an exposed public key (UPLOADCARE_PUBLIC_KEY).
So I figured out this key is for uploading to UploadCare. Interesting. As I looked around UploadCare's API documentation, I noticed that for uploading an image you only need a public key.
For communicating with their API, you need both the public and secret keys.
∞
Keepr Storage Bug
Last year, I found a bug in Keepr Storage's Android app. It has the same bug as Globe Telecom's, where the API endpoint was not using secure HTTP. As a result, I can see my data in plaintext over Wi-Fi.
Using Wireshark
But as of version v1.3.6 of their app, this bug has been fixed already. They didn't respond to my email last year though.
∞
Go Manila Bug
I found a simple vulnerability in GoManila, the app from Manila's Office of the Mayor.
The app is using Firebase for the backend and the developer forgot to set the privacy settings, so anyone can visit the link and view its data at https://gomanila.firebaseio.com/.json
I reported it to the Office of the Mayor and the settings were updated already.
∞
Globe Telecom Rewards Bug
I discovered that the Globe rewards app is communicating over insecure HTTP and, because of this, it suffers from a data leak.
Using Wireshark, I was able to read, in clear plain text, the phone number that I entered.
I was able to contact Globe Telecom regarding this bug and was rewarded with 2,000 pesos. Lol.