Real Case - Classic SQL Injection on epaper.lavanguardia.com
The image above doesn’t match the date when I found this vulnerability (26-06-2017). However, I thought it was interesting to post it here, since neither La Vanguardia nor MiLibris ever replied to me about this bug, but I can write it here for the record.
Nothing complex: La Vanguardia uses an e-reader built by MiLibris to publish their digital newspaper. It costs about 9,99 euros per month, but in 2017 (yes, 2017, and still…) you could log in using:
' OR '1'='1
The image below is a screenshot I took with my Note (Note 4? I don’t remember). I wrote
email@example.com as the email, and the password field, if I recall correctly, contained something like:
AAAAAAAA' OR '1'='1.
I tried the same on other sites and found the same vulnerability.
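To show why that password value works and what closes the hole, here is an added example (not code from the original post, nor from La Vanguardia or MiLibris): a constructed SQLite users table, a login check that concatenates the input into the query text, and the same check with bound parameters. The table layout, column names and credentials are assumptions; the real backend is unknown.

```python
import sqlite3


def make_db():
    # Constructed in-memory table; the e-reader's real schema is unknown.
    # Plaintext passwords are used only to keep the demonstration short;
    # a real system stores a salted hash and compares against that.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('reader@example.com', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    # String concatenation: the user input becomes part of the SQL text, so
    # a closing quote followed by OR '1'='1 turns the WHERE clause into
    # (email = ? AND password = 'AAAAAAAA') OR '1'='1', which is always true.
    sql = ("SELECT COUNT(*) FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, email, password):
    # Placeholders: the input is bound as data and never parsed as SQL,
    # so the quote and OR are just characters compared against the column.
    sql = "SELECT COUNT(*) FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()[0] > 0


def demo():
    # Replays the post's input against both versions of the check.
    conn = make_db()
    tautology = "AAAAAAAA' OR '1'='1"
    return {
        "vulnerable_accepts_tautology": login_vulnerable(conn, "email@example.com", tautology),
        "parameterized_rejects_tautology": login_parameterized(conn, "email@example.com", tautology),
        "parameterized_accepts_real": login_parameterized(conn, "reader@example.com", "S3cret!"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A login endpoint that answers "logged in" to an unregistered email with a quote in the password is the quickest black-box sign of this bug; the fix is the bound-parameter form, not input filtering.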
I reported it via Twitter but never got an answer, and obviously no reward, which would have been nice, taking into account that with the La Vanguardia case alone we are talking about 120 euros/year for just one subscription.
Bonus point (12-07-2021): The cookies “never” expire in the Android/iOS app, so if someone found this bug, they can still read the newspaper for free. Also, if you are subscribed, imagine just for one month because you wanna read about the latest COVID news, and you decide to unsubscribe but don’t log out… You will be able to keep reading for free on your phone…