Owning your graduation
Here's a quick one to motivate myself to write more. My PhD graduation ceremony is next week (yes, years late thanks to covid and being late in general). My alma mater uses https://www.yourgraduation.co.uk/ for booking gowns and photography etc.
This page looks old (the design agency that built it has a 2004 copyright on their homepage) and seems very rickety. As I was making an order, I noticed that the text in an info box was in the URL as a parameter. Naturally I tried modifying it, and lo and behold:
https://www.yourgraduation.co.uk/your-order.php?alert=Yousef was here! :)
Could it be that... yes it could:
This is a website that takes payments, so I'll let you use your imagination on how someone malicious can get creative with this and intercept payments simply by sending unsuspecting victims a link.
Disclosure timeline
- 2022-01-10: Disclosure to YourGraduation (no response)
- 2022-02-13: This article is published