This is likely to be one of the most exciting things I ever write about while also being one of the most technically simple: On May 27, 2021, I “Hacked” DEF CON 29. More specifically, I was able to dump a list of the names, e-mail addresses, and tickets of anyone who had bought a ticket online. For a conference that hosts a large number of people who value their anonymity, this is a pretty big deal. Fortunately, this vulnerability was remediated extremely quickly, and after some investigation done by the affected company, it was confirmed that I was the first person to access this data.
Before I go into details of the hack, I first need to give a shoutout to both The Dark Tangent (@thedarktangent) and Guest Manager (https://www.guestmanager.com/) for how quickly they addressed this issue. I initially reported the vulnerability to DT over Reddit, and despite having never talked to him before, he got back to me almost immediately. DT then reached out to Guest Manager, who was able to push out a fix in under 48 hours! To quote DT directly: “Guest Manager was great to work with and very responsive.” While it’s unfortunate that such a critical flaw was found in Guest Manager’s product, I commend them for their rapid remediation and cooperation.
As I mentioned earlier, this is about as technically simple as it gets. On May 26 I went to purchase my own ticket online. The process was simple and standard: Add to cart, purchase ticket. No sign-up of any kind required. Moments later I received the confirmation e-mail with a link to view my order. Viewing my order presented me with the following: