Questioning the security of my job's software lmao 04-01-2019, 01:33 PM
#1
Ok so I'm currently working at a gas station for the heck of it.
Software looks super old, windows XP, and the gas pumps themselves must be older than I am (at LEAST pre 2000).
Today a pump went crazy and instead of pricing something at 1.354 it priced it at 5€ per Liter which was insane lmao.
The result? Tech guys called after I contacted my boss about the issue.
So a few things, first they can get access to the POS without you even getting a prompt or anything, the cursor will just start moving (They use TeamViewer, didn't even knew you could do that without any sort of warning or popup), then he started fiddling around and logged into admin or Master or something (which is a basic/obvious number for login and no clue if they have any check on injections there), and started looking at the Database.
I asked if it was SQL and he said it was, after looking around a bit he found the thingy with the issue (which I hadn't cashed out yet) and he changed the Price as well as the Liters used just like that.
I also asked if they usually hire pentesters to test their system, he said no and something along the lines of it not being necessary or that they basically just handle customer receipts and stuff so no biggie (Mind you it also contains data such as the Tax Numbers, addresses, etc of some customers).
And I also said I found it weird that they can just connect automatically without any warning, to which he said it's not a problem because it needs a password lol.
Now here's the thing.
I admit I don't really have any clue how one would go about hacking this, I just know a few basics about SQL injection and such, but given how old the software is and whatnot it doesn't really seem well protected or anything like that, and I can imagine someone with a laptop getting a full tank of fuel, hacking into the POS and altering the price/Liters/etc so they only pay like 10€ without anyone noticing (it allows self service).
So yeah lol, wanted to share this.
As a side note however, imagine if I wanted to test if they are really vulnerable and find something, if I report it to them is there any sort of legal issue I could get myself into even if my intent is just to pentest? For this I would obviously get the software for myself, not try it on the work computer.
Software looks super old, windows XP, and the gas pumps themselves must be older than I am (at LEAST pre 2000).
Today a pump went crazy and instead of pricing something at 1.354 it priced it at 5€ per Liter which was insane lmao.
The result? Tech guys called after I contacted my boss about the issue.
So a few things, first they can get access to the POS without you even getting a prompt or anything, the cursor will just start moving (They use TeamViewer, didn't even knew you could do that without any sort of warning or popup), then he started fiddling around and logged into admin or Master or something (which is a basic/obvious number for login and no clue if they have any check on injections there), and started looking at the Database.
I asked if it was SQL and he said it was, after looking around a bit he found the thingy with the issue (which I hadn't cashed out yet) and he changed the Price as well as the Liters used just like that.
I also asked if they usually hire pentesters to test their system, he said no and something along the lines of it not being necessary or that they basically just handle customer receipts and stuff so no biggie (Mind you it also contains data such as the Tax Numbers, addresses, etc of some customers).
And I also said I found it weird that they can just connect automatically without any warning, to which he said it's not a problem because it needs a password lol.
Now here's the thing.
I admit I don't really have any clue how one would go about hacking this, I just know a few basics about SQL injection and such, but given how old the software is and whatnot it doesn't really seem well protected or anything like that, and I can imagine someone with a laptop getting a full tank of fuel, hacking into the POS and altering the price/Liters/etc so they only pay like 10€ without anyone noticing (it allows self service).
So yeah lol, wanted to share this.
As a side note however, imagine if I wanted to test if they are really vulnerable and find something, if I report it to them is there any sort of legal issue I could get myself into even if my intent is just to pentest? For this I would obviously get the software for myself, not try it on the work computer.
![[Image: a8Wp2g3_460sa.gif]](http://d24w6bsrhbeh9d.cloudfront.net/photo/a8Wp2g3_460sa.gif)
"Offense is not given, it's taken"
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)
![[Image: fSEZXPs.png]](https://i.imgur.com/fSEZXPs.png)
![[Image: AD83g1A.png]](http://i.imgur.com/AD83g1A.png)
