Website that lets you send poop through the post gets hacked

Parcels
(Image credit: Shutterstock / Leika)

A known threat actor has hacked his way into notorious revenge website ShitExpress and leaked the company's secure data, including customer email addresses and the messages they sent through the platform.

ShitExpress is an online service that allows people to send actual faeces, through the post, to whomever they desire. It’s designed to be a prank site, where people can purchase a piece of animal faeces and have it delivered to someone’s door, in a box, together with a personalized message. 

You can imagine the type of messages someone would send together with a piece of animal dung to their cheating former partners, horrible ex boss, or noisy neighbor - hence why this leak might be troubling to many customers.

SQL Injection flaw

As reported by BleepingComputer, a user going by the name “pompompurin” visited the site in order to send a box to his long-time arch-nemesis, cybersecurity researcher, Vinny Troia. The two go way back, pranking and harassing each other for quite some time, the publication reported.

Upon opening the site, he realized that it was vulnerable to SQL Injection, and soon Mr pompompurin was soon sifting through email addresses, customer messages, and other private data associated with the orders. 

A day after successfully compromising the site, he leaked the database on a hacking forum. Speaking to the publication about it, pompompurin said the database was surprisingly small: "It's honestly not that big... There's about 29,000 orders in the data," he said. 

He also said that he didn’t do it for ransom or anything similar. "I gained access a day before I leaked it, and I notified the website owner after dumping the data. [I'm] not sure if they've acknowledged or anything as of yet," he confirmed.

In response to the incident, ShitExpress acknowledged the breach, and took responsibility, saying: "It's purely our fault -- a human error that could happen to anyone. It was found by one of our customers. We fixed the error immediately.” 

As this is a prank site, that gathers almost no customer data at all, there was nothing particular to leak from the compromised endpoints. Payment data was left with the payment provider, meaning pompompurin never got it.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.