bobdahacker, 6 months ago to random

🎢 Hacked South Park's Casa Bonita. Could access their entire POS system and see all customer payments/tips and more 😬

Technical details:
- Founders Club admin panel: No auth required, all member emails exposed
- POS registration: Form disabled client-side only, API endpoint still functional
- Reservation enumeration: Sequential IDs exposed full customer data
- Full control over customer tabs, payments, and inventory
- Supabase misconfiguration: Public signups triggered automated membership cards

No security.txt anywhere. Had to email parkcounty.com addresses then get help from my friend whose company partners with South Park.

Fixed fast but never thanked me. Got a Founders Club card 6 months later though, because the system automatically sends them 😂

Full Technical Writeup: https://bobdahacker.com/blog/i-hacked-southpark

#infosec #bugbounty #responsibleDisclosure #security #vulnerability #hacking #cybersecurity #southpark #CasaBonita