hacking

When “Access Control” to sensitive Data is just a Number in a URL

Not long ago, I covered the Merkur hack from Lilith Wittmann – a glaring example of careless handling of sensitive data. And today, here we are again! Another service, another broken-by-design system. This time: the hotel chain Numa, exposing tens of thousands of identity documents to anyone with a URL and a browser.

What happened

I just came across this report by this post on Mastodon from the CCC. Their (german) post describes what happened. I’ll briefly try to outline it:

Casino Data Jackpot – For Hackers: Merkur’s API Disaster

A couple of days ago, I saw a Mastodon post from Lilith Wittmann in my timeline. She linked to an article on her Medium page detailing a catastrophic security failure at Merkur AG. You can find the original Mastodon post here.

The casino company Merkur AG and its service providers have made almost all the data available in their casino systems publicly accessible. This includes payment data, gaming sessions, and copies of the ID cards of over one million players.
Lilith Wittmann’s Medium Post (German)