A weak link-generation algorithm exposed Democratic Party donor information in the NGP VAN service to attack last month. The vulnerability would allow an attacker to unsubscribe large volumes of donors from Democratic candidates’ fundraising emails, conduct phishing campaigns, or resell the data. I disclosed the vulnerability to NGP VAN’s engineering team, which patched the vulnerability within a week. In this talk, I propose to discuss my discovery process, the tools I used to exploit the vulnerability, and advice for email subscription management services to avoid similar problems. See the optional document section for links to blog posts describing what I'll be talking about.
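The defensive point behind the talk, as an added example that is not NGP VAN's or the speaker's code: an unsubscribe link whose token is an HMAC over the recipient, list and expiry under a server-side key cannot be derived from another link or from guessable identifiers, and is checked in constant time. The key, field names and TTL here are constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key; in production load it from a KMS or environment.
SECRET_KEY = b"constructed-demo-secret-do-not-use"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsubscribe_token(email, list_id, ttl_seconds=30 * 86400, now=None, key=SECRET_KEY):
    """Token = base64url(payload) '.' base64url(HMAC-SHA256(key, payload)).

    A link built from a sequential id or an unkeyed hash is forgeable by anyone
    who sees one link; binding the payload to a secret key prevents that.
    """
    now = int(time.time()) if now is None else now
    payload = json.dumps({"e": email, "l": list_id, "x": now + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(tag)


def verify_unsubscribe_token(token, now=None, key=SECRET_KEY):
    """Return (email, list_id) for a valid, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = b64url_decode(payload_b64), b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        data = json.loads(payload)
        if data["x"] < now:
            return None
        return data["e"], data["l"]
    except (ValueError, KeyError, TypeError):
        return None
```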
Josh Lospinoso
Josh Lospinoso works for US Army Cyber Command as a technical director, where he mentors other developers and writes infosec tools used in cyber operations around the globe. He holds a PhD from the University of Oxford and is a Rhodes Scholar.
Copyright 2020, IronGeek