Oops, I Hacked It Again: Tales and disclosures

Ignacio Navarro

NorthSec 2025 · Day 2 · Salle de bal

Ignacio Navarro, an application security engineer from Argentina, walks through a series of real-world vulnerability discoveries across a supermarket chain, a ticketing platform, a loyalty card system, and a contactless payment platform. Each tale follows the same arc: a mundane consumer interaction, opportunistic reconnaissance, a cascade of exploitable misconfigurations, responsible disclosure, and a mixed bag of vendor responses. The unifying lessons are about the mechanics of ethical disclosure, the importance of IDOR awareness, and how persistence and curiosity pay off more than specialised tooling.

AI review

An Argentine appsec engineer narrates four real-world bug-hunting stories: a loyalty card platform IDOR across 70 countries, a supermarket chain's chained misconfigurations leading to root MySQL, a ticketing platform admin takeover via sequential ID, and a pre-login authentication bypass that handed you the encrypted credential.
