A Tencent promotional activity leaks a large number of users' address information

ID MYHACK58:62201449455
Type myhack58
Reporter Anonymous
Modified 2014-06-14T00:00:00


A friend sent me this activity over QQ: "There is no free lunch, but there can be a free breakfast! I am taking part in the Yinlu Good Porridge Road free good breakfast application activity. Once the number of applicants at the same address reaches 20, everyone gets a free good breakfast! Good benefits are for sharing, so come along; just one step and you can easily get it!"

The address is: http://haozhoudao.qq.com/yaoqing.html?id=111_1 (the id has been replaced with a fake one).

Out of professional habit, I looked at the id and felt that the numbers at the end could be changed. A quick test confirmed it: the address details of a large number of users can be seen at a glance, starting from 1. For some of the QQ nicknames, the real name can be found through a social-engineering database, and with the real name most of the rest can be obtained by social engineering as well. The detailed address is already there.


So much information, with ids in sequential order, presented to everyone?

Repair solutions:

Don't make the ids sequential, OK? One can guess that id 1 belongs to someone inside Tencent.

It would be better if only invited users who click the link could see the addresses.

Invitation links should not follow a pattern.
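
The three recommendations above, sketched as an added example (not code from the original report or from Tencent): invitation ids come from a CSPRNG instead of a counter, and addresses are returned only to the owner or to users the owner invited. The in-memory `INVITES` store, the function names and the QQ numbers are assumptions made for illustration.

```python
import secrets

# Hypothetical in-memory store standing in for the activity's database.
# token -> {"owner": int, "invited": set of int, "addresses": list of str}
INVITES = {}


def create_invite(owner_qq):
    """Issue an invitation id from a CSPRNG (128 bits), not a counter."""
    token = secrets.token_urlsafe(16)
    INVITES[token] = {"owner": owner_qq, "invited": set(), "addresses": []}
    return token


def invite_user(token, owner_qq, friend_qq):
    """Only the owner of an invitation may add invitees to it."""
    inv = INVITES.get(token)
    if inv is None or inv["owner"] != owner_qq:
        return False
    inv["invited"].add(friend_qq)
    return True


def submit_address(token, applicant_qq, address):
    """Accept an address only from the owner or an invited user."""
    inv = INVITES.get(token)
    if inv is None or applicant_qq not in inv["invited"] | {inv["owner"]}:
        return False
    inv["addresses"].append(address)
    return True


def view_addresses(token, viewer_qq):
    """Return addresses only to the owner or an invited, logged-in user.

    Unknown ids and unauthorized viewers get the same answer (None),
    so the response does not confirm which ids exist.
    """
    inv = INVITES.get(token)
    if inv is None or viewer_qq is None:
        return None
    if viewer_qq != inv["owner"] and viewer_qq not in inv["invited"]:
        return None
    return list(inv["addresses"])


if __name__ == "__main__":
    t = create_invite(10001)                       # constructed QQ numbers
    invite_user(t, 10001, 10002)
    submit_address(t, 10002, "constructed address A")
    print(view_addresses(t, 10002))                # invited user
    print(view_addresses(t, 99999))                # stranger holding the link
    print(view_addresses("111_1", 10001))          # guessed counter-style id
```

The random id alone only makes guessing impractical; the per-viewer check is what keeps a forwarded link from exposing the addresses to an arbitrary visitor.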