An exposed endpoint enabled the retrieval of an individual's email address using their personnummer (social security number). This vulnerability allowed one to determine whether an individual has or has had insurance with the company. It also enables targeted phishing attacks and fraud attempts.
Ethical Disclosure Process: More than 90 days have passed since the initial report was sent. Despite providing time for assessment and remediation, there has been no further communication or confirmation of a fix from the affected organization's side.
A public endpoint allowed searches for addresses, first names, and last names of Swedish children based on their personnummer (social security number). Additionally, it could be determined whether an individual had protected identity or not.
Ethical Disclosure Process: The company fixed the issue within two weeks.
A Gym Capacity Manipulation Vulnerability in the SATS Gym Management System API allowed unauthorized users to modify gym capacity values via an internal API endpoint. This information was displayed on their website and in the app used by their 700 000 members.
Ethical Disclosure Process: The company fixed the issue within one week and, as a token of appreciation for my findings, gave me a reward.
Key projects during my internship at Martin & Servera:
Co-founder & IT manager. SVIT is the union section for those who study Information Systems and Digital Business Development. We work to ensure that students get as much as possible out of their study time. I plan, lead and develop IT Infrastructure for the section and take care of the social media (Instagram, Discord, Facebook).
Bachelor's program in Information Systems at Uppsala Universitet. Courses include programming, databases, data analytics and visualization, IT security, and project management approaches and frameworks.
Improved my knowledge and skills in technology, programming, computer science, physics, and mathematics.