BobDaHacker 🏳️⚧️ | NB<p>🎢 Hacked South Park's Casa Bonita. Could access their entire POS system and see all customer payments/tips and more 😬</p><p>Technical details:</p><ul><li>Founders Club admin panel: No auth required, all member emails exposed</li><li>POS registration: Form disabled client-side only, API endpoint still functional</li><li>Reservation enumeration: Sequential IDs exposed full customer data</li><li>Full control over customer tabs, payments, and inventory</li><li>Supabase misconfiguration: Public signups triggered automated membership cards</li></ul><p>No security.txt anywhere. Had to email parkcounty.com addresses then get help from my friend whose company partners with South Park.</p><p>Fixed fast but never thanked me. Got a Founders Club card 6 months later though, because the system automatically sends them 😂</p><p>Full Technical Writeup: <a href="https://bobdahacker.com/blog/i-hacked-southpark" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bobdahacker.com/blog/i-hacked-</span><span class="invisible">southpark</span></a></p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/bugbounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugbounty</span></a> <a href="https://infosec.exchange/tags/responsibleDisclosure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>responsibleDisclosure</span></a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/southpark" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>southpark</span></a> <a href="https://infosec.exchange/tags/CasaBonita" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CasaBonita</span></a></p>
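<p>Two of the findings in the post above are textbook web bugs worth seeing side by side: a read endpoint that accepts sequential IDs with no object-level authorization (so walking 1..N dumps every reservation), and a form that the front end hides or disables while the API behind it still honours a hand-crafted request. The block below is an added illustration written for this page; it is not code from the post, from the writeup, or from Casa Bonita's systems. The reservation records, the session shape, the handler names and the <code>CONFIG.posRegistrationOpen</code> flag are all constructed for the example.</p>

```javascript
// Added example: models (1) sequential-ID enumeration with no object-level
// authorization and (2) a "client-side disabled" form whose API still works,
// each next to a hardened version. Constructed data and names throughout;
// this is not the restaurant's code.

// Constructed sample data: a reservations table keyed by sequential IDs.
const RESERVATIONS = [
  { id: 1, ownerId: 'u-alice', name: 'Alice', card: '****1111', tip: 12.5 },
  { id: 2, ownerId: 'u-bob',   name: 'Bob',   card: '****2222', tip: 8.0 },
  { id: 3, ownerId: 'u-carol', name: 'Carol', card: '****3333', tip: 20.0 },
];

// Server-side gate the UI relies on. Hypothetical flag for the example.
const CONFIG = { posRegistrationOpen: false };

// --- Finding: sequential IDs exposed full customer data -------------------

// Vulnerable: look up by id, trust nothing about the caller, return it all.
function vulnerableGetReservation(session, id) {
  const r = RESERVATIONS.find((x) => x.id === id);
  return r ? { status: 200, body: r } : { status: 404 };
}

// Hardened: the record goes only to its owner or to an admin. The fix is
// object-level authorization; switching to UUIDs only slows enumeration
// down and is not a substitute for this check.
function hardenedGetReservation(session, id) {
  if (!session) return { status: 401 };
  const r = RESERVATIONS.find((x) => x.id === id);
  if (!r) return { status: 404 };
  if (session.role !== 'admin' && session.userId !== r.ownerId) {
    // Production code would usually return 404 here too, so that the
    // status code does not act as an "does this id exist" oracle.
    return { status: 403 };
  }
  return { status: 200, body: r };
}

// What an attacker does with sequential IDs: walk the range, keep the hits.
function enumerate(handler, session, maxId) {
  const leaked = [];
  for (let id = 1; id <= maxId; id++) {
    const res = handler(session, id);
    if (res.status === 200) leaked.push(res.body);
  }
  return leaked;
}

// --- Finding: form disabled client-side only, API still functional --------

// Vulnerable: the UI hides the registration form when sign-ups are closed,
// but the endpoint never re-checks, so a crafted POST still succeeds.
function vulnerableRegisterPOS(session, body) {
  return { status: 201, body: { registered: body.terminalName } };
}

// Hardened: the server re-checks the same gate the UI relied on, plus who
// is asking and what they sent. A disabled button is a UX hint, not a control.
function hardenedRegisterPOS(session, body) {
  if (!session) return { status: 401 };
  if (session.role !== 'admin') return { status: 403 };
  if (!CONFIG.posRegistrationOpen) return { status: 409, error: 'registration closed' };
  if (typeof body.terminalName !== 'string' || !body.terminalName.trim()) {
    return { status: 400, error: 'terminalName required' };
  }
  return { status: 201, body: { registered: body.terminalName.trim() } };
}

// Run directly: the unauthenticated walk leaks every record from the
// vulnerable handler and nothing from the hardened one.
console.log('leaked via vulnerable endpoint:',
  enumerate(vulnerableGetReservation, null, 10).length);
console.log('leaked via hardened endpoint (no session):',
  enumerate(hardenedGetReservation, null, 10).length);
```

<p>The enumeration loop is the whole attack: with no session at all it pulls every customer record out of the vulnerable handler, while the hardened handler returns nothing to an anonymous caller and only a customer's own record to that customer. The registration pair makes the other point: whatever condition the front end uses to hide a form (closed sign-ups, a missing role, a feature flag) has to be re-evaluated on the server for the request that actually arrives.</p>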