Users praised anonymous security researcher Riley Walz for exposing private data in the NYC Parking Ticket App via an unauthenticated endpoint, highlighting his repeated successes.
No Digg Deeper questions have been answered for this story yet.
The city actually has a website for disclosing vulnerabilities. But they rejected my disclosure, saying “The resulting data is required by the app to function and is not considered PII.” 😳
I followed up, but was rejected again. Once I tweeted, I finally got a response.
AND since the city publishes every citation ID in an open dataset, someone could have easily used that to build a complete list of millions of people that ever got a ticket: their name, address, license plate, and VIN number.
This was a pretty simple vulnerability to discover. I didn’t use any AI.
I hope NYC (and every government) can improve their disclosure intake programs as the rate and complexity of vulnerabilities discovered soon increases!
@rtwlz anonymous security researcher riley walz strikes again