🔥NEWS: How I was able to hack the Belgian social welfare and justice system by buying cheap domains 👇
https://inti.io/p/when-privacy-expires-how-i-got-access
When privacy expires: how I got access to tons of sensitive citizen data after buying cheap domains

As part of a large-scale privacy investigation, I have bought more than 100 domain names previously belonging to social welfare and justice institutions in Belgium. What I observed was unsettling.

Inti De Ceukelaire
@intidc Well, since it's a Cloudflare site, the people interested in that article would be the same people who won't be interested in dancing with the Cloudflare gatekeeper.

@intidc @helma

Wow, thanks, great article about the domain expiration vulnerability.

@intidc thanks for having done that. 🙏

@intidc Great research!

What always strikes me is how often they go for custom domains instead of using something we would all know as legit, like "belgium.be" or things like that.

When I receive an email, SMS, paper mail... I'm always wondering if it's legit or a scam.

Along the same lines, I'd like a whitelist of bank accounts... It's super easy to print an "official" document and put another account number on it.

Note that banks could also help with a "verified public institution" label.

@intidc This likely goes beyond email as well. Things like HTTP POSTs and FTP uploads are what immediately come to mind.

@intidc Everything is a freaking DNS problem :)