I’ve published a new case study on BASE System, a multi-tenant ticketing platform from Poland used - according to the operator’s own claims - by more than 50 venues in Poland.
The article documents a customer email address exposed in a redirect URL, nginx/1.10.3 on Ubuntu 16.04, broken CORS, cookies without the Secure flag, and a sales layer running under homelinux.net, an Oracle (Dyn) DynDNS domain.
https://dadalo.pl/en/tech/anatomy-risks-multi-tenant-ticketing-platform-orientarium-zoo-lodz/
#privacy #cybersecurity #infosec #gdpr #appsec #securityresearch #phishing

Anatomy of risks of a multi-tenant ticketing platform for tourist attractions — a case study of Orientarium Zoo Łódź
Case study of the BASE multi-tenant ticketing platform serving 50+ tourist facilities in Poland: a technical analysis based on the ticket purchase process at Orientarium Zoo Łódź. Four fundamental architectural weaknesses: DynDNS infrastructure under the homelinux.net domain, end-of-life nginx 1.10.3, a problematic CORS configuration, and personal data passed in URL parameters to the payment operator. Extended version of the notification submitted to the President of UODO (the Polish data protection authority) on April 23, 2026, with point-by-point verification of the status on the day of publication.
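As an added example, not code from the post or from the BASE platform, the header-level finding classes named in the post and the abstract (reflected CORS with credentials, cookies set without Secure, a version-disclosing nginx banner, and an email address carried in a redirect URL to the payment operator) can be checked offline against a captured HTTP response. The sample response, the payments.example host, the attacker origin and the nginx version floor in `check_server` are constructed assumptions for illustration, not observations taken from the page.

```python
"""Offline header checks for the finding classes discussed above.
Added example: the sample response below is constructed, not captured."""
import re
from urllib.parse import urlsplit, parse_qs

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_headers(raw):
    """Split a raw HTTP response (status line + header block) into
    (status, [(name, value), ...]). A list rather than a dict, because
    Set-Cookie legitimately repeats. Header names are lower-cased."""
    lines = raw.strip().splitlines()
    status, headers = lines[0], []
    for line in lines[1:]:
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def get(headers, name):
    return [v for n, v in headers if n == name.lower()]


def check_cors(headers, request_origin):
    """request_origin is the (attacker-controlled) Origin the probe sent.
    Reflecting it, or answering '*', together with credentials is the
    'broken CORS' pattern: any site can read authenticated responses."""
    findings = []
    creds = any(v.lower() == "true"
                for v in get(headers, "access-control-allow-credentials"))
    for v in get(headers, "access-control-allow-origin"):
        if v == "*" and creds:
            findings.append("CORS: wildcard origin combined with credentials")
        elif v == request_origin:
            findings.append(f"CORS: arbitrary origin {request_origin} reflected"
                            + (" with credentials" if creds else ""))
    return findings


def check_cookies(headers):
    """Flag Set-Cookie headers lacking Secure (sent over plain HTTP) or
    HttpOnly (readable by injected script)."""
    findings = []
    for raw in get(headers, "set-cookie"):
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
    return findings


def check_server(headers, oldest_supported=(1, 26, 0)):
    """Flag version disclosure in the Server banner and, against an assumed
    floor (oldest_supported is an example value, adjust to your policy),
    nginx builds older than it."""
    findings = []
    for v in get(headers, "server"):
        m = re.match(r"nginx/(\d+)\.(\d+)\.(\d+)", v)
        if m:
            ver = tuple(int(x) for x in m.groups())
            findings.append(f"server: version disclosed ({v})")
            if ver < oldest_supported:
                floor = ".".join(map(str, oldest_supported))
                findings.append(f"server: {m.group(0)} is older than the assumed floor {floor}")
        elif v:
            findings.append(f"server: banner disclosed ({v})")
    return findings


def check_redirect(headers):
    """Look for email addresses in the query string of a redirect target:
    they land in browser history, proxy logs and the Referer of the next hop."""
    findings = []
    for loc in get(headers, "location"):
        for key, values in parse_qs(urlsplit(loc).query).items():
            if any(EMAIL_RE.match(val) for val in values):
                findings.append(f"redirect: email address in query parameter '{key}'")
    return findings


def audit(raw, request_origin):
    _, headers = parse_headers(raw)
    return (check_cors(headers, request_origin) + check_cookies(headers)
            + check_server(headers) + check_redirect(headers))


# Constructed sample: a 302 to a hypothetical payment operator that carries
# the buyer's address, answered by an old banner with permissive CORS.
SAMPLE = """HTTP/1.1 302 Found
Server: nginx/1.10.3 (Ubuntu)
Location: https://payments.example/start?order=123&email=jan.kowalski%40example.com
Set-Cookie: session=abc123; Path=/
Access-Control-Allow-Origin: https://evil.example
Access-Control-Allow-Credentials: true
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://evil.example"):
        print(finding)
```

To use it against a live target, send a request with a deliberately foreign `Origin` header (for example with `curl -si -H 'Origin: https://evil.example'`) and feed the raw response to `audit`; a clean response yields an empty list.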