Skip to content
🔓 POC exploit for, leaking personal information and event tickets
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.


Proof of Concept for an exploit in, an event tickets website, that allowed attackers to obtain personal information (name and government ID) and steal valid event tickets.

The exploit has since been patched and this code is released in responsible disclosure.

More details here.

How It Worked

In the following URL, IdCliente is an incrementing 8-digit number (left-padding with 0 is required), starting at about 00001000 and going until about 09500000 (9.5 million).

Iterating this parameter allowed you to retrieve the list of sold tickets to the user with such ID.

The list of sold tickets had, for each ticket, the event name, location, date, price, quantity of tickets, and the ticket printing ID.

The printing ID, a GUID, could be put into the URL{00000000-0000-0000-0000-000000000000}

to generate a printable ticket which could be taken to the event to obtain access. The printable ticket also had the buyer's name, government ID (RG or CPF, in Brazil) and type of ticket (which can sometimes leak personal information, such as having an account in a certain bank or being of a certain age).


Guilherme Berger

You can’t perform that action at this time.