A week ago, I blogged about a vulnerability in a platform that would allow anyone to download users’ amortisation schedules. This was a critical issue, but it wasn’t really exploitable in the wild as it included a part where you had to guess the name of the document to download.
I no longer trust that platform, so I went to their website to remove my loan data from it, but apparently this isn’t possible via the UI.
I also opened a ticket on their support platform to request removal and they replied that it isn’t possible.
So I went to their website with the intention of replacing the data with a fake one… but there was no longer an edit button!
I’m sure it was there before and in fact the code also confirms that it was there:
However, the platform is based on Magento and so, starting from the current URL, we can easily guess the edit URL, e.g. https://