Private, financial and other non-public information of Fl.ru users is still freely available.

    Despite the publication of “Critical Security Vulnerability on fl.ru”, this service continues to hand out to anyone who asks information that should be closed to public access.

    You can easily access passport data, registration address, postal address, e-mail, phone and other information about Fl.ru users, including financial information! And not only about freelancers, but also about customers. You do not need any hacking tricks or a break-in to the Fl.ru site for this: it is enough to follow the links indexed by Yandex with the corresponding referrer in the request header.

    The first option is to use the wget utility, as recommended by ValdikSS in his comment:
    wget --referer 'https://st.fl.ru' http://st.fl.ru/about/documents/document_name.pdf

    The second option is to install a browser add-on that sets a specific referrer for a particular site. For example, for Firefox you can use this add-on: addons.mozilla.org/en/firefox/addon/refcontrol. After installation, go to the RefControl settings and add the site st.fl.ru, then select “Other” and enter the following in the field:
    https://st.fl.ru
    After clicking “Ok”, the settings window should look like this:



    That's it: now you can follow the links to the Appendix to the OFFER FOR CONCLUSION of the AGREEMENT or to technical tasks, as well as any other Yandex or Google search results on the Fl.ru domain, and gain access to information that should be closed to public access!

    I think that specifying a particular referrer in an HTTP request is not a wrongful act. I am sure that Fl.ru should take more serious action than checking the referrer in order to close such critical information from public access. For example, show these documents only to authorized users.
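
The difference between a Referer check and the authorization suggested above, as an added example (not Fl.ru's code). The handler names, session table and user ids are hypothetical and all data is constructed; the document path is the placeholder from the wget line.

```python
from dataclasses import dataclass, field

# Constructed data: which user owns which document, and which
# server-side session token belongs to which user.
DOCUMENTS = {"/about/documents/document_name.pdf": "user-1001"}
SESSIONS = {"token-owner": "user-1001", "token-other": "user-2002"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)  # fully client-controlled
    cookies: dict = field(default_factory=dict)  # token is checked server-side


def serve_referer_gated(req: Request) -> int:
    """Weak gate: the decision rests on a header the client writes itself."""
    if req.path not in DOCUMENTS:
        return 404
    if req.headers.get("Referer", "").startswith("https://st.fl.ru"):
        return 200
    return 403


def serve_authorized(req: Request) -> int:
    """Hardened gate: Referer is ignored; identity and ownership decide."""
    if req.path not in DOCUMENTS:
        return 404
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return 401  # no valid session: not an authorized user
    if user != DOCUMENTS[req.path]:
        return 403  # logged in, but the document belongs to someone else
    return 200


def compare(req: Request) -> tuple:
    """Status codes from both gates for the same request."""
    return serve_referer_gated(req), serve_authorized(req)


if __name__ == "__main__":
    doc = "/about/documents/document_name.pdf"
    ref = {"Referer": "https://st.fl.ru"}
    print("anonymous + Referer:", compare(Request(doc, ref)))
    print("other user + Referer:", compare(Request(doc, ref, {"session": "token-other"})))
    print("owner, no Referer:", compare(Request(doc, {}, {"session": "token-owner"})))
```
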

    UPD Friday, Mar 27, 2015 2:09 p.m.
    At the moment, Fl.ru has finally closed this hole!
    Thanks to everyone who participated in the discussion, reposted information, etc. - we still forced Fl.ru to pay attention to it and take action!
