You're doing it wrong! #mkfail edition

What happens when website owners are notified about security issues and decide to ignore the report?
They end up in blog posts, like this one for example.

1. Search

The search form at MKD-CIRT (the National Center for Computer Incident Response of the Republic of Macedonia) treats you as a hacker as soon as you search in Macedonian: a query typed in Cyrillic is rejected as an attack.
Search hacked!

I wonder how you are supposed to search these articles, which are written in Macedonian?

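The symptom above (legitimate Cyrillic input refused as an attack) is what an ASCII-only "safe characters" filter produces. The following is an added example, not code from MKD-CIRT or from the original post, and the root cause it models is an assumption; the article titles are constructed. It puts the naive gate beside a Unicode-aware one that rejects only control characters and over-long input, and leaves SQL metacharacters to a parameterised query, where they are data rather than code.

```python
import re
import sqlite3
import unicodedata

# Constructed sample catalogue, not MKD-CIRT content: article titles in Macedonian and English.
SAMPLE_ARTICLES = [
    "Препораки за заштита од фишинг",
    "Безбедност на мобилни уреди",
    "Phishing awareness guidelines",
]

# Assumed cause of the symptom: an ASCII-only allow-list used as an "attack" filter.
ASCII_ONLY = re.compile(r"[A-Za-z0-9 ]*")


def naive_search_gate(query: str) -> bool:
    """Return True if the query is accepted. Anything outside ASCII letters, digits and
    spaces is refused, so every Cyrillic query looks like an attack."""
    return ASCII_ONLY.fullmatch(query) is not None


def unicode_search_gate(query: str, max_len: int = 100) -> bool:
    """Refuse only what is genuinely unsafe for a search box: empty or over-long input and
    control/format/surrogate/private-use/unassigned code points. The script of the letters
    is irrelevant, so Cyrillic passes; SQL metacharacters pass too, because the query
    layer, not the gate, is responsible for keeping them out of the SQL."""
    if not query or len(query) > max_len:
        return False
    return not any(unicodedata.category(ch) in ("Cc", "Cf", "Cs", "Co", "Cn") for ch in query)


def escape_like(s: str) -> str:
    """Escape LIKE wildcards so user input cannot turn into pattern syntax."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search(query: str) -> list:
    """Substring search with a parameterised query: the user's text is bound as data, so
    quotes and SQL keywords in it are searched for literally, never executed."""
    if not unicode_search_gate(query):
        return []
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?)", [(t,) for t in SAMPLE_ARTICLES])
    rows = conn.execute(
        "SELECT title FROM articles WHERE title LIKE ? ESCAPE '\\'",
        ("%" + escape_like(query) + "%",),
    ).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    for q in ("фишинг", "phishing", "' OR 1=1 --"):
        print(f"{q!r}: naive gate={naive_search_gate(q)}, "
              f"unicode gate={unicode_search_gate(q)}, hits={search(q)}")
```

The point of the design is that "does this look like an attack" is the wrong question for a search box; binding the text as a parameter makes injection a non-issue regardless of script, and the gate only needs to reject input that is meaningless in any language.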

2. Plaintext passwords

VipMK

This one is from VipMK, the biggest telecom provider in Macedonia.

VipMK Plaintext Password
The picture shows the account settings page, where you can change your username or password, or simply have your current password displayed. A site can only show you your password if it stores it in plaintext (or reversibly encrypted) instead of as a salted one-way hash, so whoever gets hold of the database, a backup, or a support console gets every customer's password.
When asked about this, the support team assured me that everything is in accordance with the law.

Sport vision

Sport vision is a sportswear company with an online store that runs without TLS and uses state-of-the-art plaintext password storage.

SportVision plaintext password

*Image found in the Сојузен Комитет на Програмери на Република Македонија (Federal Committee of Programmers of the Republic of Macedonia) Facebook group.


Pazar3

Pazar3 is something like Craigslist for the Macedonian market: the biggest and most popular classified-ads website in Macedonia.

Pazar3 plaintext password

*Image found in the Сојузен Комитет на Програмери на Република Македонија Facebook group.


codefu

This one is from codefu, an online coding competition built and sponsored by netcetera.
The website's marketing is largely about knowledge and bragging rights.
It looks like the security bragging-rights badge has not been unlocked yet.
I hope there is at least one person in the company who knows how badly this can reflect on their image.

codefu netcetera Plaintext password
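What all four screenshots in this section have in common is a "show me my password" feature, which is only possible when the password itself is stored. The following added example (not code from any of the sites above or from the original post; the credential is constructed) puts that storage pattern beside the hardened form: a per-user random salt and a slow one-way hash, where the site can verify a login but can never display the password. PBKDF2-HMAC-SHA256 is used here because it ships with the standard library; the iteration count follows the OWASP Password Storage Cheat Sheet.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential; not taken from any site in this post.
USERNAME = "user@example.mk"
PASSWORD = "correct horse battery staple"

# --- What the screenshots imply: the stored value is the password itself. ---
plaintext_users: dict = {}


def plaintext_register(username: str, password: str) -> None:
    plaintext_users[username] = password


def plaintext_show_password(username: str) -> str:
    """A "see your password" feature exists only because the secret is stored reversibly.
    A database dump, a backup, or a support console therefore exposes every password."""
    return plaintext_users[username]


# --- Hardened form: salted, slow one-way hash; verification works, recovery does not. ---
hashed_users: dict = {}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 count from the OWASP Password Storage Cheat Sheet
DUMMY_SALT = bytes(16)  # used so a lookup of an unknown user costs the same as a real one


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hashed_register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # per-user random salt defeats precomputed tables
    hashed_users[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "digest": _derive(password, salt, ITERATIONS),
    }


def hashed_verify(username: str, candidate: str) -> bool:
    rec = hashed_users.get(username)
    if rec is None:
        _derive(candidate, DUMMY_SALT, ITERATIONS)  # same cost for unknown users: no timing oracle
        return False
    # constant-time comparison of the digests
    return hmac.compare_digest(_derive(candidate, rec["salt"], rec["iterations"]), rec["digest"])


def hashed_show_password(username: str):
    """Nothing to show: the record holds a salt and a one-way digest, so the only
    account-recovery operation the site can offer is a reset, never a reveal."""
    return None


def record_leaks_password(username: str, password: str) -> bool:
    """What a database dump would give: does the stored record contain the password verbatim?"""
    rec = hashed_users.get(username)
    return rec is not None and password.encode("utf-8") in rec["digest"]


if __name__ == "__main__":
    plaintext_register(USERNAME, PASSWORD)
    hashed_register(USERNAME, PASSWORD)
    print("plaintext store reveals:", plaintext_show_password(USERNAME))
    print("hashed store reveals:", hashed_show_password(USERNAME))
    print("login with right password:", hashed_verify(USERNAME, PASSWORD))
    print("login with wrong password:", hashed_verify(USERNAME, "wrong"))
```

If a dedicated library is available, Argon2id or scrypt are preferable to PBKDF2 because they are memory-hard; the structure of the code (random salt per user, stored parameters, verify-only API) stays the same.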

3. Publicly disclosed vulnerabilities

XSS on government websites

These were publicly disclosed over a year ago, yet nobody has bothered to fix them.

XSS on government websites

XSS, Open Redirect, Everything else

It doesn't have to be a government website: search the disclosures by the .mk country code and tons of valid bugs show up. Hospitals, national television stations, universities and other high-traffic websites are on the list. The disclosure site claims that website owners are notified, so are they willingly ignoring the reports?

XSS on mk websites
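The two bug classes named in this section are among the cheapest to fix, which makes a year of inaction harder to excuse. The following added example (not code from any of the listed sites or from the original post; the hostname is an assumption) shows the vulnerable shape of each beside a hardened version: output encoding for reflected XSS, and a same-site allow-list for the redirect target that also covers the usual bypasses (protocol-relative `//host`, backslash confusion, `user@host` tricks and CR/LF header injection).

```python
import html
from urllib.parse import urlsplit

SITE_HOST = "www.example.mk"  # assumed hostname of the site performing the redirect


def vulnerable_search_page(q: str) -> str:
    """Reflects the query into HTML unescaped: the classic reflected XSS."""
    return f"<h1>Results for {q}</h1>"


def safe_search_page(q: str) -> str:
    """Same page with the query HTML-escaped on output, so any markup in it is inert text."""
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def vulnerable_redirect_target(next_url: str) -> str:
    """Sends the browser wherever ?next= says: an open redirect."""
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Accept only same-site targets, otherwise fall back to `default`.

    Relative targets must be a single-slash path with no backslashes (browsers read
    '\\' as '/', turning '/\\evil' into '//evil'). Absolute targets must be http(s) with
    a hostname exactly equal to SITE_HOST, which rejects 'https://www.example.mk@evil'
    and 'www.example.mk.evil' lookalikes. CR/LF are refused up front because urlsplit
    strips them and they would otherwise inject extra response headers."""
    if "\r" in next_url or "\n" in next_url:
        return default
    parts = urlsplit(next_url)
    if parts.scheme == "" and parts.netloc == "":
        if next_url.startswith("/") and not next_url.startswith("//") and "\\" not in next_url:
            return next_url
        return default
    if parts.scheme in ("http", "https") and parts.hostname == SITE_HOST:
        return next_url
    return default


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(vulnerable_search_page(payload))
    print(safe_search_page(payload))
    for target in ("/account", "//evil.example/x", "/\\evil.example",
                   "https://www.example.mk@evil.example/", "https://www.example.mk/login"):
        print(f"{target!r} -> {safe_redirect_target(target)!r}")
```

For the XSS case the escaping shown is correct for HTML element content and attribute values; a query reflected into a JavaScript string or a URL needs the encoding for that context instead, and a Content-Security-Policy is a worthwhile second layer. For the redirect, the strictest option is to store the post-login destination server-side and never take it from the request at all.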