schrottkatze ⚡

OH MY GOD
so
ÖBB disabled easy name changes via their settings UI
*but*
i was like "eh, i wonder if i can just... un-disable the input field via devtools"
so i did
and it worked
ÖBB didn't validate the random name change in their backend

17 comments
schrottkatze ⚡

anyway, PSA for austrian trans people who didn't change their name in ÖBB's system i guess:
ÖBB doesn't allow you to change your name easily
you can do that anyway if you open devtools, find the input element for the first name, and just remove "disabled="""
you can just click save and... it saves correctly.

:BoostOK:

Ysegrim

@schrottkatze This is the most cyberpunk thing I've read today :Blobhaj_Heart_Trans:

refraction :verified_transgender:

@schrottkatze trying to see if this is possible on the Magenta site, which doesn't allow changing the name or the contact email

refraction :verified_transgender:

@schrottkatze can unlock the fields, and the save button, but that alone doesn't seem to allow it to save hmm...

refraction :verified_transgender:

@schrottkatze I think the save button literally just doesn't do anything, since you're not supposed to actually be able to change anything on this page lmao

Indiealexh

@schrottkatze I am forever reminding my devs that the backend should treat all input like it's coming from a third party using our API for their product.
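
The rule in the post above, as an added example that is not part of the thread and is not ÖBB's code: a profile-update handler that applies its own field policy no matter which inputs the page had disabled. The field names, the policy table and the sample profile are assumptions.

```javascript
// Added example: server-side field policy for a profile-update endpoint.
// FIELD_POLICY and all field names are hypothetical, not ÖBB's schema.
const FIELD_POLICY = {
  email: { editable: true, validate: v => typeof v === "string" && /^[^@\s]+@[^@\s]+$/.test(v) },
  phone: { editable: true, validate: v => typeof v === "string" && /^\+?[0-9 ]{5,20}$/.test(v) },
  // Locked in the UI, so it has to be locked here as well:
  // a `disabled` attribute only changes what the browser renders.
  firstName: { editable: false },
  lastName: { editable: false },
};

// Constructed sample record, standing in for a row loaded from storage.
const SAMPLE_PROFILE = {
  id: 42, firstName: "Old", lastName: "Example",
  email: "old@example.org", phone: "+43 1 0000000",
};

// `stored` is the profile the server loaded for the authenticated session;
// `body` is the parsed request body and is untrusted in every field.
function applyProfileUpdate(stored, body) {
  const errors = [];
  const changes = {};
  for (const [field, value] of Object.entries(body)) {
    const known = Object.prototype.hasOwnProperty.call(FIELD_POLICY, field);
    if (!known) { errors.push(`${field}: unknown field`); continue; }
    // A form that echoes a read-only field back unchanged is harmless.
    if (value === stored[field]) continue;
    const rule = FIELD_POLICY[field];
    if (!rule.editable) { errors.push(`${field}: not editable via this endpoint`); continue; }
    if (!rule.validate(value)) { errors.push(`${field}: invalid value`); continue; }
    changes[field] = value;
  }
  // Reject the whole request on any violation instead of saving part of it.
  if (errors.length > 0) return { ok: false, errors, profile: stored };
  return { ok: true, errors, profile: { ...stored, ...changes } };
}
```

Fields that are meant to change only through a separate process (here, the name) get their own endpoint with its own checks rather than an `editable: true` entry in this table.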

schrottkatze ⚡

@indiealexh and i am reminding you that if you build something like this web app, restricting names for trans people, that you should just do it badly

Indiealexh

@schrottkatze thankfully my work is not in any such space. My work is mostly around the collection of research data and the services / people supporting the researchers / research.

Sophie Schmieg

@schrottkatze have you tried changing any elements likely to go into the WHERE clause of the SQL?

Although, if that turns out to allow you to change other people's names, you get the ethical conundrum of disclosure possibly also fixing the other client side validation "feature".

schrottkatze ⚡

@sophieschmieg no, i'm happy changing my own name. probing for other vulnerabilities is an exercise to the reader

Dan Kortschak

@schrottkatze This is the happiest-making thing I've seen today.

/ˈstɑːr.dʌst/

@schrottkatze lol. lmao even.

so "just once, with professionals" does sometimes actually even have practical consequences :awesome:

noodlejetski :verified_gay:

@schrottkatze so *that's* this DIY transition thing I've heard so much about
