I work for a train operator company. Yesterday we got an anonymous email which stated that there are some security problems with our tickets.
The attacker said that he forged a ticket by exploiting crypto. It's not my domain and I could not understand what's wrong.
I've bought a train ticket from Moscow to Novosibirsk. I've also made a debug endpoint where you can paste the ticket content (base64-encoded QR code contents) in order to check validity. There are also some debug prints there.
Is it possible to somehow forge a ticket with another departure date?
Flag format:
ecsc{letters_digits_and_special_characters}