Operation Talk(no)More: Six Months of Data Thievery and Zero Results
TalkMore is a Norwegian telecommunications company that provides mobile and broadband services. They offer a range of products and services, including mobile plans, internet subscriptions, and business solutions (whatever that means).
Setting the Scene
Picture this: It's late at night, I'm browsing through technical documentation (as one does), when suddenly I spot something in Talkmore's Bedriftsnett CRM API docs that makes me sit up straight in my chair.
Right there in their official documentation:
https://mittcrm.no/mottakorgid=@o&anr@a&bnr=@b&cnr=@c&gnr=@g&svargr=@n

They were using "mittcrm.no" as the example webhook URL in their integration guide. My security-minded brain immediately went into overdrive.
"Wait a minute... what if businesses just copy-paste this exact example URL without changing it to their own domain?"
This is a classic security oversight I've seen before: companies follow documentation examples verbatim and end up sending sensitive customer data to whatever random domain happens to be in the example. And in this case, that domain, mittcrm.no, wasn't registered by anyone at all!
The Master Plan
I immediately registered mittcrm.no. For aesthetic purposes (and my own amusement), I set up a Windows 95-themed logging interface to capture and monitor any incoming webhook data. The full security researcher experience.

My grand plan:
- Collect webhooks from businesses using the example URL
- Document the security vulnerability
- Responsibly disclose the issue to Talkmore
- Save Norwegian businesses from accidentally exposing customer data
- Maybe write a fancy security blog post about it
I had my speech prepared for when I'd inevitably have to explain to some confused developer that their customer call data was being sent to my server instead of theirs. I even mentally rehearsed the "I'm not a bad guy, I'm helping you" conversation.
The Epic Waiting Game
- Day 1: Nothing.
- Week 1: Checking logs hourly. Still nothing.
- Month 1: Surely someone will make this mistake soon!
- Month 3: (checks server) Is this thing even working?
- Month 6: (sound of crickets intensifies)
The results after six full months of monitoring?
Zero. Legitimate. Webhooks.
My beautiful Windows 95-themed logger only captured automated bot traffic—scanners probing for easy targets. I saw attempts to access /wp-admin/ directories, .env files, and known exploitable paths like /wp-content/plugins/ where vulnerable WordPress extensions might live. There were requests for /phpinfo.php (not a vulnerability itself, but useful for reconnaissance), along with attempts to find exposed .git folders and unprotected database backups. Just the usual background radiation of the internet—bots endlessly scanning for low-hanging fruit. But not a single CRM webhook containing actual customer data.
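The two practical questions in this story are how you would tell a real CRM webhook from scanner noise on a sinkhole like this one, and how a business would check that its own webhook URL does not still point at the documentation's example domain. The following is an added example, not the author's logger and not anything from Talkmore. The parameter names come from the documented template URL (orgid, anr, bnr, cnr, gnr, svargr); everything else is an assumption: the request path /mottak (the documented URL is garbled around that point), the reading of anr/bnr as the A- and B-number of a call, and the access-log lines, which are constructed test data using documentation IP ranges and made-up numbers.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameter names taken from the documented webhook template:
# orgid=@o, anr=@a, bnr=@b, cnr=@c, gnr=@g, svargr=@n.
# Their meaning is an assumption (anr/bnr as caller/called number).
WEBHOOK_PARAMS = {"orgid", "anr", "bnr", "cnr", "gnr", "svargr"}

# Paths typical of the scanner traffic the post describes.
SCANNER_PATTERNS = [
    re.compile(r"^/wp-admin(/|$)"),
    re.compile(r"^/wp-content/plugins(/|$)"),
    re.compile(r"(^|/)\.env$"),
    re.compile(r"(^|/)\.git(/|$)"),
    re.compile(r"/phpinfo\.php$"),
    re.compile(r"\.(sql|bak|zip|tar\.gz)$"),   # dumped backups
]

# Combined-log-format style line; only the fields we need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample log: five scanner probes, one webhook, one unrelated hit.
# The /mottak path and all numbers are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:02:14:07 +0100] "GET /wp-admin/ HTTP/1.1" 404 0
203.0.113.10 - - [12/Mar/2025:02:14:08 +0100] "GET /.env HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2025:03:01:55 +0100] "GET /phpinfo.php HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2025:03:01:56 +0100] "GET /.git/config HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2025:03:01:57 +0100] "GET /backup.sql HTTP/1.1" 404 0
192.0.2.44 - - [12/Mar/2025:09:30:12 +0100] "GET /mottak?orgid=987654321&anr=4790000000&bnr=4722000000&cnr=7&gnr=3&svargr=12 HTTP/1.1" 200 2
192.0.2.45 - - [12/Mar/2025:09:31:00 +0100] "GET /robots.txt HTTP/1.1" 404 0
"""


def classify_request(target: str) -> str:
    """Label one request target as 'webhook', 'scanner' or 'other'."""
    parts = urlsplit(target)
    query_keys = set(parse_qs(parts.query, keep_blank_values=True))
    # Heuristic: a CRM webhook carries at least three of the documented
    # parameter names; scanners never send that particular set.
    if len(WEBHOOK_PARAMS & query_keys) >= 3:
        return "webhook"
    if any(p.search(parts.path) for p in SCANNER_PATTERNS):
        return "scanner"
    return "other"


def parse_log(text: str):
    """Yield (client_ip, method, target) for every parseable request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("target")


def triage(text: str):
    """Count requests per class and extract the call data any webhook leaked."""
    counts = {"webhook": 0, "scanner": 0, "other": 0}
    leaked = []
    for ip, _method, target in parse_log(text):
        kind = classify_request(target)
        counts[kind] += 1
        if kind == "webhook":
            q = parse_qs(urlsplit(target).query)
            # These fields would be real customer data on a live sinkhole.
            leaked.append({
                "ip": ip,
                "orgid": q.get("orgid", [""])[0],
                "anr": q.get("anr", [""])[0],
                "bnr": q.get("bnr", [""])[0],
            })
    return counts, leaked


def webhook_points_to_us(url: str, own_hosts: set) -> bool:
    """The check an integrator should run on their configured webhook URL:
    the host must be one they control, not the domain from the docs."""
    host = (urlsplit(url).hostname or "").lower()
    return host in {h.lower() for h in own_hosts}


if __name__ == "__main__":
    counts, leaked = triage(SAMPLE_LOG)
    print(counts)
    print(leaked)
    print(webhook_points_to_us("https://mittcrm.no/mottak?orgid=1", {"crm.example-business.no"}))
```

On the sample data the five probes land in the scanner bucket, the robots.txt hit in the other bucket, and the one webhook yields the orgid and both phone numbers, which is exactly the kind of record a dangling example domain would receive. The last function is the one-line fix for the copy-paste problem: compare the configured webhook host against your own domains before going live.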
The Aftermath
The domain cost was minimal, but my pride? Thoroughly wounded.
My carefully crafted disclosure email? Never sent. My security presentation slides? Never created. My moment of white-hat glory? Never happened.
The Lesson
Sometimes your stupid ideas are, in fact, stupid.