Scam Alert: klikkit.no — IDORs CORS Misconfiguration, HTML Injection, and 1 Year of Silence
Company / Program: klikkit.no
Platform: Self-Hosted · Severity: high · Scam type: ignored
Published:
Reported by: admin
I want to share my experience with a security disclosure that never received proper attention, and how it eventually ended when the entire target went offline.
I responsibly reported multiple vulnerabilities to the program, including:
* 2 IDOR (Insecure Direct Object Reference) issues
* CORS misconfiguration
* HTML Injection
After submitting the report, I was told that the team would contact me soon. I waited patiently, trusting the process.
After nearly **2 months with no response**, I followed up again. Still, there was no reply.
At around the **3-month mark**, I tried once more to get an update — again, complete silence.
As time passed, I realized there was no communication, no acknowledgment, and no closure from the program side.
Finally, after almost **1 year**, I discovered that the entire website/subdomain had been taken down and no longer exists.
There was never any resolution, no feedback, and no reward or even basic confirmation that the issues were handled.
This experience highlights a serious problem in some security programs:
* Lack of response after vulnerability disclosure
* No communication or triage transparency
* Researchers left without closure or acknowledgment
* Reports effectively disappearing into silence
Responsible disclosure depends on trust and communication from both sides. When that breaks down, it discourages researchers from reporting issues at all.
I’m sharing this so others are aware that not every program follows proper handling, even when valid security issues are reported responsibly.