
561 points bearsyankees | 5 comments
xutopia No.43965126
That's crazy to not have responded to his repeated requests!
replies(3): >>43965190 >>43965227 >>43965306
1. benzible No.43965190
As someone managing a relatively low-profile SaaS app, I get constant reports from "security researchers" who just ran automated vulnerability scanners and are seeking bounties on minor issues. That said, it's inexcusable - they absolutely need to take these reports seriously and distinguish between scanner spam and legitimate security research like this.

Update: obviously I just skimmed this, per responses below.

replies(3): >>43965283 >>43965303 >>43965441
2. bee_rider No.43965283
It sounds like they actually met with him, patched the issues, and then didn’t respond afterwards. IMO that is quite rude of them toward him, but they do seem to have taken the issue itself somewhat seriously.
replies(1): >>43965404
3. sshine No.43965303
They already met with him and acknowledged the problem. So their lack of follow-up is an attempt to push things under the rug. Users deserve to know that their data was compromised. In some places of the world it is a crime to not report a data leak.
4. benzible No.43965404
Ah, sorry, I need to actually read things before I react :)
5. nick238 No.43965441
Pardon sir, I see you have:

* Port 443 exposed to the internets. This can allow attackers to gain access to information you have. $10k fee for discovery

* Your port 443 responds with "Server: AmazonS3" header. This can allow attackers to identify your hosting company. $10k fee for discovery.

Please remit payment and we will offer instructions for remediation.