
561 points bearsyankees | 10 comments
edm0nd ◴[] No.43965336[source]
> I have been met with radio silence.

That's when it's time to inform them you are dumping the vuln to the public in 90 days due to their silence.

replies(3): >>43965359 #>>43965374 #>>43965518 #
1. hbn ◴[] No.43965374[source]
That's more of a punishment to innocent users than the business
replies(3): >>43965381 #>>43965519 #>>43966199 #
2. kenjackson ◴[] No.43965381[source]
True. Maybe let them know you will be directly contacting each user and letting them know that this service has exposed their personal information to hackers.
replies(1): >>43965582 #
3. nick238 ◴[] No.43965519[source]
Disclosure is good for the 'innocent users' as they are made aware that their data may have been leaked (who knows if the company can do the sufficient auditing and forensics to detect total scraping), rather than just being oblivious because the company just didn't bother to tell them.
replies(2): >>43966025 #>>43966247 #
4. nick238 ◴[] No.43965582[source]
I'd definitely not do that. POCing a scraper to check is fine, but you shouldn't save any PII from that data. You're also saying you're the "hacker", as you don't know if it's actually been revealed to others without the forensics that (hopefully) only the business can do.
replies(1): >>43967496 #
5. maxverse ◴[] No.43966025[source]
Is there any reason to not just privately email the users? "Hey, I'm so and so, a security researcher. I was able to gather your data from <Company>, which has not responded to any inquiries from me. Please be aware that your data is mismanaged and vulnerable, and I encourage you to voice your concern directly to <Company>."
replies(2): >>43966882 #>>43967667 #
6. ericmcer ◴[] No.43966199[source]
This is a rare case where the leak is so egregious he could actually reach out to all the users themselves to let them know. Especially the ones with passport info.
7. kube-system ◴[] No.43966247[source]
> Disclosure is good for the 'innocent users' as they are made aware that their data may have been leaked

Presuming perfect communication which is never the case for security vulnerabilities on a consumer application.

8. Ajedi32 ◴[] No.43966882{3}[source]
Seems like a reasonable idea, though depending on how many users are affected that may effectively amount to going public. Also only works if the vulnerability gives you access to all customer emails, and you're willing to exploit it to get that info (which might not be a good idea legally speaking).
9. kenjackson ◴[] No.43967496{3}[source]
Yeah. Not good practical advice on my part.
10. yard2010 ◴[] No.43967667{3}[source]
Make it better: find a lawyer who would sue and send them the details. You can find like 10 people out of 10k who would love to sue, and you get your bounty from the lawyer.