561 points bearsyankees | 12 comments
edm0nd No.43965336
> I have been met with radio silence.

That's when it's time to inform them you are dumping the vuln to the public in 90 days due to their silence.

replies(3): >>43965359 #>>43965374 #>>43965518 #
9283409232 No.43965359
Good way to get yourself sued and have possible criminal charges brought up to you.
replies(3): >>43965376 #>>43965385 #>>43965884 #
1. b8 No.43965376
Which has never happened before and if it does then the EFF would back you presumably.
replies(2): >>43965442 #>>43965504 #
2. 9283409232 No.43965442
This is a completely uninformed comment. Security researchers get sued or threatened all the time. Bunnie was threatened by Microsoft for publishing his research on Xbox vulnerabilities, the city of Columbus sued David Ross for his reporting on data exposed during a ransomware attack, Google has threatened action against a few security researchers if memory serves and that is just what I can remember off the top of my head.
replies(4): >>43965559 #>>43965722 #>>43965731 #>>43965873 #
3. chickenzzzzu No.43965504
Imagine banking your physical and financial security on a presumption that the EFF can help you XD
4. secalex No.43965559
Agreed. I've been doing this for 25+ years and personally know a dozen people who have been threatened and several who have been sued or faced potential prosecution for legitimate security research. I've experienced both situations!

That doesn't make it right, and the treatment of the researcher here was completely inappropriate, but telling young researchers to just go full disclosure without being careful about documentation, legal advice and staying within the various legal lines is itself irresponsible.

5. tptacek No.43965722
I've spent my entire career doing this, have been personally "threatened" several times, and until relatively recently kept track of researchers dealing with legal threats. The concern is overblown. In cases that go beyond a nastygram from a lawyer, it is almost always the fact pattern that some aggravating factor is present: a consulting agreement that initiated the testing and forecloses disclosure, or the preservation and/or publication of the PII itself, or attempts to pivot and persist access after finding a vulnerability.

It's an especially superficial argument on this story, where the underlying vulnerability has essentially already been disclosed.

replies(1): >>43965834 #
6. retrac No.43965731
The government of Nova Scotia, Canada used to host its FOIA releases (similar to American freedom of information laws) on a website, with a URL along the lines of server.example.gov.ns.ca/foiadoc?=00031337

They are public and intended to be publicly accessed. A clever teenager [1] noticed -- hey, is that a sequential serial number? Well, yes it was. And so he downloaded all the FOIA documents. Well, it turns out they aren't public. The government hosted all the FOIA documents that way, including self-disclosures (which include sensitive information and are only released to the person who the information is about). They never intended to publicly release a small subset of those URLs. (Even though they were transparently guessable.)

Unauthorized access of a computer system carries up to 10 years in prison. The charges were eventually dropped [2] and I don't think a conviction was ever likely. Poor fellow still went through the whole process of being dragged out of bed by armed police.

[1] https://www.cbc.ca/news/canada/nova-scotia/freedom-of-inform...

[2] https://www.techdirt.com/2018/05/08/police-drop-charges-file...

replies(2): >>43965775 #>>43966581 #
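The exposure retrac describes (documents with sequential serial numbers, where a public subset and private self-disclosures share one guessable URL space) is something the site operator could have spotted from ordinary access logs. The following is an added example, not code from retrac's comment or from the Nova Scotia site: it parses constructed log lines whose path shape mirrors the `/foiadoc?=NNNN` pattern quoted above and flags any client that fetches a run of consecutive document IDs inside a short window. The log format, the client addresses and the thresholds (`min_run`, `window_seconds`) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real Nova Scotia logs): timestamp, client, method, path.
# Client 198.51.100.7 walks six consecutive IDs in a few seconds; 203.0.113.9 does not.
SAMPLE_LOG = """\
2018-04-05T10:00:01Z 198.51.100.7 GET /foiadoc?=00031337
2018-04-05T10:00:02Z 198.51.100.7 GET /foiadoc?=00031338
2018-04-05T10:00:02Z 203.0.113.9 GET /foiadoc?=00031340
2018-04-05T10:00:03Z 198.51.100.7 GET /foiadoc?=00031339
2018-04-05T10:00:04Z 198.51.100.7 GET /foiadoc?=00031340
2018-04-05T10:00:05Z 198.51.100.7 GET /foiadoc?=00031341
2018-04-05T10:00:06Z 198.51.100.7 GET /foiadoc?=00031342
2018-04-05T10:05:00Z 203.0.113.9 GET /foiadoc?=00031377
2018-04-05T10:09:00Z 203.0.113.9 GET /index.html
"""

# Assumed log layout: "<ISO timestamp> <client> GET /foiadoc?=<digits>"
LINE_RE = re.compile(r'^(\S+) (\S+) GET /foiadoc\?=(\d+)$')


def parse_requests(log_text):
    """Yield (timestamp, client, doc_id) for every document request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # requests for anything other than a document are irrelevant here
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), int(m.group(3))


def longest_sequential_run(doc_ids):
    """Length of the longest run of consecutive integers in a sorted list of IDs."""
    if not doc_ids:
        return 0
    best = run = 1
    for prev, cur in zip(doc_ids, doc_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text, min_run=5, window_seconds=300):
    """Return {client: longest_run} for clients that fetched at least min_run
    consecutive document IDs within any window of window_seconds.

    IDs inside each window are sorted before the run check, so a crawl that
    requests IDs out of order (as 198.51.100.7 does above) is still caught."""
    per_client = defaultdict(list)
    for ts, client, doc_id in parse_requests(log_text):
        per_client[client].append((ts, doc_id))

    flagged = {}
    for client, reqs in per_client.items():
        reqs.sort()  # chronological order so each window starts at reqs[i]
        best = 0
        for i, (start_ts, _) in enumerate(reqs):
            in_window = [d for t, d in reqs[i:]
                         if (t - start_ts).total_seconds() <= window_seconds]
            best = max(best, longest_sequential_run(sorted(set(in_window))))
        if best >= min_run:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # {'198.51.100.7': 6}
```

Flagging a client this way only tells the operator that someone is walking the ID space; the actual fix is to authorize each document request against who is allowed to see it, since, as retrac notes, the URLs were transparently guessable and the guessing was never the hard part.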
7. koakuma-chan No.43965775
Why did they charge the teen and not the government of NS?
replies(1): >>43968295 #
8. secalex No.43965834
Depending on what he actually did to enumerate that database and whether he downloaded all that PII I think changes the risk profile.
9. tgsovlerkhgsel No.43965873
Threats with the goal to prevent publication are incredibly common.

Following up on the threat is much less common, and the best way to prevent that (IMO) is to remove the motivation to do so: once the vuln is public and further threats cannot prevent the publication, just draw more negative attention to the company, the company has far fewer incentives to threaten or follow up on threats already made.

It's not a guarantee, you can always hit a vindictive and stupid business owner, but usually publishing in response to threats isn't just the right thing to do (to discourage such attempts) but also the smart thing to do (to protect yourself).

10. uneekname No.43966581
Genuine question: how could a well-formed HTTP request for a URL ever be considered unauthorized access? If I request something and someone responds... shouldn't it be their responsibility not to share important information?

Edit: should have read the linked article before commenting. It totally wasn't, and the charges were dropped...after thoroughly harassing the kid.

replies(1): >>43967505 #
11. Alex-Programs No.43967505
The mental and moral model used by programmers ("you own the backend; I own the frontend; if your backend returns stupid stuff to the frontend without me actively breaking into it, that's your fault") is not, as far as I can tell, shared by broader society.
12. 9283409232 No.43968295
Why did the government of Nova Scotia not charge itself?