←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
561 points bearsyankees | 5 comments | 12 May 25 16:39 UTC | HN request time: 1.026s | source
Show context
michaelteter ◴[12 May 25 17:34 UTC] No.43965514[source]
Not excusing this is any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.

https://georgetownvoice.com/2025/04/06/georgetown-students-c...

replies(10): >>43965600 #>>43965723 #>>43965782 #>>43966035 #>>43966222 #>>43966281 #>>43966578 #>>43967558 #>>43968803 #>>43969670 #
genewitch ◴[12 May 25 17:50 UTC] No.43965723[source]
i have an idea, if you don't know anything about app security, don't make an app. "Whataboutism" not-withstanding, this actually made me feel a little ill, and your comment didn't help. I have younger friends that use dating sites and having their information exposed to whoever wants it is gross, and the people who made it should feel bad.

They should feel bad about not communicating with the "researcher" after the fact, too. If i had been blown off by a "company" after telling them everything was wide open to the world for the taking, the resulting "blog post" would not be so polite.

STOP. MAKING. APPS.

replies(5): >>43965917 #>>43966137 #>>43966193 #>>43967241 #>>43967547 #
ghssds ◴[12 May 25 18:38 UTC] No.43966193[source]
Programming should require a gouvernment-emited license reserved to alumni of duly certified schools. Possession of a turing-complete compiler of interpreter without permission should be a felony.
replies(2): >>43966667 #>>43967296 #
1. yamazakiwi ◴[12 May 25 19:28 UTC] No.43966667[source]
You’ve successfully contributed 20 pts to your institutional privilege score; Impressive! You're just one step away from your next badge:

"Class Immobility" (95% of users unlock this without trying!)

How to unlock: Be denied access to an accredited education. Work twice as hard for half the recognition. Watch opportunities pass you by while gatekeepers congratulate themselves!

replies(2): >>43966715 #>>43968089 #
2. pixl97 ◴[12 May 25 19:34 UTC] No.43966715[source]
While previous is an over reactions, the wild west free for all we have is also a problem.

At the end of the day the masses will finally get tired of the fuckery of programmers doing whatever they want and start putting laws in place, and the laws will be passed by the stupidest people among us.

Programmers now should start looking into standards of professional behaviors before they are forced on them by law.

replies(1): >>43966765 #
3. yamazakiwi ◴[12 May 25 19:39 UTC] No.43966765[source]
The problem isn't that anyone has access to programming, it's that corporate incentives prioritize profit over quality, security, and ethics.

And sure, if your follow-up is "that won’t change," I get it, but that doesn’t mean the open nature of programming is the problem.

>At the end of the day the masses will finally get tired of the fuckery of programmers doing whatever they want and start putting laws in place, and the laws will be passed by the stupidest people among us.

I agree laws will pass eventually but it won't start from the people. They rarely even think or hear about software security as something other than an amorphous boogie man, and there are no repercussions so any voices are easily forgotten. Eventually, it will be some big tech corp executive or politician moving into government convincing them to create a security auditing authority to extract money from these companies and/or shut them down.

I'm sure we can find some holier than thou types to fill chairs with security auditors for the new "SSC" once it's greenlit.

4. GuinansEyebrows ◴[12 May 25 22:35 UTC] No.43968089[source]
We could probably stand to stop treating software engineering like some holy calling for geniuses only and start treating it for what it is: a skilled trade that can be regulated and accredited like all the rest of them. It's really not a wild idea and it wouldn't stop kids (or anyone, really) from learning on their own. My parents taught me how to use tools as a kid and I learned how to fix my own toilet, but I didn't decide that made me qualified to go start plumbing professionally without apprenticing first.
replies(1): >>43968232 #
5. yamazakiwi ◴[12 May 25 22:55 UTC] No.43968232[source]
I completely agree! Thank you for this