560 points bearsyankees | 13 comments
michaelteter ◴[] No.43965514[source]
Not excusing this in any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.

https://georgetownvoice.com/2025/04/06/georgetown-students-c...

replies(10): >>43965600 #>>43965723 #>>43965782 #>>43966035 #>>43966222 #>>43966281 #>>43966578 #>>43967558 #>>43968803 #>>43969670 #
tmtvl ◴[] No.43966578[source]
I vehemently disagree. 'Well, they didn't know what they were doing, so we shouldn't judge them too harshly' is a silly thing to say. They didn't know what they were doing _and still went through with it_. That's an aggravating, not extenuating, factor in my book. Kind of like if a driver kills someone in an accident and then turns out not to have a license.
replies(6): >>43966766 #>>43967142 #>>43967680 #>>43967819 #>>43968420 #>>43969894 #
LadyCailin ◴[] No.43967142[source]
This is exactly why I think software engineering should require a licensing requirement, much like civil engineering. I get that people will complain about that destroying all sorts of things, and it might, yes, but fight me. Crap like this is exactly why it should be a requirement, and why you won’t convince me that the idea is not in general a good one.
replies(7): >>43967245 #>>43967271 #>>43967301 #>>43967749 #>>43967914 #>>43968373 #>>43970478 #
hackable_sand ◴[] No.43967301[source]
Yes, I will happily fight against authoritarian takes cloaked in vagueries.
replies(1): >>43967479 #
1. jmb99 ◴[] No.43967479[source]
I don’t believe engineering licensing is authoritarian, and I’d be interested in hearing why you believe that to be the case (especially, considering, most “real” engineering fields have had licensing requirements for a century, without any real complaints against that process).
replies(3): >>43967602 #>>43967904 #>>43968543 #
2. theultdev ◴[] No.43967602[source]
You don't see how gate-keeping who can create software is authoritarian?

The distinction between creating virtual software and physical structures is fairly obvious.

Of course physical engineers that create buildings and roads need to be regulated for safety.

And there are restrictions already for certain software industries, such as healthcare.

Many other forms of software do not have the same hazards so no license should be needed, as it would be prone to abuse.

replies(1): >>43967872 #
3. alpaca128 ◴[] No.43967872[source]
I agree creating software in general shouldn't be gatekept, but requiring that app developers who process PII have more to show than vibe-coding experience would probably be beneficial.

I don't think anyone is proposing that Flappy Bird or Python scripts on Github should be outlawed. Just like you can still build a robot at home but not a bridge in the town center.

replies(2): >>43968048 #>>43970506 #
4. s1artibartfast ◴[] No.43967904[source]
There are pretty major exceptions to what requires engineering licenses, and it is pretty unclear where software should fall in.

You can sign a liability waiver and do all sorts of dangerous things.

> most “real” engineering fields have had licensing requirements for a century, without any real complaints against that process).

Most newer engineering fields are trending away from licensing, not towards it. For example, medical device and drug engineering doesn't use it at all.

replies(1): >>43968751 #
5. theultdev ◴[] No.43968048{3}[source]
OP didn't qualify the statement "This is exactly why I think software engineering should require a licensing requirement".

No mention of PII or any specifics.

SWE already has regulations. I see no need for a license requirement...

Concerning PII, it's kind of hypocritical for the gov to regulate when the NSA was proven to be collecting data on everyone against their will or knowledge.

replies(1): >>43968716 #
6. ikiris ◴[] No.43968543[source]
They believe any regulation is authoritative overreach so I doubt you're gonna get anywhere.

Check their comments there's screeds about compelling labor over like basic concepts.

7. LadyCailin ◴[] No.43968716{4}[source]
I’m happy to discuss specifics, so long as they don’t start with the premise “regulation is authoritarianism” and also are in good faith. Kids don’t have to have an engineering license to build a bridge out of popsicle sticks, I doubt you think that someone saying “building a bridge should require a civil engineering license” should apply to that. I’m not unreasonable. I just think there has been entirely too much demonstrated harm to start with the premise of “anyone can build any software they want at any time, with zero liability”.

These students may be liable for things after the fact, but that is hardly any consolation to the people that may have had their intimate personal data leaked. Even if they are successfully sued by everybody on the site, how much money could they possibly squeeze out of a bunch of college students? I don’t know how you can prevent this without some up front thing, such as a license, rather than making them liable after the fact.

replies(1): >>43970620 #
8. degamad ◴[] No.43968751[source]
> medical device and drug engineering

is a special case exception, where rather than requiring licensing for the engineers building the product, we put detailed restrictions and regulations on what needs to be done (extensive testing, detailed evidence, monitoring programs, etc.) before the product can be sold or marketed.

That is hardly an example of a field where risk-taking is encouraged and unlicensed persons are able to unleash their half-developed ideas on the public.

Do you have any other examples of fields which are "trending away" from licensing?

replies(1): >>43974213 #
9. CelestialMystic ◴[] No.43970506{3}[source]
You aren't thinking through the broader implications.

Will I need a license if Flappy Bird has an online function for uploading high scores to a leader table stored online somewhere?

Will I need a license to put a PR on Github?

10. CelestialMystic ◴[] No.43970620{5}[source]
You and many others (reading through the comments) are pretending that an information leak is on the same scale and severity as major safety concerns people may have about the safety of physical structures. It is obviously an asinine comparison and why you will always get such push-back, and people instinctively know they are fundamentally different.

You also haven't thought about how many unintended consequences it will have. It will affect things like open source, hiring and how it will affect smaller niche cultures that rely on pseudo-anonymity or just want to do fun things.

Just off the top of my head:

Am I going to need a license to build an EDuke32 package for AUR?

Am I going to need a license to add a plugin to a piece of software?

Will I need a license to stick a gist on github?

Many people that currently make the laws in industry (just look at the UK online safety act) don't understand/won't care about any of the nuance.

>I just think there has been entirely too much demonstrated harm to start with the premise of “anyone can build any software they want at any time, with zero liability”.

Actually it is the opposite. I and many others could argue that it has improved the world immensely. I can talk to people that share my interests from all around the globe, I have the ability to work internationally and never leave my home. I've just recently taught myself how to fix many of my own vehicle problems at home using Youtube and do some basic maintenance around the house.

I can get any niche product delivered to my door in a matter of days. All of these are massive positives that have benefited the world immeasurably.

> These students may be liable for things after the fact, but that is hardly any consolation to the people that may have had their intimate personal data leaked. Even if they are successfully sued by everybody on the site, how much money could they possibly squeeze out of a bunch of college students? I don’t know how you can prevent this without some up front thing, such as a license, rather than making them liable after the fact.

A license will guarantee nothing. You should assume that anything you put online can be leaked. I can control the amount of information I put on most sites by either giving them false information or being pseudo-anonymous / anonymous.

However regulation in my country is going to force photo ID for platforms such as Discord (and many others) under the guise of age checks. This will mean that I have to give a third party my ID which has all my data or not use the service. This will tie my identity on Discord (which is pseudo-anonymous) to my Discord account.

So licensing/regulation actually guarantees more data leaks. Because I can't vet the company that deals with the ID check, nor can I easily circumvent information gathering. Sure I will probably be able to defeat most of this with a VPN. But it is more of a PITA.

replies(1): >>43973607 #
11. theultdev ◴[] No.43973607{6}[source]
This was beautifully constructed, and I wish you got a reply.

I appreciate the effort.

replies(1): >>43973819 #
12. CelestialMystic ◴[] No.43973819{7}[source]
Thanks. I think it is very easy for people to focus on a lot of the negatives about the tech over the last 25 years and demand regulation, without recognising the huge amount of innovation that took place because people were allowed to try things.
13. s1artibartfast ◴[] No.43974213{3}[source]
Aerospace and Automotive engineering would be more examples, and then the obvious case of software and hardware engineering.

As you point out, the trend is for self certification and government review, like is done for medicine, aircraft.

I don't think these are special cases, but the norm for any field developed after the 60's or so.

>risk-taking is encouraged and unlicensed persons are able to unleash their half-developed

That's your hostile strawman, not mine.