←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
561 points bearsyankees | 2 comments | 12 May 25 16:39 UTC | HN request time: 0.426s | source
Show context
michaelteter ◴[12 May 25 17:34 UTC] No.43965514[source]
Not excusing this is any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.

https://georgetownvoice.com/2025/04/06/georgetown-students-c...

replies(10): >>43965600 #>>43965723 #>>43965782 #>>43966035 #>>43966222 #>>43966281 #>>43966578 #>>43967558 #>>43968803 #>>43969670 #
tmtvl ◴[12 May 25 19:18 UTC] No.43966578[source]
I vehemently disagree. 'Well, they didn't know what they were doing, so we shouldn't judge them too harshly' is a silly thing to say. They didn't know what they were doing _and still went through with it_. That's an aggravating, not extenuating, factor in my book. Kind of like if a driver kills someone in an accident and then turns out not to have a license.
replies(6): >>43966766 #>>43967142 #>>43967680 #>>43967819 #>>43968420 #>>43969894 #
LadyCailin ◴[12 May 25 20:30 UTC] No.43967142[source]
This is exactly why I think software engineering should require a licensing requirement, much like civil engineering. I get that people will complain about that destroying all sorts of things, and it might, yes, but fight me. Crap like this is exactly why it should be a requirement, and why you won’t convince me that the idea is not in general a good one.
replies(7): >>43967245 #>>43967271 #>>43967301 #>>43967749 #>>43967914 #>>43968373 #>>43970478 #
1. jasonfarnon ◴[12 May 25 23:23 UTC] No.43968373[source]
" Crap like this is exactly why it should be a requirement, and why you won’t convince me that the idea is not in general a good one."

If you're looking for a regulatory fix, I would prefer something like a EU-style requirement on handling PII. Even the US model--suing in cases of privacy breaches--seems like it could be pretty effective in theory, if only the current state of privacy law was a little less pro-corporate. Civil suits could make life miserable for the students who developed this app.

replies(1): >>43968733 #
2. LadyCailin ◴[13 May 25 00:36 UTC] No.43968733[source]
I can buy that. If I were dictator of the world, I wouldn’t say “making pong clones requires a license”. Even if you grossly negligently screw up the scoring system in your clone, I wouldn’t say you should be liable for anything. I think there are probably more cases where liability should exist, even without processing of personal data of any sort, and I don’t have an easy “one size fits all” regulation in mind either, it’s surely not going to be that easy, and I fully acknowledge that. I just wish we as an industry would start having that conversation in good faith.