
561 points bearsyankees | 2 comments
andrelaszlo No.43965977
Oops! Nice find!

To limit his legal exposure as a researcher, I think it would have been enough to create a second account (or ask a friend to create a profile and get their consent to access it).

You don't have to actually scrape the data to prove that there's an enumeration issue. Say your id is 12345, and your friend signs up and gets id 12357 - that should be enough to prove that you can find the id and access the profile of any user.

As others have said, accessing that much PII of other users is not necessary for verifying and disclosing the vulnerability.

replies(1): >>43966460 #
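The two-account check described in the comment above, as an added example that is not part of the thread: a constructed in-memory profile service with the access-control flaw being discussed (authenticated caller, no ownership check on the requested id) beside a hardened handler, and a test that uses only the researcher's own account and one consenting second account. Every name, id and record here is constructed for illustration.

```python
"""Added example: sequential-id profile lookup, vulnerable vs. hardened,
verified with two consenting accounts instead of bulk access."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Profile:
    user_id: int
    email: str
    visibility: str = "private"  # constructed: "private" or "public"


@dataclass
class ProfileStore:
    profiles: Dict[int, Profile] = field(default_factory=dict)
    next_id: int = 12345  # sequential ids, as in the comment's 12345 example

    def sign_up(self, email: str) -> Profile:
        profile = Profile(self.next_id, email)
        self.profiles[profile.user_id] = profile
        self.next_id += 1
        return profile


def get_profile_vulnerable(store: ProfileStore, session_user_id: int,
                           requested_id: int) -> Optional[Profile]:
    """The flaw: the caller is authenticated (session_user_id) but the handler
    never checks whether that caller may read the requested record, so any
    guessable sequential id returns another user's PII."""
    return store.profiles.get(requested_id)


def get_profile_hardened(store: ProfileStore, session_user_id: int,
                         requested_id: int) -> Optional[Profile]:
    """Object-level authorization: only the owner, or anyone for a profile the
    owner marked public. Unauthorized and non-existent ids get the same
    answer, so probing ids does not confirm which ones exist."""
    profile = store.profiles.get(requested_id)
    if profile is None:
        return None
    if profile.user_id == session_user_id or profile.visibility == "public":
        return profile
    return None


Handler = Callable[[ProfileStore, int, int], Optional[Profile]]


def two_account_check(handler: Handler) -> Dict[str, bool]:
    """Minimal-impact verification from the comment: sign up yourself and a
    consenting friend, observe that ids are predictable, and request the
    friend's record from your own session. No third party's data is touched."""
    store = ProfileStore()
    me = store.sign_up("researcher@example.invalid")       # constructed
    friend = store.sign_up("consenting-friend@example.invalid")  # constructed
    result = handler(store, me.user_id, friend.user_id)
    return {
        "ids_predictable": friend.user_id - me.user_id == 1,
        "friend_profile_exposed": result is not None
        and result.user_id == friend.user_id,
        "own_profile_readable": handler(store, me.user_id, me.user_id) is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", two_account_check(get_profile_vulnerable))
    print("hardened:  ", two_account_check(get_profile_hardened))
```

With the vulnerable handler the check reports both a predictable id and an exposed friend profile, which is the whole finding; with the hardened handler the ids are still predictable but the cross-account read fails, showing that the fix is the authorization check, not hiding the ids.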
ofjcihen No.43966460
This is the standard and obvious way to go about things that most security researchers ignore.

While you can definitely want PII protected and scrape data to prove a point, it’s unnecessary and hypocritical.

replies(1): >>43969171 #
1. strunz No.43969171
Eh, part of assessing the vulnerability is how deep it goes. Showing that there were no gates or roadblocks to accessing all the data is a valid thing to research; otherwise they can later say "oh we had rate limiting in place" or "we had network vulnerability scanners which would've prevented a wholesale leak".
replies(1): >>43972721 #
2. ofjcihen No.43972721
That’s not how web app vulnerabilities work and it would be easy to counter that handwaving with “hackers know what FireProx is”.