←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
570 points bearsyankees | 3 comments | 12 May 25 16:39 UTC | HN request time: 0.623s | source
Show context
andrelaszlo ◴[12 May 25 18:15 UTC] No.43965977[source]
Oops! Nice find!

To limit his legal exposure as a researcher, I think it would have been enough to create a second account (or ask a friend to create a profile and get their consent to access it).

You don't have to actually scrape the data to prove that there's an enumeration issue. Say your id is 12345, and your friend signs up and gets id 12357 - that should be enough to prove that you can find the id and access the profile of any user.

As others have said, accessing that much PII of other users is not necessary for verifying and disclosing the vulnerability.

replies(1): >>43966460 #
ofjcihen ◴[12 May 25 19:03 UTC] No.43966460[source]
This is the standard and obvious way to go about things that most security researchers ignore.

While you can definitely want PII protected and scrape data to prove a point it’s unnecessary and hypocritical.

replies(1): >>43969171 #
strunz ◴[13 May 25 02:20 UTC] No.43969171[source]
Eh, part of assessing the vulnerability is how deep it goes. Showing that there were no gates or roadblocks to accessing all the data is a valid thing to research, otherwise they can later say "oh we hade rate limiting in place" or "we had network vulnerability scanners which would've prevented a wholesale leak".
replies(1): >>43972721 #
1. ofjcihen ◴[13 May 25 13:27 UTC] No.43972721[source]
That’s not how web app vulnerabilities work and it would be easy to counter that handwaving with “hackers know what FireProx is”.
replies(1): >>44077558 #
2. SeaScythes ◴[23 May 25 23:33 UTC] No.44077558[source]
Hey there--pentester, security researcher, and bug bounty hunter here.

"Demonstrating impact" is common practice. The presence (or non-presence) of rate limiting controls, such as those alluded to by the commenter above, can play into the risk assigned to a vulnerability, and may be difficult to ascertain without actually attempting an otherwise theoretical attack. This also has the effect of indicating whether the target has adequate detection capabilities, which is important information.

Demonstrating impact is also just sometimes necessary to convey urgency to leadership; hand waving is common. Alternatively, some organizations may silently patch without performing a responsible disclosure, such as was the case with this article. Having hard proof that the attack was 1) viable and 2) not detected is critical information in the event that you must disclose to the public.

As an aside, from your history:

> My one gripe with HN is that people say incorrect things with complete confidence pretty regularly and you can only Detect it if you know the subject matter.

Welcome to being part of the problem. Remember the feeling.

replies(1): >>44098001 #
3. ofjcihen ◴[26 May 25 14:52 UTC] No.44098001[source]
Also a security professional, pentester, bug bounty hunter, multitude of other irrelevant self-imposed titles owner here.

You’ve demonstrated impact by small amounts of enumeration. If you had any real experience in bug bounty contracts you would know 2 things:

Almost all contracts ask you not to enumerate the entire data set as 2 or 3 records is enough (again, that’s how security controls work) and no one is interested in hearing about rate-limiting on public bounties. Pentesting sure, but that’s not what we’re talking about.

Source, 2 decades in the security industry at large in all kinds of positions.

And a note for future reference. If you think I’m out of line for my snark then don’t give what you can’t take.

Edit: Oh, and as someone on both sides of the fence enumerating an entire data set against scope is in the top ten reasons people get booted from programs. To anyone else seeing this chain: don’t do it. YOU DO NOT NEED TO TO PROVE IMPACT. Respect people’s privacy.