by tdalaa 3352 days ago
Wow. Going on with your life as a C-level executive with this knowledge, as if it's just all good, is just insane. I'm sure they're in the clear personally now, but I can certainly see why they would wanna sell their company fast after gaining this knowledge in 2010.
2 comments

> I'm sure they're in the clear personally now

Don't be so sure. If they didn't disclose this to their buyers they are guilty of fraud. The statute of limitations has probably run out (I don't know which state has jurisdiction here), but delayed discovery rules may apply.

I'm not so sure it's fraud for 2 reasons: 1) how easy it would/should be for the buyer to discover the issue; 2) these transactions generally have very detailed disclaimers / disclosure -- basically making them 'as-is' transactions.

If I were a betting man, I'd bet the buyer knew about the issue and basically didn't care.

Yet security researchers go to prison for iterating the ID numbers in a URL to access private profile pages :/

This is negligent. If they are running banking ecommerce infrastructure and are unable to deal with 101 security risks then it is absolutely negligent. The "it is too complex for the average person" isn't an adequate defense.

The only thing is that there has to be someone who lost something of real value for it to go to court as negligence does it not?

This is good thinking. But you need iron tight wording when spelling this stuff out.

In your contact with companies you should say "Failing to fix this issue would be a violation of reasonably assumed security practices as required in LAW..."

Given my experiences with C-level executives it's unlikely the leadership thought this was a "real" security issue - and it is entirely possible that there haven't been any attacks made using this vulnerability - Zecco isn't Fidelity or Morgan Stanley.

Wouldn't the FTC want to know about this though, as this would be a great way to execute a pump-and-dump scam...