by beobab 3245 days ago
If your security is "http://example.com/1234/secret_data/", but 1234 is your customer number, and changing the customer number gives you someone else's data, then the analogy is more like:

"the sheriff has told everyone that there's a bad dude wandering round town trying doors, and [responsible citizen] noticed that everyone had identical door-keys which would open every lock".

Is that still creepy?
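The access pattern the comment above describes (the customer number in the URL is the only thing choosing which record comes back) is what defenders call an insecure direct object reference. The example below is added here and is not code from the thread or from any site it mentions: a lookup written the vulnerable way beside the same lookup with the authorization decision made server-side from the session, plus a small check over constructed access-log lines that flags a session touching many distinct customer ids, which a real customer never needs to do. All records, session tokens and log lines are constructed for illustration.

```python
"""
Added example (not from the HN thread): the vulnerable lookup from the
comment above beside its authorized form, and a detector that flags one
session reading many customer ids. All data here is constructed.
"""
from collections import defaultdict

# Constructed sample store: customer number -> that customer's data.
RECORDS = {
    1234: "order history for customer 1234",
    1235: "order history for customer 1235",
    1236: "order history for customer 1236",
}

# Constructed sessions: session token -> authenticated customer number.
SESSIONS = {
    "sess-a": 1234,
    "sess-b": 1235,
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def secret_data_vulnerable(session_token: str, customer_id: int) -> str:
    """Mirrors the thread's example: being logged in is checked, but the
    customer number from the URL alone selects the record, so any logged-in
    user can read any other customer's data."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return RECORDS[customer_id]


def secret_data_checked(session_token: str, customer_id: int) -> str:
    """Same route, but the decision comes from the session, not the URL:
    the id in the path must match the authenticated customer."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    if customer_id != owner:
        raise Forbidden("customer %d may not read customer %d" % (owner, customer_id))
    return RECORDS[customer_id]


def is_forbidden(fn, *args) -> bool:
    """Helper for callers/tests: True if fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# Constructed access-log lines in the form "<session> <path> <status>".
SAMPLE_LOG = """\
sess-a /1234/secret_data/ 200
sess-a /1235/secret_data/ 403
sess-a /1236/secret_data/ 403
sess-a /1237/secret_data/ 403
sess-b /1235/secret_data/ 200
"""


def distinct_ids_per_session(log_text: str) -> dict:
    """Count the distinct customer ids each session requested under
    /<id>/secret_data/. Malformed lines are skipped."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        session, path, _status = parts
        segments = path.strip("/").split("/")
        if len(segments) >= 2 and segments[1] == "secret_data" and segments[0].isdigit():
            seen[session].add(int(segments[0]))
    return {s: len(ids) for s, ids in seen.items()}


def flag_enumeration(log_text: str, threshold: int = 3) -> list:
    """Sessions that touched at least `threshold` distinct ids. A legitimate
    customer needs exactly one, so even a low threshold is a useful alert."""
    counts = distinct_ids_per_session(log_text)
    return sorted(s for s, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(secret_data_vulnerable("sess-a", 1235))   # leaks another customer's data
    print(is_forbidden(secret_data_checked, "sess-a", 1235))  # True: blocked
    print(flag_enumeration(SAMPLE_LOG))             # ['sess-a']
```

The fix is the ownership comparison in `secret_data_checked`; whether the server rejects with 403 or answers as if the record did not exist is a separate choice, and the log check works either way because it keys on the ids requested, not on the status returned.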

I would find it creepy that someone was testing their key on other people's doors.

If I caught someone trying their key on my door I would call the cops, even if they said they were just testing it to see if it would work.

Who is the sheriff in this case?

I'm the sheriff!

But all kidding aside, it sounds like the sheriff is the hacker, who has discovered through investigation that every lock is exactly the same.

That said, a hacker isn't elected to protect people, they are doing it out of the "kindness" of their heart. What a lot of people get in trouble for is hacking first and asking for permission after.

If you go up to a company with a statement like: "I think you may have a vulnerability in your software. I haven't tested this hypothesis (you can verify in your logs), but with your permission, I could check it, and report back to you." Most companies would probably be thankful, others might instead get mad and handle it internally. But if you DON'T hack first, you have nothing to really worry about.

That seems unreasonable.

If I logged in to a service and saw a URL like http://example.com/1234/secret_data, calling them with a report of a potential vulnerability would be a waste of their and my time 98% of the time. And there's an infinite number of such "potential vulnerabilities" to report, too. Like on HN, I see I can edit my profile description over at https://news.ycombinator.com/user?id=TeMPOraL. I wonder what happens when I change the 'id' param? Better not try it out, but call 'dang immediately!

Discovering an actual vulnerability in the first place requires doing something that could be considered hacking.

You consider it "hacking" to change a URL from example.com/1234 to example.com/1235?

Ask Weev, while being a troll... Apparently he gets to go to jail for using numbers at the end of a URL... ICC ID... So you try one number, then another, then disclose it, and yeah... Go to prison. Welcome to America.