by noobermin 3192 days ago
I get it, be aware of what you post on facebook, but does this not rub anyone else the wrong way?

Imagine you break into your friend's car, and rewire the stereo system so the left speaker doesn't work. Then, you say, "yo, I broke into your car and rewired things. The locks on this car are faulty, better let the car manufacturer know. I should contact them myself and collect my bug bounty." And when your friend, a decent chap, thinks you're joking, and finds out you're not kidding, is his response supposed to be, "Oh shit, you're right. You could have just [rewired my speaker system]. This is crazy." or instead, would he no longer be your friend, and probably report you to the police?

3 comments

Analogies almost always make for tedious discussions.
I grant you that. I am trying to make a general point about whether you should do 'x' just because you can or to prove a point.
> Imagine you break into your friend's car

Bad comparison. Breaking into a car is a locally constrained high-risk attack vector.

This is a low-risk unconstrained attack vector. A bored person anywhere in the world could fuck their shit up with no risk or consequence.

Alright, say their car is unlocked and you rewire the stereo to teach your friend not to leave their car unlocked. Or a better example is surprising them with their car insurance card from the glove compartment to prove you got into their car. The act of intruding into someone's vehicle in and of itself is an unwelcome act, even if it is to teach good lessons. The same is true for this I think.

I always feel that pointing out vulnerabilities is okay. Penetrating to point it out is another thing altogether. Continuing the analogy here would be pointing out to your friend that they shouldn't leave their car unlocked rather than entering and making a mess of things.[0]

And sure, a bored person anywhere can do lots of damage and maybe your damage won't be as bad, but just the act of going through someone's belongings is unwelcome.

[0] Also, there's a huge difference I feel from penetrating systems from orgs that have dedicated security teams...and picking on a private individual to make a point.

It could be posting to Instagram, where a good number of people don't have their accounts set to private.

Someone could write a bot to scrape Instagram for photos with #airport #[name of airline] #[airport code], identify photos with tickets, and steal information that way.