[ntnn]

The person reporting the bug is not a professional bug hunter, he is a user.

About 1) - an incognito session wouldn't have had any impact on the situation. It's still the same IP the request comes form. Or a proxy? He's a user, not a security expert.

2) He did report it to Sentinel directly over non-open communication channels: https://www.reddit.com/user/notarealhacker/comments/7vpfdl/i... This is also clear from the text, I don't know where you got that from.

3) He didn't dispute that 21 people were affected. He disputed the number of 2000, because he tried numbers over 6000 - and since the id is apparently just an increment (which in itself is already a problem) the number is likely to be false.

From my POV he didn't do anything wrong. He noticed a possible bug, verified it and notified the company. Quite on the contrary - if he _had_ used a proxy and the authorities would've started an investigation to follow all requests it would've looked a lot worse for him.

[dpwm]

And fundamentally he did the most important thing: told them about it. They seem to have got the message that they needed to shut this thing down ASAP. It seems highly unlikely from the nature of the alleged negligence that they found this unauthorized access for themselves in the way they give the impression of.

The reddit post has been edited recently and takes away most of the content, but from the emails it definitely looks as if their "compliance team" is trying to scare.

My own personal experience having received many very scary letters is that it tends to be the ones that look the most terrifying that turn out to be the least to be feared, but there are definitely exceptions to this.

In any case, their message to the victims of their alleged negligence states that there was no malicious intent and should make any civil consequences rather difficult.

[eterm]

The recommendation of using incognito is to demonstrate he could access his own data without the appropriate session.

[ntnn]

Ah, that makes sense - thanks!

[cthalupa]

> The person reporting the bug is not a professional bug hunter, he is a user.

I am aware. This is why I said we need to make sure to attempt to inform people on how to handle these responsibly.

> an incognito session wouldn't have had any impact on the situation. It's still the same IP the request comes form. Or a proxy? He's a user, not a security expert.

An incognito session would mean he is not using his previous session to gain access. Authentication is more frequently tied to a session than an IP address - this is why you are still logged into HN if you change from your home network to a public wifi, or turn on a VPN.

> He did report it to Sentinel directly over non-open communication channels: https://www.reddit.com/user/notarealhacker/comments/7vpfdl/i.... This is also clear from the text, I don't know where you got that from.

He previously provided a link to a telegram chat specifically with 'You can verify what I said in the chat here'. He has since edited the post and is now claiming differently.

> He didn't dispute that 21 people were affected. He disputed the number of 2000, because he tried numbers over 6000 - and since the id is apparently just an increment (which in itself is already a problem) the number is likely to be false.

He disputed both.

>From my POV he didn't do anything wrong. He noticed a possible bug, verified it and notified the company.

Your POV is dangerous. I am not saying he needs to be blamed, but this is quite clearly the incorrect way to handle a data breach and we should educate people on how to do it better.

> Quite on the contrary - if he _had_ used a proxy and the authorities would've started an investigation to follow all requests it would've looked a lot worse for him.

Not if he only accessed his own data, which is part of my point. When looking for security holes or verifying they work you should /NEVER EVER/ purposefully access the data of anyone else. In some cases this is unavoidable - bugs can leak random data, you can't always set up a reproduction environment, etc - but in this case it was totally avoidable.

He should not be prosecuted. He should be educated. Everyone else should also be educated. The point isn't to berate him. He should be in contact with the authorities because he now has access to privileged information, and for all parties' good they need to be aware of who has access to that data so they know who they should speak to if it is used maliciously.

[ntnn]

> An incognito session would mean he is not using his previous session to gain access. Authentication is more frequently tied to a session than an IP address - this is why you are still logged into HN if you change from your home network to a public wifi, or turn on a VPN.

Yes, that you were aiming at the authentication session hadn't come to my mind as the vulnerability was access without authorization. In the case of a private session or proxy he'd still require a spam mail, create a separate account etc.pp. to just test this explicitly.

> He previously provided a link to a telegram chat specifically with 'You can verify what I said in the chat here'. He has since edited the post and is now claiming differently.

That is indeed bad.

> He disputed both. >> Later, The CEO, Roy Lai, confirms 'only' 21 people of 'over' 1000 were affected. I tried a fileId of over 6k and it works so you do the math, there were definitely more than 2k.

Unless he edited that as well he disputed the total, not the part.

> [...]

I concur, what seems to actually have happened is quite worse than the version I read.

[cthalupa]

> Later, The CEO, Roy Lai, confirms 'only' 21 people of 'over' 1000 were affected.

6000 is over 1000. 10000 is over 1000.

If anything the CEO would want to increase the second number. 21 out of 1000 is a worse ratio than 21 out of 10000 :)

[forgottenpass]

>This is why I said we need to make sure to attempt to inform people on how to handle these responsibly.

Yup, just tack that onto the ever-growing list of security stuff to teach users. How's the level of security knowledge among the general population coming along, by the way?

[cthalupa]

It being a difficult task doesn't mean it isn't necessary. People have eventually learned, over time, all sorts of things that weren't particularly intuitive at first. The general population is now well aware that smoking is bad for you, even though it took literally hundreds of years to get to that point.

The sarcasm isn't even particularly witty, because no one is under any illusions that this is an easy task.