> The person reporting the bug is not a professional bug hunter, he is a user.

I am aware. This is why I said we need to make sure to attempt to inform people on how to handle these responsibly.

> an incognito session wouldn't have had any impact on the situation. It's still the same IP the request comes from. Or a proxy? He's a user, not a security expert.

An incognito session would mean he is not using his previous session to gain access. Authentication is more frequently tied to a session than an IP address - this is why you are still logged into HN if you change from your home network to a public wifi, or turn on a VPN.

> He did report it to Sentinel directly over non-open communication channels: https://www.reddit.com/user/notarealhacker/comments/7vpfdl/i.... This is also clear from the text, I don't know where you got that from.

He previously provided a link to a telegram chat specifically with 'You can verify what I said in the chat here'. He has since edited the post and is now claiming differently.

> He didn't dispute that 21 people were affected. He disputed the number of 2000, because he tried numbers over 6000 - and since the id is apparently just an increment (which in itself is already a problem) the number is likely to be false.

He disputed both.

> From my POV he didn't do anything wrong. He noticed a possible bug, verified it and notified the company.

Your POV is dangerous. I am not saying he needs to be blamed, but this is quite clearly the incorrect way to handle a data breach and we should educate people on how to do it better.

> Quite on the contrary - if he _had_ used a proxy and the authorities would've started an investigation to follow all requests it would've looked a lot worse for him.

Not if he only accessed his own data, which is part of my point. When looking for security holes or verifying they work you should /NEVER EVER/ purposefully access the data of anyone else. In some cases this is unavoidable - bugs can leak random data, you can't always set up a reproduction environment, etc - but in this case it was totally avoidable.

He should not be prosecuted. He should be educated. Everyone else should also be educated. The point isn't to berate him. He should be in contact with the authorities because he now has access to privileged information, and for all parties' good they need to be aware of who has access to that data so they know who they should speak to if it is used maliciously.
Yes, it hadn't come to my mind that you were aiming at the authentication session, as the vulnerability was access without authorization. In the case of a private session or proxy he'd still require a spam mail, create a separate account etc. pp. to just test this explicitly.
> He previously provided a link to a telegram chat specifically with 'You can verify what I said in the chat here'. He has since edited the post and is now claiming differently.
That is indeed bad.
> He disputed both.

>> Later, the CEO, Roy Lai, confirms 'only' 21 people of 'over' 1000 were affected. I tried a fileId of over 6k and it works so you do the math, there were definitely more than 2k.
Unless he edited that as well he disputed the total, not the part.
> [...]
I concur, what seems to actually have happened is quite worse than the version I read.