Hacker News
by supermatou 1492 days ago
Be very, very careful - as ANYTHING you do might land you in hot water. Better consult a lawyer before doing anything.

Personal anecdote: some years back, I was working with a major government agency and I uncovered a huge security problem (a print queue was unprotected and any user could read the ultra-secret, world's-fate-altering documents). I promptly reported the issue and, instead of a commendation, I nearly got myself arrested.

Legal aspects and institutional rules can be complex and counter-intuitive - they can punish even the Good Samaritan!

Again: consult a lawyer before doing anything.

1 comments

Recently the governor of Missouri, Parson, tried to prosecute a professor who found a huge leak of teacher data. The professor informed the state about it before writing any articles on it and made sure it had been fixed. It just embarrassed the governor, whose office was responsible for security. The governor then proceeded to embarrass himself even more by calling him a hacker (it was raw HTML) and threatening prosecution and ordering a two-year investigation. The professor still had to hire a lawyer and deal with this for two years.

https://krebsonsecurity.com/2022/02/report-missouri-governor...

It changes nothing about your post, but I believe it was Base64 Encoded session state.

Within the raw HTML certainly, but not quite cleartext.

It’s essentially the same. If anyone even searched for that info, several search engines could decode it automatically.
If I see a base64 blob in a webpage, you can bet I'm going to decode it.