[potatofrenzy]

> This "aCropalypse" event is an example of how making the wrong triage of an issue report can turn out very expensive. All the costs to the world of aCropalypse could've been averted.

Not trying to be facetious, but... what costs? It is unlikely that this cost the company any substantial amount. It probably wasn't even a whole lot of extra work for the PR department, as the bug didn't generate mainstream headlines.

[neilv]

The unquoted sentence after that was "Some of those costs might eventually come back to the company." Which I distinguish from "costs to the world" in the quoted sentence.

By costs to the world I'm thinking all the things that happen because something a user cropped out was revealed because it wasn't really cropped.

Hypotheticals to illustrate costs to the world:

* A company loses a big business deal because IP/plans leaked to competition in reverted-crop.

* A medical provider and personnel get hit by lawsuit and/or HIPPA for patient data de-anonymized due to reverted-crop of an image.

* Someone gets harassed at their workplace when a reverted-crop adult photo revealed their identity and gets circulated among colleagues.

* Semi-automated extortion rackets, going through troves of images, looking for revertible cropping.

* Other businesses caught in the middle of this have to expend resources to mitigate, or even deal with liability for depending on or assuming correctness of third-party tech behavior, etc.

Maybe luck is with us, and not a single instance of harm to the world actually happens. Or maybe there are many such instances of harm to the world.

Regarding costs to the world eventually coming back to a company -- speaking in general, not of this particular situation -- I think that could come in forms including: brand damage, lost business, lawsuits from those harmed, undesirable turns in legislation, regulatory fines, etc.

[tgv]

> the bug didn't generate mainstream headlines

So ... yesterday it turned out that Microsoft had the control over a certain Bing's search results wide open to anyone with an Azure account, and that enabled anyone to get access to and control over the Azure services of everyone that used Bing for these specific searches. There were probably other ways too, but that hasn't been disclosed or investigated. And it is --of course!-- unknown if this attack ever happened in real life: there were no logs.

That's quite the problem, wouldn't you say? Well, did you see mainstream articles? There was only an article in The Reg, which attracted a mere 11 replies. It simply doesn't get attention, probably because it was framed as "a misconfiguration", yet the costs could be staggering.