by intern4tional 893 days ago
This isn’t owning fast food chains; rather compromising some AI startup that has some of them as a customer.

Title is misleading.


It exposed PII of the managers & employees of ~half of the most popular fast food companies.

Personally I feel the title is justified but I understand and respect your viewpoint.

Also keep in mind that trying to clarify such would also make the title much longer than I desired.

Aren't you afraid one of the companies involved may file a complaint with the FBI or police and get you arrested?

Arrested for what? The system gave them permissions, they didn't exfil data, and they disclosed it to the company. He did those companies a favor by showing them how vulnerable they are by outsourcing every operation and process in pursuit of profits.

Title: I pwned Chattr.ai via Firebase misconfiguration

That’s what you should call it. It explains to readers what’s going on without over-sensationalism.

That isn’t too long either.

That's a bit unfair; I think it's pretty important that it has real-world consequences. Nobody knows what Chattr is and who their users are.

> This isn’t owning fast food chains; rather compromising some AI startup that has some of them as a customer.

By this argument, getting access by phishing a company employee also wouldn't count as an attack on the company.

No, as a company employee is directly tied to and the responsibility of the company.

These companies are responsible for their employees' behavior and data, but they are not responsible for nor legally liable for (in most cases, some exceptions apply) the actions of a third party that they have retained to help with hiring.

In fact the contract they have with said third party likely absolves them of any liability.

The title should be: I owned an AI startup via Firebase misconfiguration.

You can even name the startup if you want. That’s not flashy though and this person wants marketing.

TBF your proposed title is less snappy.

Of course, but that’s good in most cases as then you don’t get an overreaction.

The right people will read it (Chattr.ai’s customers) and respond. Right now everyone looks at it and some CISO will overreact and make everyone go check their Firebase configurations which may likely be a non-value add.

I think it’s incomplete. The startup needs to be named and shamed in the title.

The article is not shy about naming the startup (chattr.ai).

I don’t disagree with this either, I just didn’t think of it when I put my response in.

Naming and shaming does work.