Hacker News new | ask | show | jobs
by altacc 641 days ago
There's a big difference between announcing "I found all this private data" and "I found all this private data and here's exactly how I did it and here are the URLs". What the author has done is detail exactly how anyone else can abuse this system from anywhere in the world and also given them ideas about what to do with that information that would cause a direct cost to the company. I think that's irresponsible and unnecessary. You public disclosure rationale has some merit but it didn't require publishing the user manual for the attack. Just saying you used the API, publishing the amounts plus some proof of private data from people who have given consent would be enough to get the business scrambling.
2 comments
golol 641 days ago
This seems less like a "manual for attack" and more like tweeting that your local storage unit rental never puts locks on their garages and gates and "anyone could just walk in and out".
link
altacc 641 days ago
To expand your analogy can you see the difference between: "A storage unit I know of never uses locks" and "The storage unit at 1234 Central Boulevard, San Andreas never uses locks, just wiggle the door a bit and it'll open."

I think most people would acknowledge there's a big difference.

link
Wytwwww 641 days ago
That's not the same though at all.. A closer analogy would be publicly announcing that "Company managing the storage lockers 1234 Central Boulevard, San Andreas is keeping all of them unlocked without telling their customers".

Which would still be wrong but you're implying that the business is the victim here when it's the complete opposite.

link
golol 641 days ago
Yea sure it is a difference, but for me not outrageously immoral. I guess you can get in trouble though.
link
Wytwwww 641 days ago
> cause a direct cost to the company

Nothing wrong about that. Of course still doesn't justify publishing/providing access to client data who did nothing wrong.

link
altacc 638 days ago
Causing damage or cost to a company through fraudulent use would be the cornerstone of a civil or criminal prosecution. Cases where there is good disclosure and no cost incurred tend to get dismissed, cases where there is identifiable damages get stupidly big sentences and/or fines.
link