by tomalaci 630 days ago
In this case? Nope. This must be treated as a willful design decision to open up the API to the entire public (including PII/phone-number leak as per design), even if they say they totally didn't mean that to happen. The government itself should then be notified to go after these guys for failing to do the most basic access controls.

I mean, come on! To treat this as a proper security vulnerability just gives too much leeway for these fast-and-loose businesses/systems. It will just encourage more such crap to proliferate.

I am with the author on this one, I am fairly certain this issue was raised internally already, probably multiple times. Fortunately for the business, their management made the right decision - focus on quick and easy features, security is a non-issue, we will just blame the hackers and have legal channels deal with them. I mean, you even have people here berating someone uncovering gross negligence for a Google-backed company. Why would businesses bother with basic security when they can play the victim so damn easily?


Author is in India, I would be very careful because it's much more likely the government will prosecute them for unauthorised access and irresponsible disclosure than do anything to the company.

Truth is even in the west this kind of irresponsible disclosure could land you in jail, much more so in a developing country where these laws are all relatively new.

Fully agree with you!

The API being unauthed is clearly a core design choice, and finding out that any customer or service data is openly accessible with consecutive numbers through that API is not a zero day or something.

There is no "responsible disclosure" to be made here; going to the company and explaining what the issue with all of this is amounts to "handing out free consulting" if anything.
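The "consecutive numbers through that API" pattern the comment above describes, as an added example that is not code from the page, from the company discussed, or from any commenter: an unauthenticated lookup keyed on a sequential id, beside a hardened version that requires a session, checks that the record belongs to the caller, and exposes only opaque identifiers. The sample records, the `Session` object, and all helper names are constructed for illustration.

```python
"""Sequential-id lookup with no authentication next to a hardened lookup.

Added example, not the page's or the vendor's code. The records, the Session
object and the helper names below are constructed for illustration only.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records: the kind of PII (phone numbers) the thread mentions.
CUSTOMERS: Dict[int, Dict[str, str]] = {
    1: {"name": "A. Customer", "phone": "+91-90000-00001"},
    2: {"name": "B. Customer", "phone": "+91-90000-00002"},
}


# --- Vulnerable: no caller identity, sequential integer ids -----------------
def vulnerable_lookup(customer_id: int) -> Optional[Dict[str, str]]:
    """Anyone who can reach the endpoint gets any record by guessing the id."""
    return CUSTOMERS.get(customer_id)


def enumerate_vulnerable(start: int, stop: int) -> Dict[int, Dict[str, str]]:
    """What a 'walk the consecutive ids' script does against the lookup above."""
    found = {}
    for i in range(start, stop):
        rec = vulnerable_lookup(i)
        if rec is not None:
            found[i] = rec
    return found


# --- Hardened: authenticate, authorise per record, avoid guessable ids ------
@dataclass
class Session:
    """Assumed authenticated principal; customer_id is None for anonymous callers."""
    customer_id: Optional[int]


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# Opaque public identifiers so the endpoint cannot be walked with a counter.
# Note: this only hides ids; the ownership check below is the real control.
PUBLIC_IDS: Dict[int, str] = {cid: secrets.token_urlsafe(16) for cid in CUSTOMERS}
BY_PUBLIC_ID: Dict[str, int] = {pub: cid for cid, pub in PUBLIC_IDS.items()}


def hardened_lookup(session: Session, public_id: str) -> Dict[str, str]:
    if session.customer_id is None:
        raise Unauthenticated("login required")
    cid = BY_PUBLIC_ID.get(public_id)
    # One error for both "no such record" and "not your record", so the
    # endpoint does not act as an oracle for which ids exist.
    if cid is None or cid != session.customer_id:
        raise Forbidden("not your record")
    return CUSTOMERS[cid]


def attempt(session: Session, public_id: str) -> str:
    """Outcome of one hardened call as a string, handy for tests and logs."""
    try:
        hardened_lookup(session, public_id)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


def enumerate_hardened(session: Session, start: int, stop: int) -> int:
    """Number of records an authenticated caller gets by counting ids: zero,
    because the public ids are not integers and other records are not theirs."""
    return sum(1 for i in range(start, stop) if attempt(session, str(i)) == "ok")
```

The vulnerable function is the whole "vulnerability": there is nothing to bypass, so a loop over integers dumps every customer. In the hardened version the ownership comparison is what actually protects other customers' data; the random public ids merely stop the endpoint from being walked in sequence and should not be relied on alone.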

Unfortunately that is not how the law works, at least in most countries. As soon as you enumerate ids, regardless of whether there is any security in place, it is unauthorised access and it's illegal.
Right, I believe they're posting as if the ethical standpoint is normalized, to further highlight the absurdity and injustice of the current legal framework.
Why is it unjust to prosecute people who harm a business and unsuspecting customers of that business by disclosing 0-day vulnerabilities publicly without giving them even a chance to patch?

The poster here has no proof that the vulnerability was already being exploited. For all we know, as obvious as this was, no one else had yet thought to look.

This is like going around people's house doors, testing to see if they are unlocked, and if they are, posting a big sign saying "unlocked door" on each one. It's obviously an anti-social act masquerading as benevolent, and it should be punished. Of course, the company running such highly vulnerable code should also be punished, but that doesn't absolve anyone.

Your metaphor is a big stretch. We're talking about a business and the expectations we should have for businesses.

Noticing an overhead pipe at McDonald's is dripping onto the griddle and pointing it out to people isn't harming the business, it's pointing out the business' gross negligence.

I don't agree with your alternate metaphor. In your example, publicly pointing out the leaking pipe can't cause any damage to the existing clients. In this case, publicly pointing out an exploitable vulnerability that gives access to personal information does bring extra harm to the customers.

If you want, a more apt comparison might be going around a business park and sticking big signs on every unlocked archive door you find. The companies not properly locking the doors are at fault, and customer data may already have leaked; but, you are virtually guaranteeing that even more customer data will leak by doing this. It should absolutely be illegal.

Seems outlandish. Citation needed? I'm aware of a couple of cases in the US, but not all over the world.

Secondly: can consumers be blamed for gross negligence? It's not reasonable for a bank to post account balances on a public billboard and ask people not to look at others'. We should contest when private data is available publicly, hidden only by small obfuscations, not professional security practices.

So for example in the UK with the Computer Misuse Act, intent matters. If you intentionally change an id because you expect you will be able to access other data, it becomes a crime.

Your example is flawed because in this case the private data was not made available publicly at all – you need to intentionally exploit a software flaw to access it.

Of course, it also matters how you handle it. If you do just enough to discover the flaw, try to adhere to the bug bounty program scope (if any), use your own accounts in testing and responsibly disclose any findings as soon as you have a PoC, then you'll probably be ok.

In this case the author went way beyond just finding the flaws, and then disclosed it publicly in a completely irresponsible way without even trying to contact the company or any of the clients affected by it (some of which will certainly have a security contact that can liaise with the vendor).

I concede that intent matters.

Maybe a better analogy is a bank with open lockers and no vigilance: if someone enters and steals money, the police will look for them, because "the coffers were open" is not a valid defense. But customers will also demand answers from the bank - why were they so negligent and incompetent that someone can just enter and get their money?

We should hold similar values for digital systems.

Was the author's intent to steal private data and cause harm? Did he gain from this abuse? Did the company take enough measures to safeguard their data?

Companies have been mostly not held responsible for their fuck ups, and no matter the law, that's wrong to me.

There are exactly two activities you can be participating in if you are exploring someone else's undocumented API: (1) free consulting, or (2) illegal hacking. Disclosing vulnerabilities you found in someone else's product, regardless of how obvious, is free consulting. If you're not responsibly disclosing them, then you were illegally hacking their systems.

Just because someone or something is unethical doesn't mean we should be unethical as a response.

We shouldn't limit ourselves to only be responsible and disclose properly when the vulnerability suits us.

That is both unfair and irrational.