[madaxe_again]

You need to be very, very careful about posting this, depending on your jurisdiction - in most western countries this disclosure is illegal, and you can be criminally prosecuted for providing information about accessing personal information, and you are also admitting that you knowingly accessed the personal information of other customers - in fact, airline passengers, who there are additional privacy laws for.

What you’ve done here is a criminal act according to the CFAA, and your exploration of their site could also be construed as wire fraud. As you’ve done this across state lines this is also a federal felony. You’re also in violation of the GLBA, as you’re disclosing the availability of airline customer information. You could also fall foul of the FTC and the wiretap act.

I have seen people (Weev, Michael Brown, numerous others) go to prison for similar, and this lot could win you years in a federal penitentiary.

Please, consider the legal consequences this could bring upon you.

I would simply forget about it and promptly delete this - it’s their problem, not yours, and by posting about it here, they could decide to make it your problem.

[StressedDev]

I am not a lawyer but this line of thinking does not make sense to me. First, poster did not post any personal information. Second, the poster responsibly disclosed the bug to Alaska Airlines but Alaska did not fix it. The poster is now publicly disclosing that the bug exists. Note that the poster did not include repo steps for the bug.

The bottom line is we need a mechanism to ensure security bugs are fixed. Publicly disclosing security bugs when an organization does not fix the bug is a good way to do this.

Note this practice started in the 1980s or early 1990s because software venders refused to fix security bugs. The full disclosure movement was created because security researchers wanted the bugs fix and publicly disclosing them was the only way to get some organizations to fix their security bugs.

[madaxe_again]

Yeah, that’s all nice and all but it’s irrelevant in the eyes of the law.

Not posting personal information is irrelevant - that he has accessed it and admits doing so, is.

Prior disclosure is irrelevant. There’s case law that makes this clear.

Not including repro steps is irrelevant as merely disclosing the presence of a vulnerability is enough to fall foul of the CFAA, as the reasonableness test is whether a competent person could with the knowledge given reproduce the vulnerability, to which the answer is almost always yes. They also admit using the vulnerability, which is definitely a violation of the CFAA.

I agree wholeheartedly with your sentiment that this is nuts, but this is the way the law has been written and applied, and he is taking a serious risk with this disclosure.

[rascul]

They clicked an ad. What did they do that's illegal?