by tptacek 479 days ago
I'm confused about the chronology here:

1. He discovers an unprotected database.

2. He mails the CEO of the company.

3. The database is fixed.

4. He mails the CEO again to say he's publishing.

5. The CEO replies and says there was no security breach.

6. He goes spelunking in the database tables to write a rebuttal?

How does step 6 happen? What has this person exfiltrated from the database, in advance of losing access to it in step 3?

3 comments

If I read the article correctly, step 6 was using data from a previous dump to access files now.

So say the dumped data contained the URL of a file and you couldn't get the URL now (due to step 3), but you can still download the actual file.

TBH it sounds like he exfil'ed / downloaded the database before reporting.
Isn't this a jurisdictional crime that a well-connected CEO could get him in a lot of trouble for?
Step 6 happened because the CEO, in his hubris, decided it would be in his best interests to threaten someone instead of being grateful.

Additionally, had the CEO responded appropriately and followed the standard methodology of all reasonable bug bounty programs, it would have included a request for the researcher to verify the fix and that there are no additional related bugs or defects with the current patch.

You noticed that the email implies the security has been perfected. Did you also note that it would be unethical for a professional to blindly convey that false belief?

I'm wondering how it's possible that step 6 happened, not what the motivations are. It's written in multiple places as if database queries were issued after the database was taken down.
I think the data he discloses in the post is the data that he got before getting in contact with the company. He does this in order to prove that the database was accessible to anyone on the internet, instead of the "no breach at all" claimed in the response email.
He writes as if he has access to large quantities of data after the CEO responded to him, which implies that it was after the exposed database was fixed, as the author acknowledges in the email he sent to the CEO.
No, I did not query the database after it was exposed.

The information I had was from when the database was publicly exposed.

I don't want to be too specific about the links for the files, as I don't know if others accessed this information and could exploit it, but they had the website path to download the files exposed in the database; you just needed to know what to add to it. I tried a few things from the information I had and found out they worked.

I would have probably skipped over this, but after their response I wondered if there was more to it.

The files were not stored in the database, they were in cloud storage, but that link made it so no authentication was required to access them (not an expert, but I would say some hard-coded access keys or something similar).

*No, I did not query the database after it was fixed.
Did you not consider the CEO would just lie about fixing something?
I assume the author isn't lying when they acknowledged that it had been.
I'm lost, what are you referring to? The author references the claim by the CEO, and then goes on to prove it was a lie.

That's a very common linguistic pattern.

The email that the author sends to the CEO, in which his rationale for immediate disclosure is the fact that the database was fixed.