by LeifCarrotson 484 days ago
If something bad is done by a bad actor because of this vulnerability being discussed in public, that's no worse than something bad happening because this vulnerability exists but is only discussed in secret.

This is not some highly-technical vulnerability only accessible to nation-states with genius engineers and million-dollar labs with exotic instrumentation and brute-force supercomputers pulling down many megawatts of power. The OP literally logged into an open Wi-Fi SSID, searched for the text on the page, and scrolled to the default password. None of those steps are hard to do; any jealous ex or disgruntled employee or divorced parent fuming in the parking lot for 5 minutes could effortlessly accomplish the same thing.

I honestly think it's likely that bad things have already happened due to this vulnerability - but not due to this disclosure.

But because it was only discussed in secret, no one ever got to the root cause of the issue and the hazard continued to be out there. Now that it's public, hopefully something will be done, and relatively quickly.


Shining a spotlight on an issue is completely different than the issue already existing.
Not shining a spotlight is worse. The important thing is providing time to address the found vulnerability, i.e. responsible disclosure. For which OP has indeed provided a timeline.

The debate has long since been settled comprehensively in favor of openness.

2025-01-30: Hirsch asked for an update as to whether clients running vulnerable systems have been alerted (no response as of publication)

2025-02-14: CVE-2025-26793 assigned

2025-02-15: publication

So two weeks after they don’t respond what they’re going to do with their clients this gets published? I’d hardly call that responsible.

I don't know why you picked a random date 2 weeks before publication instead of the relevant one:

2024-12-27: Current vendor of MESH identified as Hirsch (subsidiary of Vitaprotech Group) and contacted

They were contacted 7 weeks before publication

and

2025-01-11: Hirsch product security responds requesting details and are asked if they intend to alert clients

They responded 5 weeks before publication, and so were aware of the issue for at least 5 weeks before it was disclosed, during which time they did nothing about it

https://nvd.nist.gov/vuln/detail/CVE-2025-26793

"Awaiting Analysis This vulnerability is currently awaiting analysis."