Hacker News
by unreal37 5000 days ago
It sounds like it wasn't launched yet. The founders say they built it for themselves and their friends to start. Someone discovered the URL and posted it to Hacker News.

They probably should have shut it down or disabled registrations once it got out until it was tested.

4 comments

> It sounds like it wasn't launched yet. [...] Someone discovered the URL and posted it to Hacker News.

Sorry, but if you put a public site on the Internet, somewhere it can be discovered, and you are prompting people to put in sensitive credentials on that site, then you have launched for practical purposes. You should be implementing security measures accordingly.

If you're not ready for that and just want to show friends, it's not exactly rocket science to add basic HTTP Auth to the site, lock it to specific IP addresses, or any number of other trivial measures that would have prevented this problem.

Friends are customers, too. One row in your database is a customer.

Before ever putting a service up on the public Internet (service defined here as "accepts arbitrary requests" and "delivers arbitrary responses"), I would hope every human being that knows his way around a text editor treats user data like the Dead Sea Scrolls. If you store a row in a database, you then think of every way that an unauthorized party can gain access to that row and close each in multiple ways. I can recite dozens of cases where user data hasn't been treated with the respect it deserves (i.e., every single Bitcoin disclosure due to newer developers running sites that are handling money).

If people took user data more seriously than they do in general, we'd have a lot less leaks. Imagine if this had gone undiscovered and the service took off? Imagine how many undiscovered vulnerabilities there are in there, with this track record to start?

I can't sympathize with this at all. I just can't.

> It sounds like it wasn't launched yet. The founders say they built it for themselves and their friends to start. Someone discovered the URL and posted it to Hacker News.

It should not have been on the public internet without access control for editing/viewing personal information like this - as soon as a site is visible on the internet there are bots trying all conceivable URLs on it and scraping for information. If you look in your logs for any server you'll find all sorts of php, aspx, etc. URLs as bots try to find vulnerabilities, no matter what you're running. I'm sure there'll be some Rails scrapers out there too, though perhaps they're not too common yet.

There are probably a lot of other holes if they left the user security so wide open.

I don't get this. Ensuring that users can't edit/access the profiles of other users is trivial in most frameworks.

It shouldn't be something that slips through testing. If you aren't doing that from the start, something is seriously wrong with how you're building out your application.
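
Added example, not part of the thread: the per-user ownership check the last comment refers to, sketched in plain Ruby without a framework. `ProfileStore`, its method names and the sample rows are hypothetical and constructed for illustration; the field allow-list goes slightly beyond what the thread discusses.

```ruby
# Added illustration; ProfileStore and all names and data are hypothetical.
class Forbidden < StandardError; end

class ProfileStore
  EDITABLE = %i[display_name email].freeze # fields a user may change

  def initialize
    # Constructed sample rows: id => profile
    @rows = {
      1 => { owner_id: 1, display_name: "alice", email: "alice@example.test", admin: false },
      2 => { owner_id: 2, display_name: "bob", email: "bob@example.test", admin: false }
    }
  end

  def find(id)
    @rows.fetch(id)
  end

  # Broken pattern: trusts the id from the request and never asks who is
  # logged in, so any caller can edit any row.
  def update_unscoped(profile_id, attrs)
    @rows.fetch(profile_id).merge!(attrs)
  end

  # Hardened pattern: the row must belong to the session's user, and only
  # allow-listed fields are written (so `admin` cannot be set from a form).
  def update_scoped(current_user_id, profile_id, attrs)
    row = @rows[profile_id]
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    raise Forbidden, "not found" if row.nil? || row[:owner_id] != current_user_id
    row.merge!(attrs.slice(*EDITABLE))
  end
end

if __FILE__ == $0
  demo = ProfileStore.new
  begin
    demo.update_scoped(1, 2, { display_name: "edited by user 1" })
  rescue Forbidden => e
    puts "user 1 editing profile 2: rejected (#{e.message})"
  end
  demo.update_scoped(1, 1, { display_name: "alice2", admin: true })
  puts "user 1 editing own profile: #{demo.find(1)}"
end
```

The test worth keeping in a suite is the negative one: log in as one user, request another user's profile id, and assert the request is rejected.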