Hacker News new | ask | show | jobs
by clobec 4181 days ago
I still don't see why he had to do this?

He has plenty of time to inform the ICO of this issue. He contacted moonpig then let the sit on this for a year.

If he wants to be a disclosure hero, he could have at least told the ICO at the same time he told moonpig.

The issue is 100% Moonpigs fault but he chose to disclose publicly rather than use the legal route set up to deal with these kinds of issues.

The whole responsible disclosure scene needs a reboot and people need educating on the responsible way to deal with these issues. Public disclosure should be a last resort (within reason). Not even contacting the ICO before doing this is shocking to me.
1 comments
eth0izzle 4181 days ago
OP here and I agree with you. The ICO genuinely didn't even cross my mind and in hindsight I probably should of gone via that channel before publicly disclosing. Are there any set procedures to follow for this sort of thing?
link
penguat 4181 days ago
Another minor consideration - here in the UK this was posted at 10PM - not exactly a friendly hour. It would have been nice to schedule the post for a time when UK businesses expect to operate. I don't expect they would have thanked you for it in any case, but they would probably have had both a better response time and a better organised response
link
Nexxxeh 4181 days ago
They had 17 months, and their Twitter account was still posting at 9pm this evening.

If they gave two shits about our data (and it might include mine, it definitely includes my mum's), or if they were capable of a sensible helpful coherent response, they'd have done it 16.5 months ago.

link
Nexxxeh 4181 days ago
In reply to the child post (of my other comment), because I can't do so directly due to nesting limited:

>Have you read any of the above?

>It's clear they didn't care, that's why I'm saying the ICO should have been informed. That would force them to give a shit.

I had, at the time of writing my post, read all the comments on this story. I was commenting specifically on the parent's point about what time of day the story of was posted. I don't disagree with you re: ICO.

However I don't think it's fair to characterize the disclosure as irresponsible. The fault lies with the vendor for not patching. Publicizing guy followed industry standard practices for responsible disclosure. Vendor is just fucking useless.

I'm unhappy, as I'm sure it'll cause an increase in spam and possibly spearphishing to my mum, which I will subsequently have to deal with. Yey. But that's Moonpig's fault.

Edit: And in response to the response to the response...

>Why are you saying the fault lies with the vendor? Do you think nobody knows that? Do you think that's not obvious? Do you think that's what I was commenting about?

Because it does. No, I think everyone knows that, however it was relevant to the rest of the paragraph. I don't think that was what your child post was about, however I didn't want to make ANOTHER post to voice my opinion.

>There's a difference between reading and comprehension.

I read AND UNDERSTOOD the comments, I was of course referring to your rhetorical question implying that I hadn't even read them. Apparently you didn't comprehend that?

link
clobec 4181 days ago
Why are you saying the fault lies with the vendor? Do you think nobody knows that? Do you think that's not obvious? Do you think that's what I was commenting about?

There's a difference between reading and comprehension.

link
penguat 4181 days ago
yes, quite clear that they didn't give it the priority it warranted (aka giving a shit) - just wanted to point out that there was a friendlier option timing wise. For my money, I'd have seen this disclosed 11 months ago - it's a serious vulnerability to the extent that I'm glad I've never used moonpig.com - but I'd have seen it disclosed in the UK daytime when the company was awake to be able to shut down its API. There's even an argument to be had that waiting as long as this is a little irresponsible - although that's covered to some extent by following up.

I don't know if it's legal to give advance warning of public disclosure - that could easily become a minefield as it might be interpreted as a threat, and linking it to a request to fix could seem coercive.

link
clobec 4181 days ago
Have you read any of the above?

It's clear they didn't care, that's why I'm saying the ICO should have been informed. That would force them to give a shit.

link
peteretep 4181 days ago
https://ico.org.uk/concerns/handling/
link