item 41623905

tomalaci | 1 year ago

In this case? Nope. This must be treated as a willful design decision to open up the API to the entire public (including the PII/phone-number leak, as per design), even if they say they totally didn't mean for that to happen. The government itself should then be notified to go after these guys for failing to do the most basic access controls.

I mean, come on! To treat this as a proper security vulnerability just gives too much leeway for these fast-and-loose businesses/systems. It will just encourage more such crap to proliferate.

I am with the author on this one. I am fairly certain this issue was raised internally already, probably multiple times. Fortunately for the business, their management made the right decision: focus on quick and easy features, security is a non-issue, we will just blame the hackers and have legal channels deal with them. I mean, you even have people here berating someone for uncovering gross negligence at a Google-backed company. Why would businesses bother with basic security when they can play the victim so damn easily?

mpeg | 1 year ago

The author is in India. I would be very careful, because it's much more likely the government will prosecute them for unauthorised access and irresponsible disclosure than do anything to the company.

The truth is, even in the West this kind of irresponsible disclosure could land you in jail, much more so in a developing country where these laws are all relatively new.

krsdcbl | 1 year ago

Fully agree with you!

The API being unauth'd is clearly a core design choice, and finding out that any customer or service data is openly accessible with consecutive numbers through that API is not a zero-day or something.

There is no "responsible disclosure" to be made here; going to the company and explaining what the issue is with all of this amounts to "handing out free consulting", if anything.

mpeg | 1 year ago

Unfortunately, that is not how the law works, at least in most countries. As soon as you enumerate IDs, regardless of whether there is any security in place, it is unauthorised access and it's illegal.

tsimionescu | 1 year ago

There are exactly two activities you can be participating in if you are exploring someone else's undocumented API: (1) free consulting, or (2) illegal hacking. Disclosing vulnerabilities you found in someone else's product, regardless of how obvious, is free consulting. If you're not responsibly disclosing them, then you were illegally hacking their systems.

thinkingemote | 1 year ago

Just because someone or something is unethical doesn't mean we should be unethical as a response.

We shouldn't limit ourselves to being responsible and disclosing properly only when the vulnerability suits us.

That is both unfair and irrational.