top | item 47097670


cryptonector | 9 days ago

Hey TFA, other people have gone to prison for finding monotonic user/account IDs and _testing_ their hunch to see if it's true. See, doing that puts you at great risk of violating the CFAA. Basically, the moment you knew they were allocating account IDs monotonically and with a default password was the moment you had a vulnerability that you could report without fear of prosecution, but the moment you tested that vulnerability is the moment you may have broken the law.

Writing about it is essentially confessing. You need a lawyer, and a good one. And you need to read about these things.


phyrog|9 days ago

The blog is under a German domain, the company is from Malta. Why would they care about a US law again?

UqWBcuFx6NV4r|9 days ago

Because Americans can never comprehend literally anywhere on earth existing. Genuinely, if any other place on earth tried this crap… the Americans would lose their minds.

kyusan0|9 days ago

IANAL, but the law in Germany is basically the same in this case: accessing data that's meant to be protected and not intended for you is illegal. It depends somewhat on the interpretation of what "specifically protected" ("besonders gesichert") means. https://www.gesetze-im-internet.de/stgb/__202a.html

bgnn|9 days ago

What is CFAA? I couldn't find anything about it in EU or Malta. Is it something in India or China? Or Japan? Hmm, maybe I'm missing another country.. Australia?

ddtaylor|9 days ago

Computer Fraud and Abuse Act

dented42|9 days ago

That feels fundamentally broken. How can you expect an organisation to respond appropriately if you don’t provide them any kind of proof?

Faark|9 days ago

He had enough proof: his own students, who presumably agreed. And in case the company still pretends there is no problem, you could still crawl their entire user base...

ddtaylor|9 days ago

> Basically, the moment you knew they were allocating account IDs monotonically and with a default password was the moment you had a vulnerability that you could report without fear of prosecution

That logic is garbage and assumes there is some arbitrary point at which a user should magically know the difference between a few IDs happening to be near each other versus a system wide problem. The law would use the interpretations of "knowingly", "intent" and in this case "reasonable".

bdavbdav|9 days ago

Would a better course of action here have been for him to generate a “test test” account under his?

Alive-in-2025|9 days ago

Then they could kick him out of the org for "creating a bogus account": "our company isn't bad, you're the bad actor". The bad company he was trying to get to fix their thing didn't behave properly, end of story.

This happens over and over again because for so many companies their natural thing is to hide any problem and threaten to sue anyone who discloses. Software problems have broken that typical behavior, to some extent.

I salute the author of this post who dared to do the right thing. I hope the company comes to their senses and doesn't try to punish the diving instructor. Over and over companies have tried this same "attack the problem reporter" strategy when software problems are revealed.

itake|9 days ago

I find it interesting how American-accented people publish on social media how to access non-linked FBI files related to the Epstein leak, by updating a URL.

krater23|9 days ago

I think the right way would be to sell this shit on the darknet and then anonymously reveal the bug to the public.