Email or username:

Password:

Forgot your password?
Top-level
Tamas K Lengyel

@WPalant @thisismissem Intent and damages should absolutely matter. But it's also common sense not to use the hardcoded credentials to login and dump the database. Or if you do, why report that you did? Perfectly sufficient to just say you found the hardcoded credentials and stop there.. Bad practice on both sides.

11 comments
Yellow Flag

@tklengyel @thisismissem Where did you read that he dumped the database? My understanding is that he connected to the database in the assumption that it was specific to his client, then disconnected and reported the issue immediately after realizing that it contained data on other customers as well.

Tamas K Lengyel

@WPalant @thisismissem Just connecting to the db won't show you what data is in it to determine it's not just your data. So he must have dumped it or at the least queried it sufficiently deeply to make that call.

Beady Belle Fanchannel

@tklengyel @WPalant @thisismissem Just connect to it with a GUI tool like dbeaver (like devs are likely to do), it will show you the schema of tables.
There will be columns like “clientName” or similar, and then doing a few very simple selects will tell you whether you have access to other people’s data.

Beady Belle Fanchannel

@tklengyel @WPalant @thisismissem Mixing customer data like that and giving full access to the database with the given user credentials is criminal neglect and should cost the company dearly. Not the person who figured it out.

Yellow Flag

@Profpatsch @tklengyel @thisismissem According to nitter.net/der_sofc/status/174 he connected with phpMyAdmin. While I haven’t used that tool in decades, that would presumably also expose the database schema immediately.

DELETED

@tklengyel @WPalant @thisismissem I hate this thread. Also responsible disclosure is a thing and should be protected under law. Vendors doing something stupid than pressing charges is incompetence and should be audited by a gov agency.

This thread and this case is why people don't bother reporting anything they find without malicious intent and just watch the company shoot themselves in the foot.

Tamas K Lengyel

@alex_02 @WPalant @thisismissem I agree, but the reality is that you are better off just ditching that vendor if they won't fix the issue. Then why not publish the issue anonymously? If you aren't going for a bug bounty what is there is to gain by attaching your name to it?

DELETED

@tklengyel @WPalant @thisismissem why does disclosing a security issue require to be a bug bounty or publishing it anonymously? Treating hackers and researchers like terrorists is just making things worse and why threats like ransomware gangs have such an easy walk in the park with breaking into networks.

Clover :neocat_3c:

@tklengyel so your proposal is that when someone finds a severe security issue they should just stop using the service themselves then anonymously publish it publicly?

I suppose that is one way of doing things “fuck every company that won’t pay me for finding an issue”.

Though, overall, this would result in more vulnerabilities being exploited instead of fixed before they are exploited by bad actors

@alex_02 @WPalant @thisismissem

DELETED

@tklengyel @alex_02 @WPalant @thisismissem I'm trying to figure out if Tamas is just being disengenuous, or worse. If I were to find a bug in a product from your company (Intel?!), would y'all prefer that I
a) Blast it off into the aether and yolo off into the sunset while bad actors begin exploiting it?
b) Blast it off to what's likely a b0rked 'security@' e-mail address to be seen when the sun rises from the west?
c) Inform you of the problem in a way you can come back with questions?

Tamas K Lengyel

@frainfostudent @alex_02 @WPalant @thisismissem I'm just saying that if a vendor has no defined security reporting policy and/or an active bug bounty don't be surprised if they will be a bad actor in other ways as well. It's a risk at that point, why take it?

Go Up