qnleigh
an hour ago
> I would have thought about privately disclosing these findings to Dotpe. But all the API requests are right there in plain sight...
There are pretty common ethical standards about disclosing vulnerabilities privately before disclosing them publicly. I don't see how the obviousness of the vulnerability changes the situation. By warning the company, you give them the opportunity to remedy the problem before announcing to the world that anyone with a laptop can exploit it. Probably they were just hoping that nobody would notice, which is stupid of course, but now they don't have the chance to build up a better wall before the flood of fake orders that could cause real harm to the small businesses whose financial information you disclosed online.
Perhaps I'm being too optimistic about how the company would respond, but I still think it's hard to justify not doing a private disclosure.
mainframed
29 minutes ago
Adding to this, in some countries he is already past the gray area of what constitutes computer fraud.
Pissing off the company, whose systems you accessed without authorization, is one way of getting to experience the full force of the justice system.
moralestapia
2 minutes ago
Curious.
How is this, specifically, fraud?
tomalaci
19 minutes ago
In this case? Nope. This must be treated as a willful design decision to open up the API to the entire public (including the PII/phone-number leak, as per design), even if they say they totally didn't mean for that to happen. The government itself should then be notified to go after these guys for failing to implement the most basic access controls.
I mean, come on! To treat this as a proper security vulnerability just gives too much leeway for these fast-and-loose businesses/systems. It will just encourage more such crap to proliferate.
I am with the author on this one; I am fairly certain this issue was raised internally already, probably multiple times. Fortunately for the business, their management made the right decision: focus on quick and easy features, security is a non-issue, we will just blame the hackers and have legal channels deal with them. I mean, you even have people here berating someone for uncovering gross negligence at a Google-backed company. Why would businesses bother with basic security when they can play the victim so damn easily?
krsdcbl
6 minutes ago
Fully agree with you!
The API being unauthed is clearly a core design choice, and finding out that any customer or service data is openly accessible via consecutive numbers through that API is not a zero-day or something.
There is no "responsible disclosure" to be made here; going to the company and explaining what the issue is with all of this amounts to "handing out free consulting", if anything.
thinkingemote
5 minutes ago
Just because someone or something is unethical doesn't mean we are allowed to be unethical as a response.