Comment by DANmode
3 days ago
> You don't need to retrieve other people's data to demonstrate the vulnerability.
If you’re reporting to a nontechnical team…which sometimes you are…sometimes you do?
3 days ago
> You don't need to retrieve other people's data to demonstrate the vulnerability.
If you’re reporting to a nontechnical team…which sometimes you are…sometimes you do?
If the nontechnical team is refusing to forward it to whoever maintains the system, they apparently see no problem and you could disclose it to a journalist or the public. Or you could try it via the national CERT route, have them talk to this organization and tell them it's real. In some cases you could send a proof of concept exploit that you say you haven't run, but they can, to verify the bug. You can choose to retrieve only your own record, or that of someone who gave consent. You can ask the organization "since you think the vulnerability is not real, do you mind if I retrieve 1 record for the sole purpose of sending you this data and prove it is real?"
In jurisdictions like the one I'm most familiar with, it's official national policy not to prosecute when you did the minimum necessary. In a case where you're otherwise stuck, it's entirely reasonable to retrieve 1 record for the sake of a screenshot and preventing a bigger data leak. You could also consider doctoring a screenshot based on your own data. By the time they figured out the screenshot was fake, it landed on a technical person's desk who saw that the vulnerability is real
Lots of steps to go until it's necessary to dump the database as OP did, but I'll agree it can sometimes (never happened to me) be necessary to access at least one other person's data, and more frequently that it will happen by accident
Absolutely not. That's not your concern nor your problem.
They're perfectly capable of hiring incident response experts, and companies commonly have cyber insurance that'll pay for it.
"Demonstrating" is dumb and means you turn an ordinary disclosure into personal liability for you.
Blabbing about it on the internet is just the idiot cherry on the stupid cake.
If your goal is to successfully report and resolve, it is your problem.
Agree otherwise.
In the stories I’ve carefully read, no proof means being ignored by frontline people who are all you can reach,
turning an ordinary disclosure into no disclosure at all.
That's still not your concern or your problem. You're not internet Batman. Opening up yourself to criminal liability for someone else's site is insane.
4 replies →
If you flip it, we have a dude here admitting to breaching a large number of accounts and gaining access to PII -- including PII about minors.
Are we and the Maltese government just going to trust this guy and assume he has actually deleted everything, with no investigation?
If his goal was to keep the data he wouldn't have reported it?
That doesnt necessarily track. He could have stolen the data, then reported it to clear his own name. He did access more data than he needed to prove that there is a likely breach.
1 reply →
How will you ensure the other people who were exploiting the hole have deleted their copies?
What a weird way to think about this.
Is it? if 10 people may have committed a crime, should we exonerate 1 of them because he reported it and promises he didnt do anything?
1 reply →