Comment by Ekaros
5 hours ago
They vibe coded their system and it showed Adafruit something? Or showed some information with trivial prodding? Sounds like your average cross-tenant leak. Maybe showing more than intended or some caching issue. Many options, some not really the fault of Adafruit.
Or someone found server.domain/path/subdirectory/resourceX and was like "shit, I was hoping to find resourceY but I can't find a link to it, I wonder if I just click in my address bar and change the X to a Y", and voila, resourceY is right there.
To some of us, this is elementary navigation. Like going up the stairs if the elevator is out. Often it's faster than waiting for the damn elevator, too.
To others, it's cybarrrr-criiiimeeee!!!!!!11111one
People have already been imprisoned for this; one case I can think of off the top of my head is https://en.wikipedia.org/wiki/Goatse_Security#AT&T/iPad_emai....
Continental Airlines had an active frequent flyer community. A student emerged as a legendary figure (think "Hunger Games") after she noticed that Continental announcement URLs were numbered sequentially, and a not-yet-released announcement rather unfavorable to current elites was there for anyone to read. Quite the brouhaha. Continental retreated.
She was nevertheless welcome at a frequent flyer event hosted by Continental in Houston, where she beat me at poker.
I don't know the details of the case, but what they worded there is a textbook unauthorized intrusion and a naïve teenager "the door was open" defense.
Mind you there can be nuances, but that quote is like saying "I took their stuff, but it was poking out of their pocket."
I think people have a heightened reaction to threats based on the CFAA for "the door was open" circumstances because that law is so widely known for being used in threats against folks who were trying to ethically report things and in overly-aggressive prosecutions.
Of course, we don't yet know the specifics of this particular case, but I'm willing to lean towards the people receiving legal letters threatening CFAA action until there's more information.
No, it's more like "the door was open" in the context of a storefront. A public website carries an implicit invitation to visit, otherwise web browsing would be illegal.
It is a bit of a grey area. You are evaluating something. Do some basic checks. Actually end up seeing something you should not. You stop and tell them to fix it. They then silence you.
Now it is a bit questionable whether you should check things like this during evaluation or not. Strict legal reading, probably not. With reasonable customer relations you thank them and put it on top of the priority list. Unless they clearly enumerated everything they got their hands on or tried to run more real scans.