252
Pavona
69d

I just got fired for the first time. Just to preface this, I'm an 18 year old who works seasonally for a state park until I go back to college. These parks all use a software for camping reservations n whatnot. Now, I'm a bit of a fucktard at times, but I found a way of taking their entire fucking customer database of 94 million customers because they exclusively used clientside validation for their search requests & the number of records to send. Instead of just fucking exploiting it like any fucking sane person should, I opted to report it to the company. So I talk to my boss, he gives me a thumbs up, and I call them. I ring their help desk, and lead off by just requesting to speak to their immediate supervisor politely. I know plenty well that the entry level desk jockey isn't going to know what the fuck they're doing. I talk to the supervisor, tell them about the bug, and the cunt is blatantly condescending. Insisting it's a fucking feature of the software. Now here's where I fucked up. They asked me my name, and I gave them my first. They looked through users in the area and got my last. So the supervisor says he'll call me back. About an hour later they ring me, give me a number to call and a conference call pin. I ring it, and immediately it's a tribunal of four devs, a management lad, and myself. All of them having something around twenty years on my prepubescent ass. I begin by explaining what it was, how I found it, how to replicate it themselves. Never swore, never insulted them. The closest I came to it was when one of the devs kept saying that the ability to search through every customer by exploiting how their zip code search worked wasn't an issue caus you could only request a maximum of 50 records per page. To which I replied, "I don't want to be condescending or tell you how to do your job, but I just explained to you how I can retrieve more than 50 records. Basic users shouldn't be able to have access to this info." They say they have all the info they need from me and I leave the call. And that's how I lost my job. They came looking for blood. They started by ringing the states office to inform them of my insolence. State panicked, called my boss, told him I had to go. Just like that. Motherfuckers. I tried so fucking hard to do the right thing. I went out of my way to help these people, and I got fucked for it. This was my first rant worthy story, and holy fuck I'm mad. I've never been fired before. I'm a relatively ok employee. People fucking steal from this place repeatedly and they keep them. Fucks sake. I'm sitting in my car trying to get it through my head what the fuck just happened. Fuck this.

Comments
  • 56
    Damn that's sad, some people just can't handle being wrong anyways good luck my prepubescent friend.
  • 3
    @John47 thanks man.
  • 76
    - A guy found a huge security flaw in our software, what should we do?
    - Let's get him fired. What could go wrong with that?
  • 12
    you did nothing wrong, sadly this is not enough now a days.
    I'd suggest to you write this story without mentioning names on linked in, however make sure to verify every detail with some security background.
    in terms of legal terms you have done an unauthorized security testing which spells out as a malicious activity. they should have thanked you but they didn't and the ability to make tests without permissions is reserved to a specific people and organizations. especially if it's not a publicly exposed APIs
  • 10
    @maces that's the worst part. I was able to do everything within their client. I read through their EULA, as well as their code of conduct before hand. It was just heaps of bad code.
  • 28
    @Pavona read up on vulnerability disclosure policy and prepare to publish this - if they want to play nasty, so can you. They didn't listen to you as an employee and treated you like an unwanted child, let's see how they'll treat you as a proper, independent, outside entity that has discovered a security vulnerability/flaw.

    Review your employment contracts or any additional Non-disclosure acts/clauses, optionally consult with someone better versed in legal matters to avoid this backfiring when you go official on their arse.
  • 9
    @maces if he did unauthorized vulnerability and/or penetration testing, it could be cause for trouble. But from what I understand, this bug was found during regular software development and testing process while doing his job.
  • 12
    @theKarlisk I'm not even a dev. I'm literally just a seasonal worker who does basic transactional stuff like making reservations. Thankfully that means no NDA.
  • 14
    @Pavona don't go silent man whistle blow all the way.
  • 7
    @maces whistle blowing might do more harm than good - if one does it proper it's good stuff to put in your CV.
  • 5
    @theKarlisK it depends since he was using their software As is and not intended to be edited "this is my understanding" anyway i completely support him and urge him to go through the proper channels. just adding some input so he wouldn't make mistakes when he start representing him self
  • 5
    @maces here's where I'm iffy about blowing the whistle. The accounts for the software are granted with the company contact, not available to the public. Does that change anything? Aside from that, because they're government computers I run the risk of violating (I think its) US code §1030
  • 5
    @theKarlisK again man it depends on the scenario when there is public involved and the possibility is there i don't see him getting condemned for it. also to put it simply his client is clearly not data protection compliant, this alone is worth reporting.
  • 6
    @Pavona oh shit in that case get in touch with someone from the CEH community and ask for help maybe. but if it can be abused only from within the system and not publicly available service then it would be a disadvantage for you.
    dev rant is not the perfect place for help regarding that idk how shit goes on in the US but i assume there should be some sort of authority for this, be prepared get a professional official security consult and laydown your thoughts in an organized matter, in light of recent fb stuff and gdpr stuff going on there must be some interest in that
  • 3
    @Pavona also one last thing if the data exposed is available for authorized people then it might be fine, it's really complicated if it goes legal and especially if a gov office is involved
  • 19
    Call a journalist and publish the fucking story. They fired you in a way that seems pretty illegal. Or file a suit.
    This is the kind of people that deserves a kick in their already non existing nuts
  • 2
    @2lazy2debug at will employee unfortunately. They can fire me for breathing
  • 5
    @Pavona they just assume you won’t do anything because you are young. I would not let go. Maybe not a suit but a newspaper article can spotlight their incompetence and their insolence
  • 3
    I'd talk to local media and write an exploit put it on github and give that to the media too
  • 3
    @AlexDeLarge I agree to this sentiment.
  • 10
    please

    for the love of god

    sue them

    this kind of shit shouldn't be tolerated

    hurts the entire industry

    this is why hackers rape everyone

    sue their asses, get money, get press

    any editor in the world will want a story like this if you explain it just right

    then they'll get you a lawyer

    then you'll get money, while exposing bullshit

    public gets outraged, which gets exposure for press, lawmakers get wind of it

    win/win/win/win

    dont just do nothing... do something
  • 14
    I love your optimism man:
    "I just got fired for the first time"
  • 15
    You say you got fired, I say you got the opportunity to find a new job where people aren't actual morons
  • 1
    @Pavona You should publish this story on LinkedIn or somewhere public, the company who makes this software deserves some heat for this
  • 1
    Ok... Let's exploit them then
  • 2
    Well if you had not told them about it and if data got compermised then they would have blamed it on you. Now if they get hacked, they cant blamed it on you as you tried to help them out and got fired.
  • 9
    you should have tried to register bobby tables as a customer before leaving.
  • 2
    @thisDOTdevLoper I soo wish they get hacked and the shitheads, who made the call to fire this guy, get roasted for it and then get shafted for being the incompetent tarts that they are.
  • 1
    Fucking leak it
  • 5
    DROP TABLE *
  • 2
    I think you did a great job.
    Document your findings, go to a news outlet, tell your story, start your career as a security expert.
  • 1
    I would hack the shit out of their system.
    They might say that you habe a motive, yet they can't prove it.
  • 2
    @rant1ng I agree. Hurt them financially, then donate the money to a youth coding charity. Help create a generation that can actually code.
  • 3
    You did the right thing, they didn’t.

    Now you should be able to report/sue them.
  • 3
    That's why some people don't report exploits when there's no bug bounty. People in Poland got sued for damages because they reported such big bugs - but the company felt threatened. :/
  • 2
    Completely and worthlessly unacceptable. Getting fired for trying to help has the be gut wrenching
  • 1
    That's the curse of dealing with people that have no other concept of technology than fear.
  • 2
    All the best for you. Your honesty is making you special and please keep being like that. I know the company and devs who cant do their works are assholes. Its sad that if you are being honest get punished while lying politics and managers always get further.

    Have a nice day and i hope you find a better job :) With someone who has more respect for your work
  • 2
    Just tell us the name of the park so we can call and explain how they fucked up in a condesending way.
  • 0
    @masterdoctor the system is contracted Nationwide. My ex-manager didn't have much of a choice.
  • 1
    @Pavona okay tell us the name of the guys who fired you?
  • 1
    or the company if you cant say it give us a hint.
  • 2
    @masterdoctor I worked for the state. My boss got fucked for it too, can't say I wouldn't do the same thing in his position. I'm not looking to witchhunt, but you bet I'll be waiting in the tall grass should we cross paths again
  • 2
    Respect to you man for doing the right thing! Don't get dragged down, karma or some smartass user will show you knew what you were doing and were right all the time.
  • 1
    Do you have guts to fuck them back?
  • 1
    Abuse said bug, leak to local media, Grab snack and beverage and enjoy.
  • 0
    Don’t sweat it. I’ve lost pretty much every job I’ve had, never to anything like this mind, it’s always been because of declining mental health and the impact that’s then had.

    Shitty situations still.

    It’s amazing how quickly the company “culture” and “family-feel” evaporated once they decide you’re no longer a decent value proposition for them temporarily.
Your Job Suck?
Get a Better Job
Add Comment