Comments
-
1 - jail
2 - no
3 - yes*
4 - yes*
* if you're a security expert stick to 3
If not, try 3 -
@devTea unfortunately that's true. Read some articles about white-hats in Russia reporting an exploit and being jailed.
(I know, Russia and white-hats. Sounds not credible) -
You folks will end up in jail as examples.
You can look around for potential breaches but for fuck sake stop exploiting it... Don't be a fool thinking they'll greet you with « hey nice job bruh, enjoy our service is free foreva' ».
It's a bad time for dicking around.
Come into the field if you like pentesting. -
Wolle (912, 4y): Create a new throwaway e-mail address. Tell them about the bug. Forget about it. Maybe take another free meal as "compensation".
-
Nanos (12169, 4y): Reminds me of years ago when a company did a promotion, buy one get one free on microwave meals.
Only the free coupon was on the cardboard packet..
So, buy one.
Remove coupon.
Get next free.
Remove coupon.
Get next free.
Repeat until supermarkets ban you..
6 months supply of food later.
I guess not the same kind of thing, but kinda..
In the past I've emailed / etc. and sometimes they don't take any notice and then everyone and their dog is exploiting the loophole for years!
At least you can rest easy that ethically you did the right thing.
Just be careful trying to help, as sometimes it can backfire! -
Ederbit (760, 4y): Send them an anonymous email with the bug details, a demonstration, and instructions on how to donate with bitcoin.
-
I've scammed a whole bunch of burritos out of one app. It seems to give me more reward points each time (as if I'd bought one) instead of taking them away (spending on the free one). I didn't do anything to hack it, and it's survived a change of phone, but it hasn't worked for colleagues.
-
spacem (1876, 4y): I suggest #2. What you are doing is still theft. Would you take food without paying in a restaurant?
-
Condor (34284, 4y): Depends on the company. If they have a bug hunter program, by all means report it and give them their 3 month nondisclosure time. If not, I've found from experience that some companies tend to get way too much up their own ass about these things and try to sue you even if you do the whole disclosure right, with the best intentions. Ass-coverage of incompetence and so forth. It's what required me to drop out of school. Nowadays I'd first ask them about how they deal with security vulnerability reports and make them sign a contract stating no legal action will be taken as long as industry standards are abided by. The competent ones might sign it, giving you the ass-coverage from them you need. Then privately report.
In general though, assume that most companies - especially the small ones - are beyond hope in this regard... -
Nanos (12169, 4y): @Condor
I'd add governments to the list of 'beyond hope' in this regard too..
And perhaps charities..
(I remember reading once of a particular charity where only 2% of money donated actually reached the people they were supposed to be helping..) -
Condor (34284, 4y): @Nanos banks too. I've heard a fair few stories in which they love using their lawyers instead of getting some proper security folks on their legacy crapware.
-
Nanos (12169, 4y): @Condor
I'm reminded of someone I knew telling us how folk used to steal millions from banks by walking out of the front door with items they'd stolen from the safe when no one was looking!
Reminds me of the time I bought some 300+ ex-library books, but not once did security ever ask me if I'd paid for them as I went back and forth to the library loaded up with dozens at a time! -
Condor (34284, 4y): @Nanos Haha, libraries, yeah. I had a few occasions in which I forgot to bring back a book, saw it getting expired.. and nothing happened. Makes you wonder just how much that "registration before lending" is really worth... Heck, even without all of that crap, if you're not a member, just take a book and put it in your backpack, you could easily get away with that.. incredible how they even still have books at all. The moral compass of people that visit libraries is far stronger than libraries' security I guess.
-
I know a guy who got fined for thousands of euros for typing "someurl.com/../". It was a charity website that didn't display a thank you page when he donated some money. Got him interested, thought it was a scam, tried some easy pentest stuff (like typing /../). Didn't work out. Four days later he was arrested. Judge literally apologized for giving him a fine as there was absolutely no malicious intent, but he technically was trying to hack a system and that's illegal.
TL;DR - Never hack any system unless you've got explicit, written consent by the party you're trying to hack. It doesn't matter how easy it is. Never ever do it.
In this case, cover your tracks and go for option 4 from an anonymous email account.
Rant
I found a vulnerability in a food delivery app API that allows me to add credit to my account. I ate my first free meal today but I feel bad about it. What should I do 😞.
1 - continue hacking free credit and eating free food.
2 - stop and forget I found this bug
3 - report the bug in exchange for money/credit
4 - report the bug for free
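The two bugs this thread describes, the rant's API that lets a client add credit to its own account and the burrito app above that credits reward points on a redemption instead of debiting them, both come down to the server letting the client influence a balance change. The following is an added example, not code from the thread or from any app mentioned in it; the catalogue, item names and point values are constructed for illustration.

```python
# Added example (not from the thread): a toy rewards ledger showing the
# client-trusting handler next to a hardened one that owns the arithmetic.
from dataclasses import dataclass, field

# Server-side catalogue: the client never tells the server what a reward costs.
# (Constructed values.)
CATALOGUE = {"burrito": 100, "taco": 40}


@dataclass
class Account:
    balance: int = 0
    history: list = field(default_factory=list)


def redeem_vulnerable(acct: Account, request: dict) -> int:
    """Buggy handler: applies a client-supplied 'points' delta, and with the
    wrong sign, so every 'free' item credits the account instead of debiting it.
    Equivalent to an API that lets the caller add credit to their own account."""
    acct.balance += request["points"]  # trusts the client AND has the sign wrong
    acct.history.append(("redeem", request["item"], request["points"]))
    return acct.balance


def redeem_hardened(acct: Account, request: dict) -> int:
    """Server decides the cost, checks sufficiency, debits, and enforces the
    invariant that a redemption can only ever lower the balance."""
    item = request.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown reward item")
    cost = CATALOGUE[item]  # looked up server-side; any 'points' field is ignored
    if acct.balance < cost:
        raise ValueError("insufficient points")
    before = acct.balance
    acct.balance -= cost
    # Invariant check: fail closed if the arithmetic ever goes the wrong way.
    assert acct.balance == before - cost and acct.balance < before
    acct.history.append(("redeem", item, -cost))
    return acct.balance


def demo() -> tuple:
    """Same request against both handlers; returns the two resulting balances."""
    a = Account(balance=100)
    redeem_vulnerable(a, {"item": "burrito", "points": 100})  # balance grows to 200
    b = Account(balance=100)
    redeem_hardened(b, {"item": "burrito", "points": -999})  # client delta ignored
    return a.balance, b.balance
```

Detection follows from the invariant: a redemption row whose delta is positive, or an account whose balance rises without a matching purchase or refund, is the signal to alert on in the ledger.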
Tags: question, vulnerability, bug, free, ethics, api, guilt, food