If you obtained the information and can produce a repro without any sort of hacking or privileged access, there shouldnt be an issue.
If they don't have a bug bounty program, there's no guarantee you'll get money out of them though.
@SortOfTested Basically, there's a sequential numerical ID, and you can replace your ID in the URL with your ID - 1 and get someone else's data.
I don't want to tell them unless I get something from them. Not money, but a virtual good (think vbucks, but not). I use this service.
@SortOfTested The service I want would cost them nothing (not even in lost profits - I didn't plan on buying it) and even if I took it out of my own pocket it would only cost about $100
For as many as 17k records of user data (my ID was 17,000-something), I think they may be interested?
@AlgoRythm you're right, you don't have an obligation to tell them and they don't have an obligation to "reward" you if you do.
But, extracting said data and using it against them or publishing publicly, that's usually where the line gets drawn on legalities.
However, if said data is exposing private information about users, and I'm assuming you're a user too?
wouldn't you prefer it plugged since it's also your data open to the world.
Chances are you're not the first to stumble on that mishap.
@C0D4 The data that the leak exposes has already been leaked for me. No password information.
000webhost leaked my email and name AND PLAINTEXT PASSWORD many years ago. Now my data is worthless!
So these guys can suck a cock if they won't award me
EDIT: AND TO BE SUPER CLEAR, I'm not collecting or selling this user data, ever.
There's no way to be sure until you tell them.
Most companies don't have big bounties, and "Give me something and I'll tell you something" is usually not a great way to start such a conversation.
Even companies with bug bounties ... you never know.
@AlgoRythm wait what!?!
you use the same email and password as you did back then, to this day?
I think that's where your problem may be in general.
Password reuse is beyond a no no these days.
There are sites that make that data publicly available despite the legalities of it - not talking about "haveibeenpwned"
Your data is only as worthless as you make it; reusing passwords is a sure-fire way to reduce its worth and potentially open you up to identity fraud.
@C0D4 No, the password is different, the email is the same.
I mean, this potential leak has the email that the 5+ year old leak already exposed, so I don't care if it is leaked. It's already out there. I get spam emails daily.
As for protecting others, fuck it. At least for now. Maybe in a week my guilt will get to me
@AlgoRythm my email has been around the block numerous times.
Set up spam rules and add 2FA/MFA and away you go again; if another breach occurs, it's only 1 of your accounts and not all of them.
Back to your issue though, not every internet user is smart enough or has the brain cells required to not reuse their passwords, so you'd be doing a public service with / without a reward.
@M1sf3t Yeah, I think that last sentence is key.
I am pretty sure they already had an even bigger leak.
F1973485949d
So a friend who is a security tester often finds such stuff.
He reports, they fix it. And everything's over.
When he demands any compensation, at max they give him a certificate.
I don't know what to do but definitely don't go the straight way.
First let them know you have found something with evidence which they cannot track.
Get it on email that they'll pay you.
Show them the loophole.
Oktokolo95249d
It isn't illegal to sell information about bugs.
But that doesn't matter if your diplomacy level isn't high enough to make your offer not sound like extortion.
The risk of getting sued far outweighs the possible reward of a meager 100 bucks.
So either sell to a broker,
sell to them anonymously for cryptocurrency (make sure to get your opsec right),
just tell them for free,
tell someone else for free,
or keep the 0day for yourself.
ltlian187049d
I've heard a few stories like this with unfortunate outcomes. Worst case is that the company treats it like a hack on their unhackable system - either to save face or they simply don't know the difference between "leaving the keys in the door" and a break-in.
There was a thing here in Norway a couple years ago where a student alerted his school about a security hole (user information was publicly accessible if you just knew the path), and after it was ignored he exploited it as a means to alert the owners which got him reported to the police. The whole thing was treated as if he caused a leak.
Not sure if there's any English articles out there but just for reference: https://vg.no/nyheter/innenriks/...
He shouldn't have exploited it, but I feel I see this a lot. People will jump at any chance to defer blame.
Hazarth147949d
Not using a UUID for user profiles these days is a sin.
But in general, they didn't hire you to do a security audit, so they don't have to pay you anything at all. There's no contractual need to give you anything or even listen to you; what's more, they might argue that you found the hole because you were looking for it and that you had bad intentions, and even sue you.
Most won't go that far from what I hear, and often they give rewards if they are a good sport, but you can't call it "working for free". That's not what happened. You found it on your own time out of your own initiative and that's all.
You're prolly better off keeping it to yourself and forgetting about it. Or try mailing them from an anonymous account and just explain the situation and wait for a response. But definitely don't try to "if else" them, that's essentially blackmail.
Sounds like this:
"I have porn of you, and I'll delete it if you pay me, but don't worry, I'll keep it to myself if not"
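The flaw the thread describes (a sequential numeric ID in the URL that the handler looks up without asking who owns it) and Hazarth's UUID remark, as an added example that is not from the thread or from any poster's code. It assumes a made-up in-memory profile table, a made-up access-log format, and a framework-free handler; the point it makes beyond the thread is that opaque IDs only stop guessing, while the object-level ownership check is what actually closes the hole.

```python
"""
Object-level authorization for a /users/<id> lookup, opaque public IDs,
and a small enumeration heuristic over access logs. All data is constructed.
"""
import re
import uuid
from collections import defaultdict

# Constructed sample store (assumption): profiles keyed by sequential integers,
# the situation described in the thread. Emails are placeholders.
USERS = {
    17001: {"email": "user17001@example.test", "name": "A"},
    17002: {"email": "user17002@example.test", "name": "B"},
    17003: {"email": "user17003@example.test", "name": "C"},
}


class NotFound(Exception):
    """Raised for any record the caller may not see. It deliberately does not
    distinguish 'does not exist' from 'belongs to someone else'."""


def get_profile_vulnerable(session_user_id, requested_id):
    """The pattern from the thread: the handler trusts the ID in the URL and
    never checks that it belongs to the logged-in session."""
    if requested_id not in USERS:
        raise NotFound(requested_id)
    return USERS[requested_id]


def get_profile_hardened(session_user_id, requested_id):
    """Authorize on the object, not only the session: the record must be the
    caller's own. Ownership and existence collapse into one opaque failure so
    the response does not confirm which IDs exist."""
    if requested_id != session_user_id or requested_id not in USERS:
        raise NotFound(requested_id)
    return USERS[requested_id]


# Opaque identifiers: a random UUID per account replaces the guessable integer
# in URLs. That removes the id-1 / id+1 walk, but it is not a substitute for
# the ownership check; the hardened lookup still runs after translation.
PUBLIC_IDS = {uid: str(uuid.uuid4()) for uid in USERS}
INTERNAL_IDS = {pub: uid for uid, pub in PUBLIC_IDS.items()}


def get_profile_by_public_id(session_user_id, public_id):
    """Resolve the opaque ID, then apply exactly the same ownership rule."""
    internal = INTERNAL_IDS.get(public_id)
    if internal is None:
        raise NotFound(public_id)
    return get_profile_hardened(session_user_id, internal)


def denied(lookup, *args):
    """True if the lookup refuses the request (used by the self-check)."""
    try:
        lookup(*args)
    except NotFound:
        return True
    return False


# Detection side: one session fetching many distinct profile IDs is walking
# the ID space. The log format and lines below are constructed for the example.
LOG_LINE = re.compile(r"session=(?P<session>\S+) GET /users/(?P<id>\d+)")

SAMPLE_LOG = """\
session=s1 GET /users/17002
session=s1 GET /users/17001
session=s1 GET /users/17000
session=s1 GET /users/16999
session=s2 GET /users/17003
"""


def sessions_enumerating(log_text, threshold=3):
    """Return sessions that requested more than `threshold` distinct IDs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            seen[m["session"]].add(int(m["id"]))
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    # A session belonging to user 17002 asks for the neighbouring record.
    print(get_profile_vulnerable(17002, 17001))            # another user's data
    print(denied(get_profile_hardened, 17002, 17001))      # True
    print(get_profile_by_public_id(17002, PUBLIC_IDS[17002])["name"])  # B
    print(sessions_enumerating(SAMPLE_LOG))                # ['s1']
```

The hardened handler checks ownership before existence on purpose: a handler that returns 404 for unknown IDs and 403 for other people's IDs still tells a caller which IDs are live. The log heuristic is the cheap signal the thread's "you're probably not the first to stumble on this" hints at; on a real service the threshold and window would be tuned to legitimate traffic.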
arnyek58848d
In Hungary, some guy reported a similar bug to a governmental company. He didn't want to do anything, just thought he could report. They called him a hacker, and he got a financial penalty and almost a prison sentence as well.
theabbie55327d
Dropping a comment here cuz this Rant might last long