Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
1) Not sure what country you’re in but chances are you just admitted in writing to committing a fairly serious crime.
2) don’t get me wrong I understand the intention, worked in cyber security until recently (developed software for red team use). Just probably don’t download confidential medical records and then put that in writing to make a point. I’ve seen a lot of sad stories that started that way. There are other ways to go about expressing concern
3) please please don’t publicly leak a vulnerability that allows people to easily access private medical records. I know a lot of that software is old and broken and doesn’t require much knowledge to exploit, but no need to tell even more people how to do it. There are much safer ways to pressure a company to fix their shit
Stay safe and ethical out there friend ❤️ -
galena71924yBe careful about this cause if someone else exploits this, you might be on the hook for it. Seen a similar situation in an op-sec ted talk.
-
mirzoz3764y@demoralizeddev Thanks, and thank you people. I wrote to the clinic again. They told me that they contacted their outside provider to fix the error. They told me not to worry because they were working on it but couldn't shutdown the app 'cause a thousands of results they have to deliver in this pandemic. Which is understandable. They thanked me and gave me the anemia treatment (which came up on the test as a diagnosis) for free.
-
bols597794yMay I add the advice that you carpet bomb all the big names, never just one or two. You could conceivably be saving a life.
-
@mirzoz that's great to hear! I'm glad they gave you a solid reason and didn't just cast you to the wind.
Related Rants
A month ago I had some medical tests, the next morning, the clinic's send a email with my results. Oh surprise, unbelievable security flaws. They sent me a link without any kind of authentication, token, or security. I looked at my results, and by entering consecutive and random numbers I was able to download a lot of results and folders of other patients. I wrote an email to the clinic informing them of this situation and their response was "Thank you". Today I have accessed the link and the error is still present. I am going to notify higher health authorities.
rant