undefined | Better HN

0 pointsmr-wendel4y ago0 comments

I would like to highlight the parent post's comment about attempting to contact the people whose work you are exposing vulnerabilities in.

I have to say that if this is "showing your work" then the most important thing you've shown is poor judgement in publishing their secrets in a submission to a very popular website. The fact that they have followed such shockingly bad security practices themselves is absolutely no excuse.

The work I wish we saw was the valiant effort you made to contact the company and help them see their mistakes. That is an area where we can all use more good examples, even if only to show how difficult it is to get something so obviously problematic taken seriously.

I'm certain you mean no ill will, but the lack of consideration here is concerning.

[EDIT] As per the posters comments, the keys included weren't the real ones. I still think the point stands: they are trivial to obtain when you know they are included in the package so their exclusion only means so much.

0 comments

9 comments · 2 top-level

deadf00d4y ago· 3 in thread

There is no vulnerability here. Secrets has been anonymised, tokens and secrets provided are not the real ones. I'll follow your advice and update the article once I have an answer from the company.

mr-wendelOP4y ago

> ... and update the article once I have an answer from the company

I look forward to the update and will be very curious to see how that goes. Best of luck!

[EDIT] Also I think it worth adding one more thing. I think the poster has demonstrated an openness to feedback that is wonderful. Coming back to the keyboard to read "let me give that a try; I'll update things" is really cool.

dncornholio4y ago

> Secrets has been anonymised

After or before posting it to the internet?

deadf00d4y ago

Before.

I'm not that crazy.

1 more reply

noasaservice4y ago· 4 in thread

This is an 0day public disclosure. The company affected should THANK this person for not selling the exploit on the dark web and making bank.

And this goes back to the whole "responsible vulnerability disclosure". The damned white hats want to demonize anybody not reaching out to some opaque company and being told it might be fixed in 90-360 days.

0Days are JUST AS responsible as other types of disclosure. You owe them nothing, and they owe you nothing. And you're publishing info to everyone. Information symmetry.

mr-wendelOP4y ago

I can't disagree more. They should thank him if he actually reached out to help, even if only to say "look how bad this is; you're easy pwnbait, kthxbye". Based on this article we don't even know if they are opaque (or worse, belligerent).

I've tried to be as careful as possible in my wording to avoid demonizing the poster. I still see absolutely nothing indicating maliciousness or ill intent and I would just as strongly disagree with anyone trying to do that. My apologies if I have come across as being hateful in any way.

I prefer to champion a web that goes back to a "hacker" culture I learned from in my youth that predates Internet culture: we believe DO owe each other something, somewhere in the positive gradient: basic decency, an assumption that we're all worthy of respect (unless proven otherwise), and that you never try to "score points" at the expense of someone else.

But that is just what I believe and what my preferences are. Certainly "do no harm" is the rock bottom line.

orf4y ago

You don’t owe companies that don’t invest in security anything. This whole comment smells of upmost naïvete.

It’s a for-profit company without a bug bounty program, in no way whatsoever should they expect someone to work for free to fix issues they created.

The keys are public, they made them public. Do you expect that there are not automated systems trawling apps from the g-play store and doing what he’s doing?

3 more replies

gigaflop4y ago

If I leave my door unlocked by accident, and someone leave a note to tell me so, I'm shocked, but happy that I can lock my door and fix the problem.

If I accidentally leave my door unlocked, and someone comes in and steals my TV, I'd be upset. I made an honest mistake, and had to pay for it when I wasn't expecting to.

If ..., and someone makes a blog post to tell the world that my door is unlocked, my dwelling may be in a permanent state of disrepair by the time I notice. I'd be incredibly unhappy.

Mischief doesn't need to cause misery.

deadf00d4y ago

Yeah, that's what I think too.

j / k navigate · click thread line to collapse

0 comments

9 comments · 2 top-level

deadf00d4y ago· 3 in thread

There is no vulnerability here. Secrets has been anonymised, tokens and secrets provided are not the real ones. I'll follow your advice and update the article once I have an answer from the company.

mr-wendelOP4y ago

> ... and update the article once I have an answer from the company

I look forward to the update and will be very curious to see how that goes. Best of luck!

dncornholio4y ago

> Secrets has been anonymised

After or before posting it to the internet?

deadf00d4y ago

Before.

I'm not that crazy.

1 more reply

noasaservice4y ago· 4 in thread

This is an 0day public disclosure. The company affected should THANK this person for not selling the exploit on the dark web and making bank.

0Days are JUST AS responsible as other types of disclosure. You owe them nothing, and they owe you nothing. And you're publishing info to everyone. Information symmetry.

mr-wendelOP4y ago

But that is just what I believe and what my preferences are. Certainly "do no harm" is the rock bottom line.

orf4y ago

You don’t owe companies that don’t invest in security anything. This whole comment smells of upmost naïvete.

It’s a for-profit company without a bug bounty program, in no way whatsoever should they expect someone to work for free to fix issues they created.

The keys are public, they made them public. Do you expect that there are not automated systems trawling apps from the g-play store and doing what he’s doing?

3 more replies

gigaflop4y ago

If I leave my door unlocked by accident, and someone leave a note to tell me so, I'm shocked, but happy that I can lock my door and fix the problem.

If I accidentally leave my door unlocked, and someone comes in and steals my TV, I'd be upset. I made an honest mistake, and had to pay for it when I wasn't expecting to.

If ..., and someone makes a blog post to tell the world that my door is unlocked, my dwelling may be in a permanent state of disrepair by the time I notice. I'd be incredibly unhappy.

Mischief doesn't need to cause misery.

deadf00d4y ago

Yeah, that's what I think too.

j / k navigate · click thread line to collapse