Ask HN: How to handle responsible disclosure when a company ignores you
2 by flutas | 1 comments on Hacker News.
Recently I discovered an urgent issue on a website I frequent. This issue is leaking so much user data through a websocket that it's not even funny, and requires zero action (aside from loading the site) to get. Data being leaked includes email addresses, geolocations, private photo (read: nudes) URLs, bcrypted (thankfully at least) passwords and salts, password reset / account activation codes, user agents, IP, fingerprint hashes, staff notes about the accounts and even reports (including reason, text submitted by the reporter, and the reporter itself). I've tried multiple ways of contacting the company, as the data could seriously harm users and lead to them being stalked/blackmailed, but they have given no response whatsoever. Tried to mention/message them on social media, did an email blast with guesses at their CEO's email (didn't bounce back like security@ did), and as a last resort their CS line. Even their CS simply closed the ticket without even a response, so I'm at a loss on how to proceed. I've considered going to someone like Krebs, but I'm extremely hesitant to, simply because of what could happen if this gets out without being patched.
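The root cause of a leak like the one described above is usually a server that serialises whole database rows onto the websocket. The following is an added example, not code from the post or from the site in question, of the two controls a defender would put in place: an allowlist serialiser, and a fail-closed audit at the send boundary. All field names and the sample row are constructed.

```javascript
// Added example, not code from the original post: the field and token names are constructed.
const PUBLIC_USER_FIELDS = ["id", "displayName", "avatarUrl"];
// Key words that must never reach a browser; keys are split into lower-case words first.
const SENSITIVE_TOKENS = new Set(["email", "password", "hash", "salt", "reset", "activation",
  "token", "ip", "fingerprint", "agent", "note", "notes", "report", "reports",
  "geolocation", "lat", "lng", "private", "secret"]);
// "passwordHash" -> ["password", "hash"]; "staff_notes" -> ["staff", "notes"]
function keyTokens(key) {
  return key.replace(/([a-z0-9])([A-Z])/g, "$1 $2").split(/[\s_-]+/)
    .map((t) => t.toLowerCase()).filter(Boolean);
}

// Allowlist serialiser: build the broadcast payload from named public fields only,
// never by pushing the whole database row down the socket.
function toPublicView(user) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) if (key in user) out[key] = user[key];
  return out;
}

// Outbound audit: walk any payload and return the paths of keys that look sensitive.
// An empty array means it passed; use it at the send wrapper and as a unit-test oracle.
function findSensitiveKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSensitiveKeys(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (keyTokens(k).some((t) => SENSITIVE_TOKENS.has(t))) hits.push(p);
      hits.push(...findSensitiveKeys(v, p));
    }
  }
  return hits;
}

// Send wrapper that fails closed: a frame that trips the audit is never emitted.
function safeSend(socket, payload) {
  const leaks = findSensitiveKeys(payload);
  if (leaks.length) throw new Error("refusing to send sensitive fields: " + leaks.join(", "));
  socket.send(JSON.stringify(payload));
}
// Constructed sample row with the kinds of fields the post says are leaking.
const sampleRow = {
  id: 42, displayName: "alice", avatarUrl: "/avatars/42.png",
  email: "alice@example.com", passwordHash: "$2b$12$placeholder", salt: "placeholder",
  resetCode: "placeholder", ip: "203.0.113.5", userAgent: "Mozilla/5.0",
  privatePhotoUrls: ["/private/1.jpg"], staffNotes: ["watch"], reports: [{ reason: "spam" }],
};
```

Running `findSensitiveKeys` over captured socket frames in a test harness is also a cheap way for a site operator to verify the fix: `safeSend(socket, sampleRow)` throws, while `safeSend(socket, toPublicView(sampleRow))` goes through.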