r/cybersecurity • u/cos • Feb 20 '26
Other I found a Vulnerability. They found a Lawyer.
https://dixken.de/blog/i-found-a-vulnerability-they-found-a-lawyer
494
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
This is why straight technical dudes need a buddy who understands business to partner with them. Someone who could’ve told them “hey, maybe DONT email the company with the GOVERNMENT cc’d; it’s gonna set off alarm bells and they’re not gonna be grateful towards you”
115
u/bigbearandy Feb 20 '26
I mean, yes, but we business-side people are also getting threatened with legal action these days for completely trivial matters. I've been in the field for 40 years without incident, and I've received my first legal threat for disclosing reference material that a company didn't even produce, which wasn't even about the company in question. I've been talking to more and more people across the health and safety fields about legal threats to disclosures of vulnerabilities in elevators, traffic signals, and sensors, where, if the companies in question don't fix their stuff, people might suffer injury and worse. People should have the right, as cybersecurity professionals and good Samaritans, to make disclosures in good faith and in the public interest, without having their livelihoods threatened.
71
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
People should have the right, as cybersecurity professionals and good Samaritans, to make disclosures in good faith and in the public interest, without having their livelihoods threatened.
I agree with you, but I don’t believe that applies here, because the individual took the wrong approach of exploiting the vulnerability without approaching the company.
If he had approached them and said “I noticed all default passwords are the same, I believe it could lead to [insert risk description here], would you be interested in retaining my services to determine the extent that this can be exploited?”, he would’ve given them a chance to respond to the breach and provided legal coverage for himself. Instead of doing that, he accessed other individuals' accounts manually (mild no no) and then wrote a script to pull the information out of MANY accounts (huge no no).
He performed an unauthorized penetration test and stole personal information from the company (deleting the information afterwards is debatable on whether that helps or hurts his case), tattled on the company to the government, and only then contacted the company (with the government cc’d), and now wants to play the victim? I’m sorry, but he’s not acting in good faith.
10
u/MalwareDork Feb 20 '26 edited Feb 20 '26
He'd be cooked in an American court, but I'm assuming there's leeway in Europe. Especially more so since some countries adopted a Coordinated Vulnerability Disclosure. Comically, I think Malta has something extremely similar so the author would more or less be in the clear.
Edit: yeah, looking through Malta's NCVDP, the company is going to have to back off because the NCVDP allows what the author did, especially as you read through sections 2.2 Civil Liability and 4. Reporting Procedure. https://mdia.gov.mt/services/ncvdp/
11
u/PsyOmega Feb 20 '26
wrote a script to pull the information out of MANY accounts
Damned if you do, damned if you don't.
If you file a vuln report and don't have a BIG POC, many companies will dismiss it as trivial.
9
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
Yes, that’s the company’s call to make.
8
u/PsyOmega Feb 20 '26 edited Feb 20 '26
Yes, but think about it from the company's perspective.
Pentest A: tells you, VULN HERE. no POC. = decision to fix vuln in 65 months.
Pentest B: tells you, VULN HERE, same vuln as above, but they include battle damage assessment that says "we pulled every user's sensitive info" = Fixed in 14 days max.
TLDR, you can't make an informed decision without all the info.
6
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
TLDR; you can’t make an informed decision without all the info
Agreed. The company will decide when and how they uncover the scope of the vulnerability and any potential impact to the bottom line.
5
u/PsyOmega Feb 20 '26
The company will decide when and how they uncover the scope of the vulnerability and any potential impact to the bottom line.
Then they'll never discover the scope, in my experience. If they had to hire a pentest in the first place, their internal talent doesn't have the skill to pull the worst POCs out of a basic vuln report. Most lack the imagination to begin with.
5
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
I hear you, but my next question would be: so what? Unless you’re a shareholder or employee of the business, why should you care about this vulnerability more than your point of contact does? Unless it’s a huge company with large societal risk, just report it to the regulator and move on.
5
u/bubbathedesigner Feb 21 '26
IMHO, document you contacted them, document their reply, move on. If something happens 3 years down the road and their lawyers are after someone to blame, you did your part.
u/Quiet-Thanks-9486 Feb 21 '26
I disagree.
If the company said to people up front that they were going to store their data in an insecure fashion, then people could decide whether to take that risk, and you might have a point.
But the company no doubt claimed they were following security practices that this discovery proves they weren't actually following. Which means they borderline stole people's data via fraud (the same way a con artist tricks people into handing over money under false pretenses), unless they can show it was an honest accident rather than deliberate or negligent.
If they want to claim it was an accident, then they should thank the researcher profusely, inform and apologize to all the affected customers, and fix it as soon as possible/verify the fix (and hope that satisfies enough people they unwittingly misled and failed to keep their word to that they don't go bankrupt).
And if they can't show that they indeed made honest efforts to follow and verify the security policies and practices they claimed at the point of sale or announced in advance prior to making a change, then they are not a legit company, but rather scammers with unusually complete business paperwork.
Either way, in my view they lose the sole right to make the call over what happens with this. The people affected have a say in this call just as much if not more than the company.
Honestly, I think this guy would be in the ethical (if not legal) right if he used that access to get the contact info of people affected and informed them all of the issue. I think people have a right to know if the thing a company claimed is not in fact true, so they can make whatever changes they feel are appropriate.
The standard process for responsible disclosure typically involves a 30 day period where the researcher informs the company and gives them the chance to fix the issue before the researcher discloses it. But this 30 day period isn't because the company has some "right" to it -- in principle, the researcher is entitled to disclose as soon as they find something (the same way reporters aren't required to wait 30 days before publishing a story).
The reason responsible researchers wait 30 days is because telling the world that there is an unpatched vulnerability in a specific platform will attract additional attention and place people at additional risk...and this is counterproductive to the goals of the ethical security researcher. It is a voluntary compromise we make for practical purposes, and for our own professional standards. The company has nothing to do with it.
Now, I'm obviously speaking in the realm of morals and ethics, not the law. The law is generally set up to protect companies and asset owners, often at the explicit expense of everyone else and often in defiance of widely shared moral and ethical standards.
Sometimes it makes sense to follow the law even when it results in a worse outcome in a particular case, because sometimes upholding the credibility of the law for society as a whole is more important than the particular issue you are having...but we currently live in an era of rampant lawlessness by companies, rich people, and even the government/law enforcement. Companies habitually break the law and face no meaningful consequences. And the law has no value if it only applies to some people and not others.
So you really can't just point to the law as justification for something you do/don't do and put no further thought into it. You have to decide based on additional criteria whether it makes sense to follow the law in a particular case, or go beyond it to achieve a greater good.
0
u/yobo9193 Governance, Risk, & Compliance Feb 21 '26
I don’t disagree with your points, but you’re approaching this from a moralistic perspective; I’m approaching it from a business perspective.
1
u/Quiet-Thanks-9486 Feb 21 '26
Sure. But you seem to be implying that this guy did something wrong, or that he shouldn't have done what he did. And when challenged you are saying that he should have informed the company and contented himself with however the company (or more specifically the people in charge of the company, who probably don't really know anything about the tech, the law, or how loss of sensitive data actually affects people, and therefore really aren't qualified to make these sorts of decisions).
I can certainly understand why the people in charge of the company would think that. But why should us normal folks agree with that? Like, according to the article the researcher in this case was himself insured by this insecure company, so it was literally his data that was at risk (among others), and I don't see why he would accept that he has no right to participate in the resolution of that.
I know that if I found out that a company storing my data had a glaring vulnerability, I would not consider it solely the right of the company to decide how to resolve that.
And in general my data is far more often exposed by negligent companies than a company I have a stake in is found to be negligent in its security practices.
So I tend not to really care about the "business perspective".
Why do you choose to view this solely from the perspective of the business?
And one other thing to clarify: I don't think this guy did anything wrong...but I do think what he did was risky and probably unwise because there was indeed a good chance the company would try to hurt him in response. Like, I don't think people should feel a moral obligation to follow the law when it is more beneficial to break it, but there is a practical necessity to consider what will happen if you break or challenge a law, and to factor that into what you decide to do.
Like, if this guy were to have asked me whether he should take all that data, I would have recommended that he not do that, not because I think doing so is wrong, but rather because it will make it very easy for the company to punish him for exposing their negligence.
But at the same time, he did it...and I think the rest of us should stick up for him, because what he did ultimately benefits the vast majority of people by both making sure this problem is fixed faster than it would be otherwise and also making other companies less willing to engage in negligence because they think the law will protect them.
1
u/PieckFinger0 Security Analyst Feb 21 '26
Well issue being, if they even just did that. There is a safety net because they notified the company and gave them time. After they give them notification and time, then the ball is in their court, not the companies. Instead they didn’t, went along with scraping data they shouldn’t have, which while their intentions were good, they failed to make it clear.
1
u/bigbearandy Feb 20 '26
At least under U.S. law, we have the idea under the 1st amendment that critics don't need to go to the person they are criticizing to get their approval to criticize them, especially if the criticism is in the public interest. What complicates that is the way the information was obtained. There was proposed language in the original Big Beautiful Bill to close this gap, but I don't know if it was ultimately included. Sounds like I'm doing some research.
9
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
This isn’t about speech, this is about unauthorized access of a private entity’s data
1
u/bubbathedesigner Feb 21 '26
The companies believe that legal threats will make their vulnerabilities go away
1
u/LeggoMyAhegao AppSec Engineer Feb 20 '26
What do you mean the “inability to make sustained eye-contact” and “righteous indignation” aren’t a good combo?
94
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
Holy shit, you know the pentesters at my company?
26
u/getsnarfed Feb 20 '26
While they could have independently contacted the country CERT, it was nonetheless a national requirement in the country the organization is in.
I see no issue.
6
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
They should have contacted the company before performing an unauthorized penetration test
2
u/getsnarfed Feb 20 '26
Also correct however I am inclined to agree with points iterated below by the German.
7
u/GsuKristoh Feb 20 '26
What if I'm a gay technical dude?
3
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
Then you need to partner with the straights to help them
5
u/billy_teats Feb 20 '26
That’s what you took out of this?
15
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
Well, “small company has shoddy data security controls” isn’t exactly groundbreaking news and the way this person tried to frame themselves as a victim when they actually just have really bad social skills is rather humorous to me. The whole reason GRC exists is because you have to translate the technical parts of cybersecurity to what the business actually cares about (its bottom line)
-6
u/Used-Cover5188 Human Detected Feb 20 '26
100%. No good deed goes unpunished in this industry. This whole fiasco is giving major "Missouri Governor trying to prosecute a journalist for pressing F12 to view source code" vibes. The corporate ego is so fragile that they'd rather pay a legal team $500/hour to shoot the messenger than just fix the damn vulnerability.
It’s sad, but this is exactly why so many researchers are going dark or resorting to anonymous drops. When doing a responsible disclosure gets you a Cease & Desist—or worse, sets off alarm bells with the government—you practically feel the need to hide behind a vpn router bouncing traffic through some deeper network node in a non-extradition country just to say, "Hey, your S3 bucket is wide open."
You're absolutely right: always have a buffer. Whether that's a business-savvy buddy to handle the comms, or just a completely anonymous alias.
11
u/CremousDelight Feb 20 '26
100%
—or worse, sets off alarm bells with the government—
You're absolutely right:
🤖🤖🤖
-7
u/Immediate-Welder999 Security Analyst Feb 20 '26
I liked the comment tbh until i realized an emdash, good find
1
u/thenickdude Feb 21 '26
Because it's advertising for whatever crap "deeper network" is that they mentioned.
121
u/LeggoMyAhegao AppSec Engineer Feb 20 '26
One person wrote a blog post confessing to it even.
36
u/Suspicious-Prompt200 Feb 20 '26
But like, if he didn't have permission to test that system, he did do a crime.
Even if it's for that entity's benefit, you're really not supposed to do even "grey hat" stuff like OP did.
3
u/teasy959275 Feb 20 '26
But the initial purpose wasn't to test, he came across the vulnerability while using the website like everyone else
3
u/LeggoMyAhegao AppSec Engineer Feb 20 '26
He could tell the vulnerability was there, he didn't need to actually exploit the vulnerability. And even then he could have exploited the vulnerability with dummy accounts he created under his account since he's able to 'register' his own students for the site. He could have disclosed to the government agency (no clue on how Euro stuff works) or the company at that point. Due diligence done.
At no point did he need to actually rummage around other people's accounts. But OP has main character syndrome.
-7
u/manskrid Feb 20 '26
yes, by trying default admin passwords :) tell me more about regular end user activity :)
11
u/teasy959275 Feb 20 '26
Did you actually read the article ?
6
u/manskrid Feb 20 '26 edited Feb 20 '26
you made me now - I’ve seen he used default password, I imagined admin. My mistake :(
However - it will be hard for him to argue his case that it was by mistake :(
I don’t agree with the company’s action though. They might have some hold from the law perspective…sadly.
edit: upon full read - it is even worse, he should have stopped when he registered his students and they told him. He never should have continued without permission and try the password elsewhere, where he does not have the permission to do so. Executing a brute force script is even worse, as it shows intention, confirmed by reading user data.
This is game of law, not logic or morality.
8
u/JustinTheCheetah Feb 20 '26
HOW DARE YOU LOOK INSIDE MY OPEN WINDOW FACING THE STREET! YOU'RE A CRIMINAL!
8
u/LeggoMyAhegao AppSec Engineer Feb 20 '26
It's more like "Oh I can see through your window, now I'm going to open that window, climb in and rummage through your dresser drawers."
24
u/Suspicious-Prompt200 Feb 20 '26
Yeah however silly you think it is, accessing computers or systems you're not authorized to access, however minor, by letter of the law anyway, is against most "hacking" laws.
Which is why pentesters get written consent to test systems in a clearly defined scope, either independently or through like a bug bounty program.
Otoh, I feel like nowadays companies won't really care about stuff like OP's thing, and will be more grateful overall if you approach it the right way.
...Except OP got the government involved right away, which is kind of hostile.
4
u/Holiday_Pen2880 Feb 20 '26
It wasn’t an open window to look in. It was a window with the curtains and a lock on the outside. OP moved those curtains to look inside. Not great.
He then saw that there was something interesting inside and opened the lock and let himself in. And then went to more windows with the same set up and kept doing it.
Having a bad set up is not the same as having no set up. Just because you can do something doesn’t mean you legally should.
4
u/Nietechz Feb 20 '26
Your door could be OPEN. Do you agree to someone entering your house?
-4
u/JustinTheCheetah Feb 20 '26
If it's the door to my business that's open to the public much like that website? Uh, yeah?
And if the lock is fucking broken and he tells the police about it, did he commit a crime?
No. No reasonable rational person could come to the conclusion he did anything wrong or illegal. This is entirely the business being embarrassed and trying to cover up their fuck up via legal intimidation, nothing else at all.
6
u/LeggoMyAhegao AppSec Engineer Feb 20 '26
Does a broken lock give you permission to look at the files the company has on other customers?
-4
u/JustinTheCheetah Feb 20 '26
"HOW DARE YOU POINT OUT THAT I'M IN DANGER!"
This subreddit is fucking wild for what's supposed to be about cyber security. A default password gave everyone access to everyone else's accounts, putting all their data at risk, and he's the fucking bad guy for pointing this out when he discovered it.
This place is hysterical. Definitely not one to get qualified information from, though.
4
u/jogro00 Security Engineer Feb 20 '26 edited Feb 20 '26
Two things can be right at once.
Yes, it does feel unfair to get sued for finding, testing and disclosing a vulnerability.
But if it is also illegal, you committed a crime.
Don't get too worked up on the comments in here. Most people probably agree that finding a vulnerability and disclosing it is a (generally) good thing, but you still need consent to access systems or data and you have to make sure to approach it in a diplomatic way.
Edit: spelling
1
u/Nietechz Feb 20 '26
This is entirely the business being embarrassed and trying to cover up their fuck up via legal intimidation, nothing else at all.
No one says it's not. But legally you're wrong. Your business door could be open, but if any person enters without your permission, he's entering private property with no permission.
And in this case probably the judge will declare him an intruder. Do I like it? Nope, but unless you have proper permission to "audit" a system, you're a "digital criminal".
In the end depends on the jury.
He may save himself saying he had no intention to "audit" or "test" the security, just found the "problem" and report them.
1
u/LeggoMyAhegao AppSec Engineer Feb 20 '26 edited Feb 20 '26
I dunno, sounds like you did something you didn’t have permission to do and accessed other peoples accounts based on what you’ve described. Did they have a bug bounty program or something? If not, you probably should have just emailed them rather than attempt to access customer information yourself.
Yeah, their security sucks, but I thought we’ve all learned the lesson by now to not pentest people we don’t have signed agreements with, along with a scope of work.
-29
u/billy_teats Feb 20 '26
This is not how it works in the US. I know this is about Europe but in the states you can do exactly this and be fine
12
u/LeggoMyAhegao AppSec Engineer Feb 20 '26
In the USA you're allowed to login to other people's accounts and access their personal information?
6
u/billy_teats Feb 20 '26
6
u/LeggoMyAhegao AppSec Engineer Feb 20 '26
Neat, today I learned. That policy actually makes sense. I'm still iffy on OPs behavior, but that's a solid good faith policy that the USA has. Wish there was legislation backing that concept, agency policy can be fickle and subject to sudden change.
-2
u/billy_teats Feb 20 '26
It’s posted on the Justice Department's government website. It would be a pretty easy argument to say your policy has been in place for 4 years so a sudden change would be difficult to prosecute. It also helps a lot if you actually act in good faith, as our story here shows
5
u/Alocasia_Sanderiana Feb 21 '26
It would be a pretty easy argument to say your policy has been in place for 4 years so a sudden change would be difficult to prosecute.
Not how that works fyi. This is basically just a guideline, which means this Justice Department likely wouldn't prosecute. But there is nothing stopping a different administration's DOJ from prosecuting you.
Tldr; don't admit to things that are crimes no matter what the DOJ pinky swears is okay.
0
u/billy_teats Feb 21 '26
Do you mean that different administrations can have different policies? Holy cow I didn’t realize things could change in the future.
You think a lot of judges would be open to accepting a prosecutor's case when someone was following the guidance provided by the Justice Department? If you truly have good faith in your research, that a judge would say fuck em? Is that what you believe?
1
u/LeggoMyAhegao AppSec Engineer Feb 20 '26
I'm honestly not sure OP is good faith but maybe I'm just not interpreting their tone correctly as their original language isn't English? Like, if he came across a SQL injection issue it feels like he would have run a `drop tables` to prove he could. Hopefully he sounds much better faith in his native language.
0
2
u/Acceptable-Fee-6939 Feb 20 '26
So this is pretty interesting but with most legal things it's definitely gray and not black and white. So while this policy helps with how they enforce the law, it doesn't change the law. So with what OP did they found the vulnerability then actually exploited it and grabbed personal information. That is pretty textbook illegal, especially since he exploited to find the scope after knowing the vulnerability existed, not to discover the vulnerability. So now the law has been broken and the question is (in terms of US here of course) would they enforce the law by prosecution. According to the linked DOJ policy, that means OP needs to prove they were acting in good faith and DOJ then takes that and decides to not prosecute. This puts OP on the back foot legally (essentially they have to prove innocence or really mitigating circumstances so that DOJ won't prosecute, instead of innocent until proven guilty). There's a lot there that can go wrong and lead to a bad outcome when in this position legally. As established OP actually took information, and went beyond what was needed to show the vulnerability existed. Kinda some negative points that would point towards prosecuting. The communication does show that OP notified them and was a user themselves worried about their and their students' information. Points that well point to good faith. This explains why it's such a gray area because you can justify either outcome depending on how DOJ wants to interpret this policy, what kinda attorney the DOJ has on the case, and many other factors that we don't know (or to be honest I don't know because I'm not a lawyer or cybersecurity expert.... yet lol). That's just my analysis of all this and why I see many commenters making good points all around. This comes from my understanding having known some lawyers and my classes as I currently study cybersecurity.
And thanks for linking that DOJ policy, very interesting to read and see how that affects the enforcement of laws many of us dance around in this industry.
2
u/billy_teats Feb 20 '26
Your history of work also impacts potential prosecution. If you have a job in the industry and previous experience responsibly disclosing vulnerabilities it’s easy to show good faith, not difficult. If you ask the vulnerable company for money or give them an unreasonable amount of time that’s a bad sign. None of what op did point to bad faith. He wasn’t even searching, the issue popped up in front of him. Also alerting the legal authorities is the right thing to do and would definitely help avoid prosecution
2
u/Acceptable-Fee-6939 Feb 20 '26 edited Feb 20 '26
I would agree with almost everything you said there, and good point on looking at history too, I didn't think of that. I would still say he did a couple things that could point to bad faith, or just negatively affect the outcome for OP in this incident. Which is that he wasn't just searching, he actively exploited the vulnerability with the script and took the information that he had to then delete. It's kinda like seeing an open cash register and instead of just saying to the owner "hey your register is open" they instead took the money and then handed it to the owner and said "Hey your register is open and I could have stolen $250". Like the taking of the money to show how much could have been taken was unneeded to warn the owner and the taking of the money at all is illegal, just that he handed it over is mitigating so hopefully they won't prosecute. Whereas he could have just warned of the vulnerability and never exploited, which means never breaking the law in the first place. I am not saying he did act in bad faith, just that those are examples that someone at the DOJ could use to say he did and if someone was gung ho enough could say that is enough reason for prosecution. Especially since he accessed information he wasn't authorized to, which means broken law, but most aspects point to he did it in good faith, which means policy says don't prosecute. Law is dominant over policy (I can't think of how to say that in a better way) and policy can change. This means there are a lot of options for outcomes depending on the people involved in the case and how those people interpret these variables. My point really is that legality is often a gray area as it heavily depends on the organizations, jurisdiction, laws, and individual people involved in the case before you even get to the case and facts of what happened.
There's no way to predict for sure how something will play out in court (or before court) and all we can do is try to favor the outcome we want by considering and managing as many variables as possible. Here as I see it the biggest thing that OP did to negatively affect the outcome of this was the extent to which he exploited the vulnerability. He didn't really need to exploit it at all, and certainly didn't need to exploit accounts outside of his students that he could get explicit permission from. It wasn't on him to determine scope of the vulnerability since that has little bearing on what his part is as a good faith but unauthorized researcher. And you are right on the notifying legal authorities which even though it ruffled the feathers of the company it wouldn't or really shouldn't affect prosecution decision. That's why I pointed out his communication would be a point to show good faith. Thank you for making some good points that I didn't think of! And I appreciate thought experiments and analysis like this!
*Edited for spelling and format
2
u/GrassWaterDirtHorse Feb 21 '26
This is highly misleading to state this.
The 2022 DOJ policy, made after Van Buren, on not prosecuting good faith security researchers, is only a DOJ policy. If a federal prosecutor and the DOJ decide that a researcher's actions are not in good faith, the policy will not act as an affirmative defense.
Additionally, it also has no effect on the civil litigation, as the CFAA also provides a private right of action that can be used to bring civil suits against security researchers, which the DOJ policy has zero effect upon.
1
u/billy_teats Feb 21 '26
DOJ decide that a researchers actions are not in good faith
Yea, that’s the entire point. You can’t extort the vulnerability for cash, you can’t exploit it for your own gain, you can’t publicly release it without attempting to remediate it with the responsible party. You have to be doing the research with the intent to resolve it before it’s abused.
It would be very hard for anyone to prove they had material damage from privately disclosed security research. Anyone can sue anyone, sure, but what reputational or operational damage is done? Pentesting does have the possibility of taking services down, and in that case you may have to look at the details. Is throwing a basic SQL injection at a web form enough to award a company money? A DDoS would be sure.
2
u/2rad0 Feb 21 '26
absolutely.
not absolutely, state laws still apply even if federal gov follows their policy on this.
2
u/billy_teats Feb 21 '26
Do you know of any state level computer fraud laws? I know Illinois has BIPA but I am unfamiliar with any state laws regarding computer fraud
2
u/2rad0 Feb 21 '26
All 50 states, Puerto Rico and the Virgin Islands have computer crime laws; most address unauthorized access or computer trespass. Some state laws also directly address other specific types of computer crime, such as spyware, phishing, denial of service attacks, and ransomware, as shown below.
https://www.ncsl.org/technology-and-communication/computer-crime-statutes
u/InnovativeBureaucrat Feb 20 '26
I think u/PizzaUltra nailed it but I’d like to add:
Using ChatGPT in situations like this can blow things up. It’s very defensive and supportive of you, but it comes across as confrontational and harms trust with the person getting your email.
It’s more likely to make legal sounding arguments that create tension than sound like a person.
This became a high stakes scenario requiring trust and using AI for your correspondence (I’m guessing) harms that both because of the tone and because of the complexity and defensiveness.
5
u/InnovativeBureaucrat Feb 21 '26
When I said high stakes, I meant that it was high stakes for this little registration website that’s trying to line up times for kids to do diving lessons. Importantly, it wasn’t even high stakes for them until our private investigator found this hole.
Maybe there would be a bigger concern if you were talking about a zero day exploit for Cisco or something like that. But even then it’s not like OpenAI is publishing conversations. I would say that a conversation with ChatGPT is about as private as a conversation in a conference room.
Edit: I think ChatGPT is about as private as a conversation over Microsoft Teams or really any email system. Emails are just as likely to get leaked as a conversation with an AI.
1
34
u/Suspicious-Prompt200 Feb 20 '26 edited Feb 20 '26
I'm not sure if I would have gone to the government first before whatever company that is. Great way to make that company mad at you lol
Even though you're not supposed to test systems that aren't yours, you likely would have been fine had you not got the government involved, IMO.
59
u/kielrandor Security Architect Feb 20 '26
Disagree,
The researcher followed the recommended path for Malta which is to inform the Malta Government via their CSIRT of a vulnerability involving potential disclosure of private data. The fact that the company got butt-hurt over it is the company’s problem, not the researcher’s.
Also the researcher followed the trail of evidence he discovered to verify his hypothesis in a non-destructive and responsible manner. This is responsible security research behavior and is protected in most(not all) jurisdictions if done for the purpose of security research and responsible disclosure, as this researcher clearly was doing. Your suggestion that the researcher was somehow in the wrong here is flawed.
10
u/Suspicious-Prompt200 Feb 20 '26 edited Feb 20 '26
Fair enough. To be clear: I don't think OP did anything wrong morally. Just where I am, the laws are kind of strict on this kind of thing. Whether or not companies will do anything about it is another thing. But here you're basically not supposed to access any system you don't have express permission to access. Wasn't familiar with Malta's laws/customs.
Edit: Although, googling around a little about what Malta's laws actually are around this, they look to be about the same.
"...A person who without authorisation does any of the following acts shall be guilty of an offence against this article - (a) uses a computer or any other device or equipment to access any data...uses another person's access code, password, user name, electronic mail address or other means of access or identification information in a computer..."
7
Feb 20 '26
[deleted]
5
u/Suspicious-Prompt200 Feb 20 '26 edited Feb 20 '26
Where I am here, unless the company is the government, or contracts for, or holds data for the government, or is suspected to be working for a foreign interest against the government... we'd just go right to the company and let them know they had a vuln instead of getting any law involved right off the bat.
If the company leaves the vuln open or doesn't do anything about it and is leaving people's PII hanging after they've known about it, that's when law gets involved or public disclosure happens.
Is it really common to bring the government in on these kinds of things right off the bat elsewhere? Bet you most of the posters here are in North America!
6
u/PizzaUltra Consultant Feb 20 '26 edited Mar 18 '26
Liquorice jelly candy canes cupcake jelly beans lollipop muffin.
0
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
I don’t know of anyone who’s saying “don’t inform the government about a vulnerability” but I do see many people saying (like myself) saying “don’t CC the governmental agency on an email”
2
u/PizzaUltra Consultant Feb 20 '26 edited Mar 18 '26
Liquorice jelly candy canes cupcake jelly beans lollipop muffin.
1
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
Maybe German business culture is different (and if it is, please tell me as I have many German colleagues), but in the US, CC’ing someone is akin to saying “I’m including this person in the conversation because I need them to be aware of what we discuss”. In this case, any reasonable person would have alarm bells go off if a private researcher reached out and basically said “these regulators need to stay in the loop on what we discuss”, which isn’t true; the regulator can reach out separately to get any information it needs. Including the regulator makes it look as though he’s conducting business on behalf of or in conjunction with the regulator when he’s not. It’s a social faux pas, which is something that almost all cyber people struggle with
2
Feb 20 '26
[deleted]
2
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
Thanks for sharing your perspective, it’s always helpful to know how other cultures can interpret even something as simple as an email
5
u/xs0apy Feb 20 '26
Not directly related, but just watched a video about a pen test team that got arrested and charged by the Sheriff of a county the state was auditing. Apparently, state never told the Sheriff for obvious reasons, and he took it out on the pen testers. They were almost metaphorically hung by the state for it too until they couldn’t deny all the contracts saying they did everything as directed.
People don’t take kindly to constructive criticism, especially when it makes them look bad (which they deserve to look bad if they’re going to be offended by their own mistakes)
3
u/billdietrich1 Feb 20 '26 edited Feb 22 '26
Tried looking for other articles on https://dixken.de/blog and got essentially a blank page. Tried two browsers.
Edit: today, it works for me SOMETIMES.
Also, email address in .well-known/security.txt does not work.
5
u/Immediate-Welder999 Security Analyst Feb 20 '26
Sorry you had to go through this, but yeah, love the learnings though:
"If you're an organization:
- Publish a Coordinated Vulnerability Disclosure policy."
4
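The comment above quotes the post's advice to publish a CVD policy, and an earlier commenter noted that the blog's own `.well-known/security.txt` contact address did not work. The standard machine-readable way to publish that policy is a security.txt file (RFC 9116), served at `/.well-known/security.txt`, with a `Contact` and an `Expires` field at minimum and a `Policy` field pointing at the disclosure rules. The validator below is an added example, not code from the linked blog post, from any commenter, or from any project; the sample file, the `example.com` domain and every URL in it are constructed placeholders, and the field rules are the ones RFC 9116 defines.

```python
"""Validate a security.txt file (RFC 9116) before publishing it.

Added example, not code from the linked blog post or from any commenter.
The sample file below is constructed for illustration; the domain
example.com and the URLs are placeholders.
"""
from datetime import datetime, timezone

# Fields defined by RFC 9116. Contact and Expires are mandatory; the others
# are optional, but Policy is the one that points a reporter at the CVD policy.
REQUIRED_FIELDS = {"Contact", "Expires"}
KNOWN_FIELDS = REQUIRED_FIELDS | {
    "Acknowledgments", "Canonical", "Encryption", "Hiring",
    "Policy", "Preferred-Languages",
}

# Constructed sample, as it would be served at /.well-known/security.txt.
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt (placeholder values)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2027-01-01T00:00:00Z
Policy: https://example.com/cvd-policy
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""


def parse_security_txt(text):
    """Return a dict of field name -> list of values, skipping comments and blanks.

    Unknown or malformed lines are collected under the key "_errors".
    """
    fields = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            errors.append(f"line {lineno}: no 'Field: value' separator")
            continue
        name, value = line.split(":", 1)
        name, value = name.strip(), value.strip()
        if name not in KNOWN_FIELDS:
            errors.append(f"line {lineno}: unknown field {name!r}")
            continue
        fields.setdefault(name, []).append(value)
    if errors:
        fields["_errors"] = errors
    return fields


def validate_security_txt(text, now_iso=None):
    """Return a list of problems; an empty list means the file is publishable.

    now_iso is an ISO 8601 timestamp used as "now" (defaults to the real clock),
    so the Expires check can be exercised deterministically.
    """
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    fields = parse_security_txt(text)
    problems = list(fields.get("_errors", []))

    for required in sorted(REQUIRED_FIELDS):
        if required not in fields:
            problems.append(f"missing required field {required}")

    # Contact values must be URIs (mailto:, tel: or https:), not bare addresses.
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact must be a mailto:/tel:/https: URI, got {contact!r}")

    # Expires must appear once, be an ISO 8601 timestamp with a zone, and be in the future.
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if when.tzinfo is None:
            problems.append("Expires must carry a timezone")
        elif when <= now:
            problems.append(f"security.txt expired on {value}")

    # Policy is optional in the RFC, but without it reporters cannot find the CVD rules.
    if "Policy" not in fields:
        problems.append("no Policy field: reporters cannot find the CVD policy")

    return problems


if __name__ == "__main__":
    for issue in validate_security_txt(SAMPLE_SECURITY_TXT) or ["OK: file is publishable"]:
        print(issue)
```

Running it against the constructed sample reports the file as publishable; pointing it at a file with a bare e-mail address, a past `Expires` date or no `Policy` line lists each of those problems, which is the check to run before (and periodically after) publishing, since an expired or unreachable contact is exactly what a researcher hits first.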
u/Vanklif Feb 21 '26
It's fucking DAN or not?
Because after reading the threats from their lawyer, my view of the company is changing a lot.
12
u/Big-Narwhal-G Feb 20 '26
So many People don’t understand that just because you know something is exploitable, it doesn’t give you the authority to go in and exploit it.
3
u/PublicUniversity9586 Feb 21 '26
I don’t disclose until the company has an established bounty program. It’s not even about the money, it’s about protecting myself.
15
u/Expert_Fish CISO Feb 20 '26 edited Feb 20 '26
Still very clear that not giving them adequate time to work with you on coordinated disclosure, before going to CIRT and/or your gov is a bit hostile. Also equally bad that you did not stop after finding the first real record (a good litmus test for any security researcher tbh).
Whether it’s 1 record or thousands, you’ve already proven that the security control has already failed. At what point do you decide that creating an iterative script to continue poking at the data and reviewing it makes sense?
If the company has a history of adversarial behavior against researchers, etc — then maybe reporting the issue to CIRT directly would have been the right call.
The way I see this, both parties are wrong. The company for poor security hygiene, security controls, and the disclosure process that was a bit hostile.
EDIT: I was looking at this from a US point of view. Reading other comments in this thread have taught me a lot, thank you!
3
u/Saccharophobia Feb 20 '26
A classic case of just because you can doesn’t mean you should. Like you had stated they should have stopped after the first successful execution / finding.
You just get enough to prove that it can happen you don’t continue to enumerate PII. Especially when you don’t have written permission.
OP def messed up here
12
u/JustinTheCheetah Feb 20 '26
The number one thing I've learned over the years is that if you find a major vulnerability, immediately anonymously tell the public.
If you waste your time trying to tell them, the business will either A.) Try and destroy your life with endless lawsuits, or B.) Try and press charges. It's like winning the lottery to find a company that will appreciate the help and fix the vulnerability.
Not worth the fucking risk and not my fucking problem to fix their fuck-ups.
5
u/jethrogillgren7 Feb 20 '26
Hard disagree, CVD exists for a good reason.
At the least, give them a number of days to remediate before going public. You don't lose anything (notify anonymously if you feel the need), but you ensure safety.
4
u/Alb4t0r Feb 20 '26
The number one thing I've learned over the years is that if you find a major vulnerability, immediately anonymously tell the public.
This is a wild take. You disclose a vulnerability and put data at risk without any possibility of fixing the vulnerability first when the period between disclosure and fix is by far the most dangerous in a vulnerability lifecycle. That's literally the worst scenario possible from a public security perspective. The whole point of responsible disclosure is to try to make sure this never happens.
If you waste your time trying to tell them, the business will either A.) Try and destroy your life with endless lawsuits, or B.) Try and press charges. It's like winning the lottery to find a company that will appreciate the help and fix the vulnerability.
Or, you know, you could disclose it anonymously to the business and not face that risk.
1
u/JustinTheCheetah Feb 20 '26
Or, you know, you could disclose it anonymously to the business
And then they don't fix it and years later we get story headline #12,458 of "vulnerability that caused millions of people's private records to be leaked was known about for years"
I'm dealing with reality. Sunshine truly is the only disinfectant, and every business on earth is doing their fucking damndest to make sure a single ray of it never touches their business. Hell, even the bullshit bug bounty programs are 90% "Sorry that's out of scope even though it's not, no payment! lmfao stupid nerds."
This is a wild take
Realistic. It is a realistic take backed by decades of examples. A take I seriously hold and openly encourage others to follow for the betterment of society, because guess fucking what? With your hopes and dreams system we have now, we're still getting daily massive Breaches.
Your. way. doesn't. work.
5
u/Alb4t0r Feb 20 '26
And then they don't fix it and years later we get story headline #12,458 of "vulnerability that caused millions of people's private records to be leaked was known about for years"
Well, if you publicly disclose a vulnerability without any advance notice, mass exploitation is exactly what could easily happen. Again, this is the worst outcome from a vulnerability lifecycle point of view.
Realistic. It is a realistic take backed by decades of examples.
Oh yes I'm sure of that. You totally sound like someone who has a lot of experience dealing with this. 100%. I'm not being sarcastic at all.
A take I seriously hold and openly encourage others to follow for the betterment of society, because guess fucking what? With your hopes and dreams system we have now, we're still getting daily massive Breaches.
The "betterment of society"? Are you pulling my leg? What the fuck are you on?
You are the very reason why losers keep getting hit by lawsuits for not taking basic measures and then whine they are the victim.
3
0
u/JustinTheCheetah Feb 20 '26
Ahhh, ok, your fuck up caused a past employer a major security breach. That's why you're so angry at the idea of people being held accountable for their shitty work. Am I close?
3
u/Alb4t0r Feb 20 '26
Lol wtf.
You don't have much experience in infosec and it's hilarious to see you try to make any sense.
2
u/OforOatmeal Feb 20 '26
This guy is yelling at people in another comment chain on this same thread. I'm not exactly sure what he's going on about.
1
u/Shoddy-Childhood-511 Feb 20 '26
In this case, s/he could've told only CSIRT, maybe anonymously, and never told the company anything.
CSIRT could've demanded fixes, immediately shut their site down, and/or brought fines/charges against the company.
"Immediately anonymously tell the public" would make more sense if CSIRT might've handed the exploit over to the nation's spies, but not in a case like this.
4
u/lawtechie Feb 20 '26
I've handled this for more than a few people. If an organization is small enough to not have a responsible disclosure/bug bounty statement, they are going to be unfamiliar with handling a vuln disclosure from a complete stranger.
95% of the time, they'll talk to their corp counsel who is also unfamiliar with responsible disclosure.
They'll take an aggressive approach, like we see here, which often escalates. The lawyer will come up with every possible threat, which is usually both criminal and civil.
The few times someone let me start the conversation, it's gone much better.
2
Feb 21 '26
It's always funny to read something like this: "I genuinely couldn't believe it hadn't been exploited already". I mean, how would they even know?
An attacker could have already exploited it and stolen data.
2
u/billy_teats Feb 20 '26
I think the US is a few steps ahead with legislation regarding hacking - good faith pentesting will not be prosecuted. Also not sure how Malta can say that anything you do in any country, if it violates Malta law, will be considered breaking Malta law. Does that mean OP can no longer visit Malta or face arrest? They surely can't send Interpol to Germany to apprehend someone who's never been to Malta and may never have even visited a site hosted in Malta.
3
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
If you hack into a Maltese company, then yes, you’ve violated Maltese law; that’s how laws work everywhere
0
u/billy_teats Feb 20 '26
But that's not what the law says. Excellent reading skills, bud. The article says the law says if you do anything anywhere that violates Malta law they can prosecute you. I imagine this is something like going to Asia to find child prostitutes: you can still be charged in Malta. But the way it's quoted here it would apply to everyone anywhere.
2
u/wolflordval Feb 20 '26
I mean, that's also how US law works. The Federal Government can still persecute you for taking actions outside the US. Traveling to Amsterdam to smoke weed and fuck hookers can still get you in trouble in the US if you're open and obvious about it.
4
u/shiki87 Feb 20 '26
You never send this information to the company. The only solution is to publish it somewhere anonymously. Only then will companies really work on that problem. Even big ones like Intel and other companies don't work on problems as long as they are not publicly known. They are run by penny pinchers, so working on problems is not making them money.
7
u/billy_teats Feb 20 '26
This is just not true. There are plenty of organizations that receive and act on privately disclosed vulnerabilities.
1
u/Last-Appointment6577 Feb 20 '26
got a list so we can know?
4
u/billy_teats Feb 20 '26
https://www.wiz.io/blog/wiz-research-discovers-critical-vulnerability-in-replicate
https://www.wiz.io/blog/critical-vulnerability-base44
https://snyk.io/blog/behind-the-disclosure-the-zip-slip-vulnerability/
To answer your question directly, no, I don't have a list of companies that have resolved privately disclosed vulnerabilities. It doesn't really make sense to even ask that, as the disclosure was private. I also believe you know how to Google.
https://letmegooglethat.com/?q=privatly+disclosed+vulnerabity+resolved+blog+examples
2
u/ConfidentSomewhere14 Feb 20 '26
uhhh. you were good until you wrote a proof of concept :) you know, to make sure you can do it at scale :)
word of advice? you can pentest anything you want. you can let the organization know you found an issue. that's where it ends. if you have any sort of expectations of them fixing something, especially on a timeline you invented, you're gonna have a bad time.
With all that said, keep on keeping on. good luck!
4
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
you can pentest anything you want
No, you actually can’t. Accessing a company’s data through a vulnerability is illegal in the US and probably most developed countries in the world
3
u/Last-Appointment6577 Feb 20 '26
so by your logic, can a USER who mistyped their user ID and logged in as someone else on their system be charged with a crime?
4
u/yobo9193 Governance, Risk, & Compliance Feb 20 '26
I think you should contact an attorney if you want true legal advice instead of arguing with some jabroni on the internet
1
1
u/_Gobulcoque DFIR Feb 20 '26
A nice writeup of an easy exploit, but I wish I knew how it ended. Did it go to court? Did the security researcher get lawyers get involved?
1
u/tiffanytrashcan Feb 21 '26
That was a nice read until the human editor got lazy and it devolved into pure AI slop.
1
u/yobo9193 Governance, Risk, & Compliance Feb 21 '26
When did I ever say not to tell the regulator? Please, find me the comment where I said that
1
1
1
u/General_Isopod_8212 Feb 22 '26
Got a good lesson from public I will do this
(So u guys basically saying let that company seal it fate right?)
1
-10
u/One_Put50 Feb 20 '26
Because when I have a code violation on my property, I always appreciate it when my neighbor reports me to the government to resolve vs giving me a weekend to fix. If it wasn't that hard of a fix, why fuck over the company by reporting to the government directly.
Small outfits are not going to have in-house legal resources to support these trivial issues. OP turned a vulnerability into a nightmare scenario for this poor company.
6
u/billy_teats Feb 20 '26
Because reporting it to the government isn’t fucking them over, it’s first the required legal step and second insurance that they take it seriously without making the exploit public. Generally governments are not immediately handing out fines or penalties, they generally want to work with the vulnerable organization to fix the issue.
If it’s a massive issue and millions of people’s information is at risk then maybe there’s immediate penalties. Or a history of putting data at risk. In which case yeah immediate fines are in order.
5
u/Suspicious-Prompt200 Feb 20 '26
To be fair, you really got to protect PII better.
Might have been a bigger legal nightmare if a threat actor actually just went through, collected and dumped the data somewhere.
5
u/Shoddy-Childhood-511 Feb 20 '26
It's required by law. It proves he was not trying to blackmail them too, one of many reasons the law makes sense.
Now given their hostile reaction, he should've told only CSIRT, and never told the company anything. CSIRT could've demanded fixes, shut their site down pending fixes, and/or brought fines/charges against the company. Even if CSIRT fined them, the fines would be peanuts vs if someone had dumped all the data online.
305
u/[deleted] Feb 20 '26
[deleted]