Hello Mastodon! I haven't really posted anything here since I'm socially awkward but I come with a cry for help.

I am not a security professional (although I strive to be), just an engineer, so I need some advice. I found an unprotected endpoint on one of the sites I use daily for my business that allows read access to all documents, regardless of who they belong to. I disclosed the vulnerability to the company that owns the platform and their dev team is already working on a fix. The thing is, their OpSec is pretty much non-existent and I lack the knowledge to know what to do here. Is this something that should be disclosed to the public after it's patched? I also want to recommend they check their logs to see if someone has exploited this before, but I lack the confidence lol.

Could anyone tell me how I should recommend they handle this? Is this maybe something I should NOT do?

Thank you lovely people :)
#opsec #redteam #vulnerability #disclosure #infosec

@deathbyknowledge Hi! Not an infosec guy but I have found myself in your situation a couple of times. My advice is to not push the issue too much - you've alerted them to it, and that's all you can do.

Some companies can be combative and will accuse you of hacking them, and what you did was technically illegal (yes really).

@ZebraNorth Thanks for the tip. They have not been combative at all so far, but you never know.

The only urge I have is... my data is there too. I'd like to know if it has been compromised :/