Lemonade says website security flaw is ‘by design’ (techcrunch.com)
23 points by ecesena on May 13, 2021 | hide | past | favorite | 7 comments



I'm with lemonade here. This is a case of users sharing a hyperlink to a private page - a little like when you share a Google Doc with access to "anyone with the link".

The user shouldn't then complain if they give the link to everyone on the web via social media.

This exact pattern is also something less legit security researchers do deliberately to try to coerce companies into paying bounties. They deliberately try to leak OAuth tokens, verification URLs, Auth cookies and other secrets into Google search results, and then claim your site is insecure because "anyone with Google can see my private data!"


The conflict of interests by both parties here (short seller and lemonade) and the lack of any real details make it hard to form a conclusive opinion on this one.


Wow! I'm a lemonade customer and the fact that leadership twice mentions that leaking customer data is by design is mind-boggling to me. What product owner would suggest such a feature!?

Any recommendations for a replacement?


Tweet from the leadership: https://twitter.com/shai_wininger/status/1392892957787885573

"1/ Let’s set things straight up front: What @muddywatersre found were links to 4 insurance quotes shared by Lemonade users themselves. (aka, they loved it so much, they shared ‘em).

That is not a vulnerability, it’s by design!"

"2/ We designed our quotes to be shareable. If someone wants to send their quote to their family, friends, or mortgage bank, they can. Btw, turns out people post their quotes on Pinterest and UX blogs, and these are the ones they stumbled upon"

"3/ Since Google indexes Pinterest and blogs, these links end up being discoverable on Google."


I don’t get it. It appears that what is being “leaked” is quotes that users are choosing to share publicly on a public web page which then gets indexed by search engines.

What’s the actual vulnerability here?

The only “vulnerability” is the short seller saying that they were able to log into the user's account, but if they were able to log into the user's account, why were they only able to access their name and quote, information the users had chosen to share publicly, and were not able to access a whole host of other data that would be available if one were able to log in to a user's account?


Even if it's by design that you can share a page, you shouldn't be able to change account data, should you? And it sounds like the author didn't share their page and it was still accessible.

MW made a video: https://youtu.be/ILcjmnFCID8
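To make the design point in this comment concrete (a share link should be a read-only capability, never account access, and should not be indexed), here is an added sketch that is not code from Lemonade or from anyone in the thread; the insurer hostname, account ids and quote data are constructed, and `secrets`/`hashlib` are the standard library.

```python
import hashlib
import secrets

# Constructed sample data: one account owning one quote.
QUOTES = {"q-1001": {"owner": "acct-7", "name": "A. Example", "premium": 12.50}}
# Share tokens are stored hashed so a leaked table does not yield live links.
SHARE_TOKENS = {}


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def create_share_link(quote_id, token=None):
    """Mint an unguessable read-only link for one quote (token param is for tests only)."""
    token = token or secrets.token_urlsafe(32)
    SHARE_TOKENS[_token_key(token)] = quote_id
    return f"https://insurer.example/quote/share/{token}"


def revoke_share_link(token):
    """Owner can withdraw a link that ended up somewhere public, e.g. a blog post."""
    return SHARE_TOKENS.pop(_token_key(token), None) is not None


def view_shared_quote(token):
    """Read-only view. Returns (body, headers); unknown token yields (None, {})."""
    quote_id = SHARE_TOKENS.get(_token_key(token))
    if quote_id is None:
        return None, {}
    q = QUOTES[quote_id]
    body = {"name": q["name"], "premium": q["premium"]}  # no owner/account fields exposed
    headers = {  # keep the page out of search indexes and shared caches
        "X-Robots-Tag": "noindex, nofollow",
        "Cache-Control": "private, no-store",
        "Referrer-Policy": "no-referrer",
    }
    return body, headers


def update_quote(auth, quote_id, **changes):
    """Any write needs the owner's authenticated session; a share token never suffices."""
    if auth.get("kind") != "session" or QUOTES[quote_id]["owner"] != auth.get("account"):
        raise PermissionError("write requires the quote owner's session")
    QUOTES[quote_id].update(changes)
    return QUOTES[quote_id]
```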


I expected this issue to get more attention yesterday, people don't seem interested though. Their stock even went up a little bit yesterday. Strange.



