

What would you do? - ewokhead

I have been tinkering with the API of a pretty popular web service and I discovered that the email address of every user is easily mined from the site. The issue I have is that they say that they do not disclose any personally identifying information but by combining different API calls you can trigger a disclosure of user email addresses. It looks intentional as well.

I am in the process of writing code that will allow anyone to harvest the email addresses but I do not want to make it public. Is the public disclosure of email addresses a problem or just something that I am worrying about for no reason? I feel like businesses should be more careful about how they treat customers and how they treat customer data.
======
solox3
While it might be the case that they have a vulnerability somewhere, in that
[the email address of every user is easily mined from the site], there are few
reasons to [write code that will allow anyone to harvest the email addresses].

Yes, [businesses should be more careful about how they treat customers and how
they treat customer data], and I agree you should submit some sort of proof-
of-concept to the web service, privately, to improve [how they treat customers
and how they treat customer data].

~~~
ewokhead
Yes, I would definitely keep it private. How could I say I cared about the
disclosure of personal data and then disclose it? Thanks Solo3.

------
jat1
You should probably email them first to check that they are aware of the issue
or if indeed it is intentional.

If it is, and it is not mentioned in their T+Cs or anywhere on their site so
that their customers are aware that their affiliation with the service can be
discovered easily by third parties then I would consider it a problem. In this
case I think disclosing the company name so that its customers are informed is
not an issue but I would not release the tool to get the data.

