
Clinkle gets hacked before it even launches - austenallred
http://techcrunch.com/2014/01/30/clinkle-gets-hacked-before-it-even-launches/
======
sergiotapia
Oh please, this is not a hack. Just someone who found an internal-use
TEMPORARY api endpoint and ran a search query. The API did what it was
programmed to do, give me a break.

~~~
MichaelGG
While I agree just finding something isn't hacking per se, "did what it was
programmed to do" is a terrible excuse. By that definition, no exploit was
hacking because it "did what it was programmed to do". Even saying "yeah it's
like that by design" doesn't really excuse it.

~~~
codystebbins
Except in this case, as the parent mentions, it's not an excuse. Why would you
secure a type-ahead API that only has access to employee testing data?

It is by design that if someone finds the API they will be able to use it
without authentication and nothing is required on behalf of the "hacker" to
access it. Are all users of software hackers under this definition?

I do not believe they are lying in their statement that it was temporarily
open and intended to be closed; it makes sense to me why that effort would be
put off for test data.

------
revelation
_[Note: Twitter has a similar tool with the same name — it's unclear if
they're one and the same.]_

Lots of 'what?' moments in tech reporting lately...

~~~
FajitaNachos
Twitter does have a library named typeahead. I'm not sure if you meant that
was obvious, or I'm just missing the point.

[http://twitter.github.io/typeahead.js/](http://twitter.github.io/typeahead.js/)

~~~
revelation
This was a private API endpoint. typeahead is a client-side library for a
fancy autocomplete textbox from Twitter. It takes a lot of cluelessness to
somehow connect the two things as if they were one and the same.

------
zebra
You can't "hack" a service that doesn't exist. (I mean that until they launch,
this software is something obscure from the depths of the internet, not a real
service.)

~~~
krapp
It does exist, though whether this counts as a hack is a fair question.

------
joshmcmillan
A mixture of camelCase and snake_case? A travesty.

~~~
georgemcbay
I wish I could upvote this more than once.

------
catmanjan
First comment on article from a Clinkle engineer:

"how is this different from facebook or google plus search? i type in
someone's name, i get back their full name, profile photo, phone number if
it's public, etc."

Fair enough, the only real personal information is your telephone number, and
we don't know if they are operating like the white pages, opting out of
displaying that publicly.

~~~
21echoes
later on in the thread, the engineer specifies that users can make their phone
numbers private.

------
morgante
That's an extraordinarily generous definition of hacking.

~~~
benologist
AOL employs an extraordinarily generous definition of journalists.

------
jlgaddis
On one hand, I'm thinking "meh, it's in testing, it's not live, no big deal".

On the other hand, I'm thinking "how much other stuff are they going to forget
to lock down when they go live?"

There are two quotes on the back of my business cards. One of them says, "If
you don't have the time to do it right, when will you have the time to do it
over?"

------
immad
The developers of Clinkle should try to get the FBI to do a court case based
on the Computer Fraud and Abuse Act.

------
minimaxir
According to the Pastebin dump, one user has a user_id = 0

Why would you even design an application to allow that? Even if the user was
deleted (as potentially indicated by a null phone number), it's still a
conflict.

~~~
X-Istence
Why wouldn't you want a user_id being 0?

~~~
supergauntlet
I believe it has to do with Unix-like OSes always assigning the UID 0 to root.

~~~
lgas
This doesn't make any sense unless, for some reason, you are creating unix
users based on the users in your application and using the application user ID
as the unix user ID, which would be silly.

------
21echoes
in what world is a public profile search by name called "hacking"?

~~~
georgemcbay
The same one where Andrew "weev" Auernheimer is in jail for three and a half
years for doing essentially the same thing?

~~~
21echoes
so i'm about to go to jail for using the facebook search bar?

and weev actually had to do work to break the AT&T service... this looks like
he just searched for users.

~~~
georgemcbay
For using a website's search bar, no, but for using "hacker tools" like Chrome
Developer Tools' Network tab, seeing the resulting http data and then
rewriting it with a trivial value change and rePOSTing that to the server --
very possibly, if you happen to stumble upon a security issue that gives you
data beyond what the company initially expected you to get.

My point isn't to vilify the unknown "hacker" here but rather to suggest that
what is or isn't hacking varies greatly depending on whose point of view you're
looking at things from, how badly they'd like to shift the blame for their
errors to someone else, and how willing they are to go after you with the full
force of a federal prosecutor all too willing to jump on a trending gravy
train. We've set some very dangerous recent precedents where trivial "hacks"
have resulted in very serious punishments.

------
founder4fun
PR stunt?

~~~
georgemcbay
I doubt it; if so, it is horribly misguided.

This is the first I've heard of the company and I'm not inclined to use a
payment processing company where my first impression of them is they "leak
user data like a sieve".

Granted, they are still in development, this can all change, etc, but my first
impression is now set, and not in a positive way.

~~~
dmix
This is after their "leaked youtube video" proceeded to "reveal all" about
them, then turned out not to, or something.

More exciting trend-hopping startup news out of Silicon Valley and Techcrunch.

[http://techcrunch.com/2013/09/30/leaked-youtube-video-tumblr...](http://techcrunch.com/2013/09/30/leaked-youtube-video-tumblr-blog-reveal-all-about-stealthy-payments-startup-clinkle/)

------
tzs
MHP?