
Giggle; Laughable Security - DyslexicAtheist
https://research.digitalinterruption.com/2020/09/10/giggle-laughable-security/
======
p410n3
With vulnerabilities like these, there is a big problem in my opinion. Who
actually ever reports these?

The thing with vulnerabilities like those described in the post is that they are SO
EASY that you don't need any special infosec expertise. All you need is to be
able to install a program and use a REST API.

I would go as far as to say that this can almost be described as an open
database. The API completely exposed anything.

But how would Giggle find out about this if not for the OP? Their own
engineers were either oblivious to any security practices because they are
beginners, or they were ignorant about them (or didn't get enough money to
actually care).

A company like this will NEVER hire a pentesting company.

The kind of company that does actually pay for pentests, however, is very
unlikely to have vulnerabilities that are this trivially exploited.

Which leaves us with only two groups that will care about stuff like this:
Cyber-Criminals and Hobby Hackers.

The former will gladly pick that low hanging fruit for them, while the latter
has time and time again experienced abuse by the people they reported
vulnerabilities to. (Free of Charge of course).

What do you do? Drop an anonymous hint at your CERT? Those will get ignored
because they are anonymous, won't they? Do you give your full name? That's
dangerous too. The case of Alberto Hill[0] highlights this.

[0]:
[https://darknetdiaries.com/episode/25/](https://darknetdiaries.com/episode/25/)

------
smokelegend
I saw this unfold on infosec twitter, the CEO really dropped the ball on
handling this incident professionally.

The security researcher did nothing wrong here [IMHO]; they tried to report a
security flaw in the app. The CEO got pissed and took it as a personal attack
instead of thinking of the responsibility for users' safety on the app. (All the
while promoting her app as a safe place for users to share sensitive
information [i.e. photos, DOB, address, phone number, GPS location].)

Sad to see this type of response; the CEO has a lot to learn from this
situation about security for users and how to deal with security researchers.

Live n learn...

~~~
nix23
>Sad to see this type of response; the CEO has a lot to learn from this
situation about security for users and how to deal with security researchers.

This happens when you use twitter and mix your company with your personal
matters: you take it personally because your "baby" has a flaw, and not your
product.

Also, to all the future CEOs, STOP using twitter for anything other than
professional matters. You probably don't want to emulate Mr. Trump. Talk about
your product, your visions and the cool stuff you achieve with your team. Not
about you or the shit you read on others' twitter accounts; don't politicize
your product but put a vision behind it.

------
rmtech
> "we know this can often be notorious for mischaracterising and therefore
> excluding certain racial groups, some trans women"

If you have an app that's supposed to be only for women but you don't want to
exclude any trans women, how do you exclude a man pretending to be a trans
woman? Is there any objective difference between a real trans woman and a fake
trans woman?

~~~
Eldt
According to the CEO, trans women are actually men.