
I discovered the bug yesterday, followed responsible disclosure with US CERT (based at CMU, so we got things moving very quickly there), and the bug is now fixed.

If the CFAA bars legitimate security research like this, then we would all be truly fucked.

"If the CFAA bars legitimate security research like this, then we would all be truly fucked."

You must be new here. This is why we have all been saying that the CFAA is truly fucked, for many years now :)

But yes, you did play with fire on this one. People have been convicted for far more innocent activities than this. I assume you're a student or recent grad and may be a bit optimistic about the world we are in. Don't fuck around under your real name or IP address when you do this kind of thing. "Accidentally" dropping a ' into a webform just to see what happens is one thing, but you won't be able to feign innocence with something this involved. Unless you are both the client and the server, or the other party is unambiguously inviting testing (such as a bug bounty), you have no claim to legitimate security research.

It's still awesome that you found and drew attention to this. It's important work. But, cover your ass next time, or know what you're getting into. Especially hitting obscure companies like this, who notoriously exist in a culture very unlike the typical valley-type company, where such activity makes them feel very threatened and outraged, often turning to law enforcement or initiating legal action.

Also, the term you're looking for is coordinated disclosure. Do not let the vendors define "responsibility" as they have attempted to do with the injection of that term into the lexicon ;)

CFAA probably does bar research like this; your right to test something for security flaws technically ends where someone else's server hardware begins. In reality, the optics of this vulnerability are so bad that you are vanishingly unlikely to take any legal shit for it. But be careful extrapolating from it. If you have questions about the legality of this kind of testing (and you should): consult a lawyer. Small price to pay.

It's a good find. Congrats.

Wait, yesterday? And the fix is already deployed to production today? That's either some truly impressive engineering from a company that made a freshman-year-level security mistake, or whatever patch they put in place to fix this is just as leaky as the original bugged version and it's just a matter of time.

Theory: Devops disabled the security flag on the JSON API in order to perform integration tests, then didn't enable it until reminded.

This for sure! My theory has also been that it's possible they literally just needed to add "if (subscriptionApproved) {" to the top. Not exactly a ton of code!
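A defensive illustration of the theory in the two comments above, written as an added example that is not code from the thread or from the company being discussed. It contrasts a JSON API handler whose subscription check can be switched off by a plain boolean (the "disabled for integration tests" failure mode) with a gate that fails closed: the bypass only works when the process is explicitly built as a test instance, and building a production instance with the bypass set is refused outright. All names (`Request`, `AuthorizationGate`, the `APP_ENV` and `SKIP_SUBSCRIPTION_CHECK` variables) and the sample subscription data are hypothetical and constructed for the example.

```python
"""Added example (not from the thread): a JSON API gate that fails closed.

Contrasts a runtime flag that silently disables the subscription check with
a gate whose bypass is tied to an explicit test environment and otherwise
refuses to start. Every name and data value here is hypothetical.
"""
from __future__ import annotations

import json
import os
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    user_id: str
    path: str


# Constructed sample data: which users hold an approved subscription.
APPROVED_SUBSCRIPTIONS = {"alice": True, "bob": False}

# Constructed sample data: the content the API serves.
PREMIUM_CONTENT = {"/api/v1/data": {"rows": [1, 2, 3]}}


def leaky_handler(req: Request, check_subscription: bool = True) -> tuple[int, str]:
    """Before: a boolean can turn the gate off anywhere, production included.

    Whoever passes check_subscription=False for an integration run and forgets
    to restore it leaves the endpoint open to every caller.
    """
    if check_subscription and not APPROVED_SUBSCRIPTIONS.get(req.user_id, False):
        return 403, json.dumps({"error": "subscription required"})
    return 200, json.dumps(PREMIUM_CONTENT.get(req.path, {}))


class AuthorizationGate:
    """After: the gate fails closed and the bypass is bound to the environment.

    The subscription check can only be skipped when the gate is constructed
    with env="test". Asking for the bypass in any other environment raises at
    construction time, so a forgotten flag cannot open a production deployment.
    """

    def __init__(self, env: str, allow_test_bypass: bool = False):
        if allow_test_bypass and env != "test":
            # Refuse to build a handler that would run open outside test.
            raise ValueError(f"subscription bypass is not permitted in env={env!r}")
        self.env = env
        self.bypass = allow_test_bypass and env == "test"

    def handle(self, req: Request) -> tuple[int, str]:
        if not self.bypass and not APPROVED_SUBSCRIPTIONS.get(req.user_id, False):
            return 403, json.dumps({"error": "subscription required"})
        return 200, json.dumps(PREMIUM_CONTENT.get(req.path, {}))


def gate_from_env() -> AuthorizationGate:
    """Build the gate from environment variables (hypothetical variable names).

    The environment defaults to the strict case, so an unset APP_ENV is treated
    as production rather than as test.
    """
    env = os.environ.get("APP_ENV", "production")
    bypass = os.environ.get("SKIP_SUBSCRIPTION_CHECK", "0") == "1"
    return AuthorizationGate(env=env, allow_test_bypass=bypass)


if __name__ == "__main__":
    bob = Request(user_id="bob", path="/api/v1/data")
    print("leaky, flag off:", leaky_handler(bob, check_subscription=False)[0])  # 200
    print("gated, prod:", AuthorizationGate("production").handle(bob)[0])        # 403
    try:
        AuthorizationGate("production", allow_test_bypass=True)
    except ValueError as exc:
        print("refused:", exc)
```

The point of `gate_from_env` is that the strict behaviour is the default and the permissive one requires two deliberate settings that only agree in a test process; the check is still an ordinary `if` at the top of the handler, which is all the comment above suggests was missing.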

They just killed the try page entirely. It's now a redirect to the home page. Hopefully they don’t try to bring that page back up without fixing all the bugs...
