I did contact them via every medium I could find, not just email. Obviously, the response these folks got from the company should have told them they were talking to the wrong person, and they should have been more vigilant in attempting to contact the right person.
Their response was that it is not a bad or insecure system because the information is only available to logged-in users. So the API just needs an authentication header.
So all the user data could have been easily collected into one's own database using a simple script.
What does this mean? They tracked you down?
From my perspective, protecting the data of 10k users was just as important as, or more important than, protecting the data of 1.5m users.
I feel bad when people assume negative intent. I don't think anyone at this company wanted to violate the privacy of their users; they just didn't get the message through the right channels.
Care to elaborate on the logic behind that?
1) early users feel the most connected with your technology and are the most hurt when you screw them over. At that stage, it can sink your company.
2) fixing this when you have 10k users prevents you from leaking the data of the next 1.49m users.
Smaller companies that don’t have a bug bounty might provide a token reward just because, larger companies generally won’t.
Any company that hasn’t explicitly authorized ‘research’ might also choose to sue.
It's not because everybody stinks that you know about their stink or can exploit it.
It's a good example of how concerning this is, but they should have shown fake data there since this is still users' private data...
I am sure some civil servant could argue that, if people in "positions of power" were using such apps, that opened them up to blackmail and they should therefore be checked as a precaution.
So it looks like the crappy CCTV is getting an upgrade.
Privacy is important, however, so apps/services should not leak this kind of info. That's still a thing regardless of what the repercussions of leaked data could mean.
"Vote for this or we expose your $recent_embarrassing_breach data" is quite a powerful ultimatum, no? And the only way to win is not to play (e.g. never download and use a potentially embarrassing app), and we know that many aren't so digitally savvy, so this seems like a gold mine for nefarious uses.
I dunno, maybe it's too tinfoily, but it feels inevitable.
Although I heard they targeted a personal phone, I don't think it makes that much difference. Computers are insecure in all sorts of ways, whether it's your own phone or somebody's servers.
In that case they were trying to blackmail him into making some public statement, with pretty high stakes as far as I remember.
Kudos to him for not capitulating!
Or their blackmailers require the social engagements and outwardly positive attitude as part of the blackmail.
1) Companies collecting massive amounts of data will only use the data in a lawful and ethical fashion, even in cases where they perceive there to be a potential for significant gain in misuse.
2) Companies collecting massive amounts of data will, sooner or later, use that data in an unlawful or unethical fashion to exploit others in a way that stands to potentially significantly boost their power/influence/wealth.
I'm going a step beyond and suggesting the exploitation will come, not from leaks, but directly from the data harvesting companies. The reason is simple. Again, the two scenarios above are mutually exclusive and one must be true. So what would you place the probability weighting as? I think most everybody would agree that the probability of #2 is very near 100%. It's also possible that it is literally 100%, in that it has already happened but we don't know about it. Truly effective blackmail would obviously not be headline news.
"Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years"
Along the same lines: Chris Christie was also very anti-T before T got the nomination.
So by that logic JFK and MLK were also pretty low? Oh wait--I'm not sure they were doing actual porn stars.
People who want lots of sexual partners seek ways to get that. Many people are attracted to the powerful. So people who can't stand to keep it in their pants are more likely to seek positions of power.
Sexual aggression has been a virtue signal of male power and status since the days when kings compared the size of their slave harems. Modern men have been taught through all forms of commercial media that their value as people is directly proportional to the amount of casual sex they have. Culturally, power and sex have always been linked.
When Trump said he could just grab women by the pussy and get away with it, of course, he was right. At that level of privilege one often doesn't need to keep it in their pants. Propriety and chastity are for lesser men to whom legal and social consequences can be applied.
Maybe it's simply due to the existence of social media and an actual positive effect of "outrage culture" but a few decades ago such people would have been all but untouchable.
> "So does the scum," said Vimes automatically
-- Snuff by Terry Pratchett
Isn't that an informal assessment of American culture?
Weird sex stuff can certainly be used to affect people in powerful corporate positions.
The sheer volume of data and highly motivated state actors who are outside any legal risk both seem pretty high.
Imagine sending emails like that at scale in key voting districts. Sure it would get shut down. Substantial, irrevocable damage could still be done in the form of voter suppression.
You mean it would get shut down if done officially? Otherwise, I don't really see an option of shutting it down once the emails are underway. I doubt that providers will manually kill emails from their users' mailboxes, even if they were allowed to.
May I be allowed a different opinion?
The primary reasons people can be blackmailed seem to be because they've not been forthright, or, they themselves perceive it as wrong.
So yes I completely agree with you, once those 2 issues have been teased apart. The GP comment with "obviously corrupt and disgusting" was objectionable. TBF looking at other comments I see little or none of that.
For example, there was the comedic Ted Cruz Twitter scandal in which his account liked a Pornhub video featuring incest play. He claimed it was a staff mistake and moved on.
True, if a web cache (not under exclusive control of the company) can be queried for this data by a 3rd party, it sure is a big problem. But that is an operational fuck-up more than a fundamental design flaw.
How did these pen testers get access to server requests, inside the HTTPS traffic with 3fun's servers? I'm curious how they got access to this info. I'm also curious why nobody else appears to be asking that question. Did I read the article too quickly and miss something that explains how they did that?
The data they are examining was meant so the app knows how many people are "in your area", but instead of just giving you some vague information, it's giving you the exact coordinates of other users, and identifying info about them.
That's the whole point - it's not uncommon for (very) junior programmers to not understand the difference between client and server-side validation. This is absolutely a leak.
The easiest way would be to use an HTTPS debugging proxy like Charles.
But really, since the testers control the client device, they can do whatever they want.
The problem is that 3fun trusts the client to keep other users' data private. This is pretty obviously a bad idea, since attackers can modify the client in pretty much any way they like.
I made the mistake of assuming that the web API would only give access to data related to a specific client device (thus only "leaking" info about that client).
If their web API gives access to info of other clients, that is indeed a serious design fuck-up.
Edit: I didn't notice that the article mentions the problem was fixed before publishing, although they don't say how well it was fixed.
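An added example, not code from the thread or from 3fun, of the server-side difference the comments above are arguing about: a "nearby users" handler that hands the client whole records with exact coordinates and trusts it to display only a count, beside one that returns just the count and coarse distance bands, plus a profile lookup that enforces the per-user authorization check (a logged-in user may read their own record and nobody else's). The user records, coordinates, 25 km radius cap and band boundaries are constructed for illustration; the hardened version's exact shape is this editor's choice, not the fix the app actually shipped.

```python
"""Constructed 'people in your area' API, vulnerable and hardened.
Records, coordinates and limits are made up; none of this is real data."""
import math

# Constructed sample records; none of these are real people.
USERS = [
    {"id": 101, "name": "alice", "email": "alice@example.invalid",
     "birthday": "1990-01-01", "lat": 51.5007, "lon": -0.1246},
    {"id": 102, "name": "bob", "email": "bob@example.invalid",
     "birthday": "1988-06-15", "lat": 51.5014, "lon": -0.1300},   # ~0.4 km from alice
    {"id": 103, "name": "carol", "email": "carol@example.invalid",
     "birthday": "1992-03-09", "lat": 51.5194, "lon": -0.1270},   # ~2.1 km from alice
    {"id": 104, "name": "dave", "email": "dave@example.invalid",
     "birthday": "1985-11-30", "lat": 52.2053, "lon": 0.1218},    # ~80 km from alice
]

MAX_RADIUS_KM = 25.0  # assumed server-side cap; the attacker does not get to choose it


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _in_range(me, lat, lon, radius_km):
    return [u for u in USERS
            if u["id"] != me and haversine_km(lat, lon, u["lat"], u["lon"]) <= radius_km]


def nearby_vulnerable(me, lat, lon, radius_km):
    """What the thread describes: every stored field, exact coordinates
    included, is returned and the client is trusted to show only a count.
    Anyone replaying the request with their own auth token (and a large
    radius) gets the whole user base."""
    return _in_range(me, lat, lon, radius_km)


def nearby_hardened(me, lat, lon, radius_km):
    """Return only what the feature needs: a count and coarse distance bands.
    No identifiers, no coordinates, and the radius is capped server-side so
    a modified client cannot widen the query to enumerate everyone."""
    radius_km = min(radius_km, MAX_RADIUS_KM)
    bands = {"<1 km": 0, "1-5 km": 0, "5-25 km": 0}
    for u in _in_range(me, lat, lon, radius_km):
        d = haversine_km(lat, lon, u["lat"], u["lon"])
        if d < 1:
            bands["<1 km"] += 1
        elif d < 5:
            bands["1-5 km"] += 1
        else:
            bands["5-25 km"] += 1
    return {"count": sum(bands.values()), "bands": bands}


def get_profile(me, target_id):
    """Profile lookup with the server-side authorization check: the
    authenticated user may read their own full record and nothing else.
    Authentication (the header) says who you are; this decides what you get."""
    if target_id != me:
        raise PermissionError("not your profile")
    for u in USERS:
        if u["id"] == target_id:
            return u
    raise KeyError(target_id)


if __name__ == "__main__":
    me, lat, lon = 101, 51.5007, -0.1246
    print("vulnerable (10 km):", nearby_vulnerable(me, lat, lon, 10))
    print("vulnerable (1000 km, widened by attacker):",
          len(nearby_vulnerable(me, lat, lon, 1000)), "full records")
    print("hardened (1000 km, capped server-side):", nearby_hardened(me, lat, lon, 1000))
```

The point of the pairing is the one made in the comments: the authentication header only tells the server who is asking; which fields come back, how precise the location is, and how far a query may reach are authorization and data-minimisation decisions that have to be made on the server, because the client can be anything the tester (or attacker) wants it to be.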
And no, I am not going to end this with a paternalistic or moralistic statement.
This really doesn't seem like that big of a deal to me.
I'm surprised it hasn't been done before.
I don’t know if it’s because they’re less secure than their competitors or because they’re a bigger brand so their security is looked at more often. I suspect they have terrible security but are probably a lot more secure than their smaller competitors.
I suppose that could be the case; however, I am fairly unconvinced that this has any real effect on the population in comparison to the cost of having a child, coupled with the rise in understanding of the costs involved with having a child.
Our Childless, Childish Culture
By MADELEINE KEARNS
August 8, 2019 3:34 PM
In the Western world and Asia, fertility is below replacement level, and in the Western world, the fraction of children born out of wedlock, who do worse than children of married couples by any measure, is rising. So I think working on something like eHarmony is much more moral than the app discussed in this thread.