Step 6 happened because the CEO, in his hubris, decided it would be in his best interests to threaten someone instead of being grateful.
Additionally, had the CEO responded appropriately and followed the standard methodology of all reasonable bug bounty programs, it would have included a request for the researcher to verify the fix and that there are no additional related bugs or defects with the current patch.
You noticed that the email implies the security has been perfected. Did you also note that it would be unethical for a professional to blindly convey that false belief?
I'm wondering how it's possible that step 6 happened, not what the motivations are. It's written in multiple places as if database queries were issued after the database was taken down.
I think the data he discloses in the post is the data he got before getting in contact with the company. He does this in order to prove that the database was accessible to anyone on the internet, instead of the "no breach at all" claimed in the response email.
He writes as if he has access to large quantities of data after the CEO responded to him, which implies that it was after the exposed database was fixed, as the author acknowledges in the email he sent to the CEO.
No, I did not query the database after it was exposed.
The information I had was from when the database was publicly exposed.
I don't want to be too specific about the links for the files, as I don't know if others accessed this information and could exploit it, but they had the website path to download the files exposed on the database; you just needed to know what to add to it. I tried a few things from the information I had and found out they worked.
I would have probably skipped over this, but after their response I wondered if there was more to it.
The files were not stored on the database; they were in cloud storage, but that link made it so no authentication was required to access them (not an expert, but I would say some hard-coded access keys or something similar).
To which the CEO was rude, dismissive and threatening, which is often a sign of having something to hide. I assume the author decided to then verify whether the threats were made from a position of strength or weakness.
I read his email as a polite gesture, giving them a chance to request more time. I'm still confused as to what parts you're missing. Are you trying to imply something, or do you really not understand that people can lie and withhold information?
> The email was read by someone, I assume the CEO, and less than an hour after it was sent, I could not connect to the exposed server anymore.
This was after the author's first email, and before the CEO's reply.
What tptacek was getting at is that the article is a bit unclear on when the review of DB contents occurred, since the author no longer had access. (But I think it’s just because the author reviewed the contents already before they reported the issue.)
1. He discovers an unprotected database.
2. He mails the CEO of the company.
3. The database is fixed.
4. He mails the CEO again to say he's publishing.
5. The CEO replies and says there was no security breach.
6. He goes spelunking in the database tables to write a rebuttal?
How does step 6 happen? What has this person exfiltrated from the database, in advance of losing access to it in step 3?