Hacker News

Update: I misunderstood, I'm sorry. I wasn't trying to attack but trying to show my concern because I thought he saved some id/keys for himself. Please ignore my comment below.

--

"Still managed to get a few dozen AWS keys though"

Good for you! What a nice person you are. Please abuse more small projects like this. Even if they say it "was only meant for friends to test out".

Oh I see, you just found a security hole and are trying to get some reputation? Cute. Please do it by abusing the small power you found and hurting innocent users. That's really, really nice of you.

"Still managed to get a few dozen AWS keys though"

Wow. Just wow.

You sir, just ruined my night. Thank you.

Ps. I am really concerned about your company and its users. If you can do something like this, I wonder what else you could do (or are doing) at your current company. I hope I'm assuming wrong.

edit: "the" » "your". last paragraph.




Perhaps you're misunderstanding my course of action.

1. I didn't disclose how to do it, merely that it was possible.

2. By "get" I in no way mean harvested. I just manually incremented the ID in the URL by hand in my web browser to see how many users could be affected.

3. Since I never saved any of the information (just viewed the pages) I no longer have it since the flaw was patched.

Nothing malicious was done.


Sorry, I think I misunderstood your comment. I thought you saved some info to yourself.

I'll update my comment above.


It's massively important that people bring security issues into the open. Talking about these things creates pressure on developers to build secure web apps. Not talking about them because people like you get 'upset' about "hurting 2 nerds' inspiration" means we get poor information security policies all over the Internet.

As it stands we don't know whether hostile agents (silently) got copies of the AWS keys of every user on the site. That should be incredibly concerning for you, but apparently it's not.


Thank you, yes I'm aware of these. I was trying to focus on the fact that the person who found this security hole used it to get some of this data to himself. But apparently I wasn't clear enough.

I'm still trying to improve my English. Next time I'll try to be more clear. Thank you.


I'm sorry man, but this kind of mistake is unacceptable even for a prototype. This is basic authentication and access control stuff. You'd at least expect this to be implemented if you're giving them your email, needless to say an Amazon token.

The problem with this is that people become more skeptical in general about new products/companies, which is bad for the community as a whole.

The issue here is how do you deal with this kind of thing? Assuming it is in fact bad for others who are trying to get people to test their prototypes, how do we help avoid basic pitfalls like this one? This could be a service...
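The access control gap the thread describes (a record fetched by an enumerable id with no check that the requester owns it) next to the fix, as an added example in Python that is not code from the thread or from the app being discussed. The record store, user names and credential-like strings are constructed sample data, and the function and class names are my own.

```python
"""Object-level authorization: the missing check behind an enumerable-id leak.

Added example, not code from the thread or the app it discusses. All data
below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    secret: str  # stands in for a stored credential; constructed value


# Constructed sample store with sequential integer ids, like the app described.
RECORDS = {
    1: Record(1, "alice", "EXAMPLE-KEY-ALICE"),
    2: Record(2, "bob", "EXAMPLE-KEY-BOB"),
    3: Record(3, "carol", "EXAMPLE-KEY-CAROL"),
}


class NotFound(Exception):
    """Raised when a record is absent or not visible to the requester."""


def get_record_vulnerable(current_user: str, record_id: int) -> Record:
    """The pattern the thread describes: the id alone selects the record.

    `current_user` is the authenticated caller, but it is never consulted,
    so any logged-in user can read every record by changing the id.
    """
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return rec


def get_record_checked(current_user: str, record_id: int) -> Record:
    """The fix: authorize on the object, not just on the session.

    A record that exists but belongs to someone else is reported exactly
    like a missing one, so the response does not confirm which ids exist.
    """
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != current_user:
        raise NotFound(record_id)
    return rec


def exposure_count(handler, current_user: str) -> int:
    """Regression check: how many stored records one user can read through
    `handler`. For a correct handler this equals the records that user owns."""
    readable = 0
    for record_id in RECORDS:
        try:
            handler(current_user, record_id)
            readable += 1
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_record_vulnerable),
                          ("checked", get_record_checked)):
        print(f"{name}: alice can read {exposure_count(handler, 'alice')} "
              f"of {len(RECORDS)} records")
```

The `exposure_count` check is the sort of test worth keeping in the suite of any app that stores credentials on behalf of users: it fails the moment a handler starts returning more records than the caller owns, which is what a proper ownership check prevents regardless of how guessable the ids are.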


Why are you upset with him? At least he informed people. You should be more upset with an insecure app. A less talkative person would just keep it and use the AWS accounts for bitmining.


Please read my comment again :)

You can find a security hole and report it. That's nice and good behavior. But when you say "I have compromised the data with me", then you are being evil.

I signed up to the app because I liked the idea and wanted to support them. I knew that their app was still in the alpha stage.

I'm upset about his behavior. I'm upset that his behavior might hurt 2 nerds' inspiration.

I'm not upset that he got my keys.

But you are right. His behavior is still better than not saying anything.


> I'm upset about his behavior. I'm upset that his behavior might hurt 2 nerds' inspiration.

I'm hoping they're inspired to write secure code from line one.


If anything, he did you a favor. You're probably going to create new keys now, whereas you might have written it off as a hypothetical vulnerability otherwise.


You're so right! Writing secure web apps is for pussies.



