“Found vulnerability, getting ignored. Next steps? I have been sitting on this security vulnerability since early 2020, I accidentally discovered it whilst working on another unrelated project and just happened to browse upon the page with dev tools open.”
He also added that the organization is putting around 100,000 booking records of users of an Airbnb-type gig-economy business at risk. Even after being notified of the concerns and receiving a copy of the data together with suggested remediation steps, the company has so far not taken any action to address them.
Hacker's Intentions Towards the Vulnerability
The hacker stated that he has made attempts to report this to his nation's official cyber security authority, but months later he is still waiting for a response. He also got in touch with the site's creators and started a back-and-forth email conversation in which he shared everything he knew about their website's vulnerabilities.
They promised that their development team, located in the Philippines, would fix the problem by the end of 2020, but when he checked the same vulnerability a few months later, it had still not been fixed. He contacted the creators once more, this time providing a redacted version of the data, but received no response.
Hacker Can’t Decide Whether to Leak 100,000 Records
The concerned individual seems unsure of what to do next: "Should I follow up again, and if nothing is done go public?" he asked at the end of his Reddit post. The responses from users varied widely. Some voted for leaking the exposed data, while others raised concerns about the legal side of publishing private information:
"Be really careful with that. If it's really a huge thing you could get in really serious trouble if you just publish it. Try to reach them a few more times with the clear statement that you have to inform the public if they do not respond. And don't do it on Twitter. Contact some journalist (maybe someone you know or a friend of a friend) and talk to them. Just publishing it could be illegal." wrote one of the Reddit users under the OP's post.
Some users also voted against leaking the data, arguing that innocent people don't deserve to be put at even more risk: "Please don't disclose it publicly. These things always harm people at the bottom. Not going to hurt the upper mgmt at all. If the data contains the customer/client contact email/phone, you could do a mass notification directly to them. It is their info being openly shared. I'm sure they have more legal options."