ADD Posted January 16, 2014

Hi all,

I've found a quite bad security leak exposing a bunch of customer data in an app created by a small startup. It's a really obvious hole. I simply made 2 accounts, logged in with one, went to the edit page of my account containing my info (email etc.), then changed the ID in the GET request to the other account's ID. It's scary how easy this was. I never looked at other customers' data. The GET URLs just seemed so insecure that I had to try whether this would work.

Anyway, I really want to make the issue clear to the company so they can fix it. However, I'm worried they might not take this so well. I'm afraid they will take more notice of the "I can view all your customers' data" part of my story than the "and I'm here to help" part. Of course I could leave a nice note in their contact form without an email address and hope they don't keep any access logs (wouldn't be surprising at this point). But that just doesn't seem right.

Does anyone have any advice on how to go about this? Any experiences in this area maybe? Should I be worried at all about legal troubles?

Thanks!
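The hole described in the post is a missing object-level authorization check on the account edit endpoint. The following is an added illustration, not code from the original post or from the startup's app: it shows the trusting handler beside a hardened one that ties the served record to the authenticated session and logs refused requests. The function names, the in-memory account table and the two accounts are constructed for the example.

```python
# Added example; not the app's or the poster's code. Data and names are constructed.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    id: int
    email: str

# Constructed sample data standing in for the app's customer table.
ACCOUNTS = {
    1: Account(id=1, email="alice@example.com"),
    2: Account(id=2, email="bob@example.com"),
}

# Sink for refused requests; repeated entries from one session are the
# signal a defender would alert on (a user walking through other ids).
AUTHZ_LOG: list[str] = []

def log_authz_failure(session_user_id: int, requested_id: int) -> None:
    AUTHZ_LOG.append(f"user={session_user_id} requested account={requested_id} denied")

def edit_page_vulnerable(session_user_id: int, requested_id: int) -> tuple[int, Optional[Account]]:
    """The pattern the post describes: the server only checks that *some*
    user is logged in, then loads whatever id the GET parameter names,
    so changing the id in the URL returns another customer's record."""
    if session_user_id not in ACCOUNTS:
        return 401, None
    account = ACCOUNTS.get(requested_id)
    return (200, account) if account else (404, None)

def edit_page_hardened(session_user_id: int, requested_id: int) -> tuple[int, Optional[Account]]:
    """Object-level authorization: the record served is the one owned by
    the authenticated session. A client-supplied id that does not match
    is refused and logged rather than silently honoured."""
    if session_user_id not in ACCOUNTS:
        return 401, None
    if requested_id != session_user_id:
        log_authz_failure(session_user_id, requested_id)
        return 403, None
    return 200, ACCOUNTS[session_user_id]

if __name__ == "__main__":
    # Logged in as account 1, asking for account 2's edit page.
    print(edit_page_vulnerable(1, 2))  # leaks the other account's record
    print(edit_page_hardened(1, 2))    # (403, None), and an AUTHZ_LOG entry
```

The simplest robust form of the fix is to drop the id parameter entirely and always load the record belonging to the session; the check above is shown explicitly so the difference between the two handlers is visible.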