Oof, that's bad behavior. I wouldn't be proudly blogging about this.
On the other hand, if he had stopped at this point, the company would have no idea about the weak admin credentials that could lead to a real data breach and internal compromise at a later date.
If this were someone employed under me as a security professional they would be fired for negligence.
I see HN as a place for collective learning. I don’t see what we can learn from this post.
As his bio states, he's a software engineer - clearly not a security professional, because he's steamrolling right through all infosec ethics.
A quick Google search for his username yields his GitHub with his real name, and he has a LinkedIn. He graduated from the same university as me.
Blackhat is not a good hobby, especially not with no opsec.
Putting your ident in the clear (or at least trivially bound to a real ID) is not better than having shitty security defaults.
> The eighth-largest retailer in the United States, it is a component of the S&P 500 Index. [...] As of 2019, Target operated 1,844 stores throughout the United States.
https://hackernoon.com/timing-based-blind-sql-attacks-bd276d...
Timing attacks let you get a boolean true or false answer from an injected query and, I think, guess secrets: any correct guess will give a delayed response, and a false one will return immediately.
Ding, Ding, Ding! I think we have a winner for the fastest way to the unemployment line.
The employer should be performing proper audits and password rotations and/or educating their employees. It should never be "stupid users", but "stupid me".
I'm not saying that's good, but I could definitely see it happening.
Sorry but no. No.
I want to clarify that the post/report has been agreed with the consultancy. Some of you would consider this as bad behavior from my side, and I'm sorry to hear that. What would you do if you ever find something like this? All this has been reported, and it's being fixed. DISCLOSURE accepted, and that's why the post/report won't contain names ever. IMHO bad behavior is having all this information available "open to the Internet", waiting for someone else to come with really unethical purposes. If you ever find a vulnerability and keep quiet about it, I don't think that makes you any more ethical.
Regards,
edbrsk
As an aside, your writing style comes off as arrogant and childish. Proper disclosures don't read like Hackers fanfic.
I don't see where I'm being arrogant in the post, and actually, you are right, it's not a "professional" report, it's just the summary about how "easily" some data can be stolen, and what people with really bad purposes could do with a little bit of luck (the "big" problem is just weak credentials in the end). It's a blog post, not the report itself.
About clarifying the measures and the communication with the company, this is something that is not related to the idea of the post, and no one else's business.
Someone else published my post here in HN, and I saw some "overreacted concerns", my idea was just to say: "They know, it's safe, I'll help to fix things, don't worry. Take care of your creds, that's all". Also, thank you for the tip, I'm about to get the OSCP soon, I'll take into account your advice.
Regards,
edbrsk
But, the cyber security professionals working in the consultancy firm can easily gather the small pieces of information left behind and sue him if they find out about data extraction, for example.
Keep in mind that he claims he extracted sensitive data, but he could be lying just to be in the HN front page. Who knows.
Unethical, risky… and very stupid.
With the "Usuarios" term it wouldn't be too bad, Latin/Greek technical terms mostly are the same in most English and Romance countries.
But, please, never give location info to anyone, FFS.
Where are they supposed to get this information if they're never taught it?
> at what point would they be so blind as to not know / have read about hacks of others and/or the existence of haveibeenpwned and seen the error of their ways?
Most people outside the tech departments have no idea what those things are. They think hacking is stuff that happens in movies, not in real life.
Sorry, but yes yes.
If you don't do this, the customer DPO might stop the project anytime, or you would have to undo all the reso it again until the DPO approves it.