this post was submitted on 21 Feb 2026
101 points (99.0% liked)

Technology

81611 readers
4591 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
101
I found a Vulnerability. They found a Lawyer. (dixken.de)
submitted 4 hours ago* (last edited 3 hours ago) by Beep@lemmus.org to c/technology@lemmy.world
4 comments fedilink hide all child comments
 

Lobsters.

While on a 14 day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I'm personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn't believe it hadn't been exploited already.

I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.

This is the story of what happened when I tried to do the right thing.

you are viewing a single comment's thread
view the rest of the comments
[–] Arghblarg@lemmy.ca 41 points 3 hours ago

I had a similar experience many, many years ago -- before the rules for vuln embargoes were formalized; and I wasn't even a security researcher. I was just a techie who discovered that the broker's staff were resetting anyone's forgotten password to the same temporary word. And like in this article, they had no mechanism to force users to reset the temp password on next login to something unique. I'd asked to have my password reset at some point, having forgotten it, and upon logging in with my user ID accidentally swapping two digits, found myself in someone else's brokerage account, with substantial funds staring me in the face! And, their email and personal details.

I disclosed the issue to the broker, but out of paranoia, did it through a throwaway email account, from home, not work (I should've used a VPN, but back then I wasn't as aware of such things). From that throwaway email, I also notified the person whose account I'd accidentally logged into, urging them to check their account and contact the broker to ensure no one else might have gotten into their account.

A day or so later, I got a call at my work phone from someone at said broker, asking if I had seen any unusual activity on my account, and that they had seen some suspicious activity from our company's network (remember, the accidental login to the other person's brokerage account occurred at my work PC)... I suspect they were fishing for info pointing to my being the one who accidentally accessed someone else's account. I played dumb, as the call did NOT have good vibes; I could sense they were looking for a 'hacker' to scapegoat, not calling just to inform people there was a problem.

Thank heavens I didn't reveal that I knew anything about the vulnerability... I had just reset my password, nope nothing unusual here, nosirree... but within a day or two their password reset procedure had been changed for the better and emails were sent out stating that a 'security incident' had occurred.

Lesson: Do NOT trust that your security report will be taken as being helpful. Most companies will try to throw you under the bus if they can, to save face.