Ask HN: Reporting major security/privacy flaw etiquette?

2 points by scottmf ↗ HN
There's a popular website which I'm sure a lot of people here will have used. It sells products. When you checkout as a guest you must give an email address to associate your purchases with.

If you later sign up, your purchase history associated with your email address can be accessed in your account (helpful!).

And when you sign up, you don't need to verify your email address right away (also helpful!). You're automatically logged in.

As a result, you can sign up with anybody's email address and view the entire purchase history associated with that email address. You can even use their unused products, initiate refunds, etc.

I contacted the company directly and spoke to someone (although it took a couple of hours to get their attention). I also happen to know someone who works for the company and let them know. They spoke to the dev/security team.

It's been about 24 hours since I reported the flaw to both, and the flaw is still there. I worry they may not be taking it very seriously since it stems from intended behavior. Perhaps they don't understand the security and privacy implications?

This is a large company with tens of million of monthly customers.

How would you deal with this situation?

And how long is too long for this flaw to remain unpatched? I've only worked in small companies where this would be fixed in seconds, and I understand they may have more complex protocols for pushing changes to the live site, but it seems disproportionately slow.

0 comments

[ 1.6 ms ] story [ 8.0 ms ] thread

No comments yet.