Ask HN: What to do when discovering a vulnerability?

1 points by carvin ↗ HN
Hi HN,

My wife just realized she's been victim of identity theft (bank account opened at her name, address, even her SIN) and when she thought about the last place where she entered these information, she remembered a portal for city services where she recently created a profile. I looked at the network activity on Chrome dev tools, found the profile page HTTP request, and played it with another ID. You can probably guess what happened next: I was able to access other people's profiles. This website is a portal for around 300 towns, and I estimate there are about 150,000 users with all their confidential information: name, address, phone, email, DoB AND, most importantly, SIN.

Question: I took 3 screenshots (personal data has been removed), what should I now do? Alert the company discreetly? Alert the city that we used this platform for? Police? Media? Should I go anonymous?

Bonus, In order to fetch my screenshots, I worked on my computer, I basically created a fake account (you have to have an active session to get the data), and the website does not even do email profile activation.

0 comments

[ 3.0 ms ] story [ 15.0 ms ] thread

No comments yet.