5 comments

[ 1.4 ms ] story [ 19.1 ms ] thread
The title is a bit misleading. I don't see any evidence of a hack. Just because a vulnerability was discovered doesn't mean it was used to compromise accounts. It is possible, but it was always possible with or without this vulnerability being disclosed now. If it did occur, this may not have even been the method used.
I work at Ning. I can confirm this hole was recently patched.
In fact, one of referenced articles [0] states the students disclosed the hack to Ning in March. It's not clear when the hole was patched, but I have a hard time believing it has been nearly a month between the hack being demonstrated to Ning and Ning releasing a solution. Furthermore, it appears the Dutch news sites and TNW's translation are only reporting on the issue because the students are comfortable in now releasing this information, only after Ning has patched the vulnerability, BEFORE millions of accounts could be compromised. In this regard, I don't understand TNW's tone nor this post's title.

Of course, Ning should certainly come forward with their findings and what diligence was made.

[0] http://webwereld.nl/nieuws/110261/ning-lekt-accounts-100-mil...

It got ignored for a year. That's an argument for Full Disclosure, at least to me.