Stumbled across a huge security hole on a media website.

Elwood P. Dowd

kiwifarms.net
Joined
Nov 15, 2016
And I've been happily downloading media that's typically kind of a hemorrhoid to get your hands on, at least in my experience, when sailing the high seas. My sense is to keep this to myself, but is there any point to going public with it? It isn't even me doing anything but using the site as it is intended. Well, until I start copying files to the ol' External HD. Said files are also unprotected and in an immediately accessible, common format.

Don't wanna be more specific, at least for the present, since I think this hole would be trivial to fix. There are some limitations on it, some items I wish were available but aren't, but when it works it works perfectly. It is so obvious I'm honestly shocked I've never seen it mentioned elsewhere. What's bizarre is that the site's security is typically pretty good, certainly more than I can figure out in the usual scheme of things.

Yes, I'm a faggot, and yes this may be the equivalent to "Tits or GTFO" moment. I get all that. Just curious what others would do in my shoes. Wanted to do a poll, but I guess polling is disabled on the autistic part of the site.
 

Penis Drager

My memes are ironic; my depression is chronic
kiwifarms.net
Joined
Aug 8, 2020
The site in question almost certainly has some form of "contact us" page linked at the bottom of the page. Send them an email regarding the security flaw with screenshots of examples and explain how this could be exploited by a nefarious actor.
Be brief and frank about the problem and they will most likely fix it before coming public themselves about the issue and any action that should be taken by users of the site prior to the fix.
 

Liber Pater

Huwhyte Christmas
kiwifarms.net
Joined
May 10, 2019
@Elwood P. Dowd What kind of "media" are we talking about and is it something I would want on my hard drive? I don't think employees of media companies are going to be bug-hunting on the KF Q&A board (especially if they're as lazy about infosec as you make them sound), so I think you'd be alright mentioning the name of the site here without tipping them off about the bug. Especially if you were going to eventually report it anyway.
 

Tookie

Mountain of Molten Lust
True & Honest Fan
kiwifarms.net
Joined
Oct 10, 2014
The site in question almost certainly has some form of "contact us" page linked at the bottom of the page. Send them an email regarding the security flaw with screenshots of examples and explain how this could be exploited by a nefarious actor.
Be brief and frank about the problem and they will most likely fix it before coming public themselves about the issue and any action that should be taken by users of the site prior to the fix.
This, but also shake them down for a bug bounty before you explain exactly how you did it.
 

FujiWuji

kiwifarms.net
Joined
Jun 27, 2021
I would alert them about it anonymously, if at all. Hopefully, you downloaded all the stuff over a VPN at least. Not all companies will look kindly upon you exploiting their site and alerting them about it after you looted the place. I'm probably overthinking things, but if you aren't a hired white-hat then they might think of you as a hacker instead of a concerned citizen.
 

IAmNotAlpharius

Nothing to see here. Move along citizen.
True & Honest Fan
kiwifarms.net
Joined
Mar 19, 2018
I would alert them about it anonymously, if at all. Hopefully, you downloaded all the stuff over a VPN at least. Not all companies will look kindly upon you exploiting their site and alerting them about it after you looted the place. I'm probably overthinking things, but if you aren't a hired white-hat then they might think of you as a hacker instead of a concerned citizen.
Yeah they could assume you’re threatening them, even if you are being sincere.
 

serious n00b

Autism talks: Everything else walks
kiwifarms.net
Joined
Dec 7, 2020
I would alert them about it anonymously, if at all. Hopefully, you downloaded all the stuff over a VPN at least. Not all companies will look kindly upon you exploiting their site and alerting them about it after you looted the place. I'm probably overthinking things, but if you aren't a hired white-hat then they might think of you as a hacker instead of a concerned citizen.
What the fuck are those dumbasses gonna do?
 

nah

I haven't been thinking at all!
kiwifarms.net
Joined
Sep 9, 2021
My opinions are: don't expect something to not be freely copied if you put it on a computer, and don't expect something to stay hidden if you put that computer online.

So no, don't report it. Especially if it's because of JavaScript.
 

serious n00b

Autism talks: Everything else walks
kiwifarms.net
Joined
Dec 7, 2020
My opinions are: don't expect something to not be freely copied if you put it on a computer, and don't expect something to stay hidden if you put that computer online.

So no, don't report it. Especially if it's because of JavaScript.
I always act as if my system is compromised.
 