this post was submitted on 21 Feb 2026
302 points (98.7% liked)

Technology

81907 readers
5040 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
302
I found a Vulnerability. They found a Lawyer. (dixken.de)
submitted 5 days ago* (last edited 5 days ago) by Beep@lemmus.org to c/technology@lemmy.world
14 comments fedilink hide all child comments
 

Lobsters.

While on a 14 day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I'm personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn't believe it hadn't been exploited already.

I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.

This is the story of what happened when I tried to do the right thing.

top 14 comments
sorted by: hot top controversial new old
[–] Arghblarg@lemmy.ca 136 points 5 days ago (2 children)

I had a similar experience many, many years ago -- before the rules for vuln embargoes were formalized; and I wasn't even a security researcher. I was just a techie who discovered that the broker's staff were resetting anyone's forgotten password to the same temporary word. And like in this article, they had no mechanism to force users to reset the temp password on next login to something unique. I'd asked to have my password reset at some point, having forgotten it, and upon logging in with my user ID accidentally swapping two digits, found myself in someone else's brokerage account, with substantial funds staring me in the face! And, their email and personal details.

I disclosed the issue to the broker, but out of paranoia, did it through a throwaway email account, from home, not work (I should've used a VPN, but back then I wasn't as aware of such things). From that throwaway email, I also notified the person whose account I'd accidentally logged into, urging them to check their account and contact the broker to ensure no one else might have gotten into their account.

A day or so later, I got a call at my work phone from someone at said broker, asking if I had seen any unusual activity on my account, and that they had seen some suspicious activity from our company's network (remember, the accidental login to the other person's brokerage account occurred at my work PC)... I suspect they were fishing for info pointing to my being the one who accidentally accessed someone else's account. I played dumb, as the call did NOT have good vibes; I could sense they were looking for a 'hacker' to scapegoat, not calling just to inform people there was a problem.

Thank heavens I didn't reveal that I knew anything about the vulnerability... I had just reset my password, nope nothing unusual here, nosirree... but within a day or two their password reset procedure had been changed for the better and emails were sent out stating that a 'security incident' had occurred.

Lesson: Do NOT trust that your security report will be taken as being helpful. Most companies will try to throw you under the bus if they can, to save face.

[–] hector@lemmy.today 25 points 5 days ago (1 children)

The influential people in society have demonstrated and set the examples for everyone to never admit a mistake, and if you cheat or hurt someone, to blame them, and to assassinate their character. Lie, trash their character, accuse them of cheating you, etc.

It works too, people trust the more successful party. If you are some lower wage client of a company, and they are a successful internet company, people will give that company the benefit of the doubt. They will believe the rich guy that cheated you in his slander to make you the bully.

[–] Maeve@kbin.earth 7 points 5 days ago

Tbf, that's most business asset security SOP.

[–] Tim_Bisley@piefed.social 8 points 5 days ago (1 children)

That's a crazy story. Glad you didn't get caught up in their incompetence. Do you still do business with them?

[–] Arghblarg@lemmy.ca 2 points 4 days ago

Nah, once I moved jobs and started holding nontrivial amounts of retirement and TFSA stocks I opened accounts with a new broker.

[–] W3dd1e@lemmy.zip 52 points 5 days ago (1 children)

I reported a vulnerability at work when I found out I could make transactions on our system look like someone else made them.

No reply for 6 months, then, when I was in a new department they asked if it was still a problem. I told them I do not think it was fixed but I don’t work there anymore so they closed out the ticket.

🙃

[–] notgold@aussie.zone 4 points 4 days ago

No problems if you don't look.

[–] testaccount372920@piefed.zip 62 points 5 days ago (1 children)

Apparently the threats are still sufficiently strong that the author dares not mention the company's name :/

[–] JoeBigelow@lemmy.ca 11 points 5 days ago

I mean it's obviously DAN isn't it? Who else insures divers?

[–] Deebster@infosec.pub 38 points 5 days ago* (last edited 4 days ago) (1 children)

Disgraceful, old-fashioned actions from the unnamed diving ~~certifiers~~ insurer - and, as the major diving insurance company (based in Malta) is DAN World Insurance Group SP, it's clear that DAN puts their reputation above child safety.

(edited out misdirected finger pointing)

I would add that I'm not sure 30 days is "generous" given that 90 days is somewhat standard, but given that it took only two days for a lawyer's threats to arrive that's not too relevant.

[–] Leeks@lemmy.world 19 points 5 days ago* (last edited 5 days ago) (1 children)

It is a “Diving insurer” not a “diving certifier”. This is likely DAN, since he is a PADI instructor and PADI pushes DAN.

[–] Deebster@infosec.pub 10 points 5 days ago* (last edited 5 days ago)

You're absolutely right, I'll edit my comment. Thanks for the catch.

[–] brsrklf@jlai.lu 13 points 5 days ago

How the hell can a lawyer seriously argue that you were wrong to report to the relevant authorities? That's not their call.

[–] kamikazerusher@lemmy.world 12 points 5 days ago

Similar experience here. Some companies just want to pin a scapegoat should they be held liable. Others are just assholes from top to bottom.

You did your due diligence. You almost got burned. Decide for yourself if it’s worth it next time. Not every act in good faith receives a good response.