“The online dating site PlentyofFish was hacked, and purportedly 30 million customer records were stolen. The site’s founder, Markus Frind, is blaming the security researcher who discovered the vulnerability and the journalist who confirmed the issue.”
The researcher who reported the vulnerability is Chris Russo, one of the guys who hacked The Pirate Bay last year. He explained his side of the story as well. Mr. Frind says he tracked down Russo’s Facebook page and emailed his mom.
Whaaaaa. How does hacking two sites and leaking millions of users’ private data make you a ‘security researcher’? It makes you a hacker/criminal. There’s such a thing as responsible disclosure of vulnerabilities, which does not include leaking everything you can get your hands on. And even if he was ‘just a researcher’ with honest intent, it’s still highly frowned upon (and illegal in many places) to start trying to find vulnerabilities in other people’s systems without permission, especially if it’s done, as Russo seems to have, to say “I found this vulnerability, I’ll fix it for you for $$$$$”, because that sounds an awful lot like extortion. Imagine if you found a locksmith at your door one day and he said “oh hello there, I’m a security researcher, I was researching whether your locks are safe. Turns out they’re not, I’ll fix them for $$. Let’s hope nobody else finds out they’re insecure. *Nudge nudge wink wink*”. And indeed somehow everyone now knows that POF is insecure! Now maybe Russo thinks he’s in the right to disclose vulnerabilities without giving the owner a reasonable chance to fix them, but it sounds like he went public on the basis that Frind didn’t offer him a job.
Markus Frind, however, sounds like an incompetent tool who should not be running a website which stores private data. He has a blog here which is an entertaining read. It’s not quite Wodehouse, but one can derive entertainment from sources other than the prose. According to people who use the site, the site emails you every week with your password in the email. This should be on thedailywtf [a site that posts code examples that make you go ‘WTF?’]; it’s a total failure on two counts. First, they’re STORING the password in a form that can be read back (plaintext, or reversibly encrypted with a key the server holds) rather than as a salted hash; this is an elementary error, and you cannot make this mistake if you have anything which one day might turn into a clue. Secondly, emailing people their (non-transient) passwords is just stupid: email is usually transmitted, relayed and stored with no security/encryption, so anyone on the path, or anyone who later reads the mailbox, gets the password. Furthermore there’s a good chance that if an eavesdropper intercepts a password sent to an email address, that password will also let them into that email account. Yes, the user shouldn’t reuse their email password on insecure sites, but it’s hugely impolite to pretend that they know that.
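To make the two failures concrete, here is an added example (my own illustration, not POF’s code or anything from the post) contrasting the “store it readable, mail it weekly” pattern with the boring correct version: a salted, iterated hash via PBKDF2 from the standard library, and a short-lived, single-use reset token that is the only thing that ever goes into an email. The user store is an in-memory dict, the iteration count and the 15-minute token lifetime are assumptions chosen for the example, and the sample username and passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets

# --- The pattern the post describes (deliberately weak, shown for contrast) ---

def weak_store(users: dict, username: str, password: str) -> None:
    """Stores the password itself; anyone who can read the table can read every password."""
    users[username] = {"password": password}

def weak_weekly_email(users: dict, username: str) -> str:
    """The 'helpful' weekly mail: the password travels and sits in a mailbox in the clear."""
    return f"Hi {username}, a reminder that your password is: {users[username]['password']}"

# --- The hardened version ---

PBKDF2_ITERATIONS = 200_000   # assumption for the example; tune to your hardware budget
RESET_TTL_SECONDS = 15 * 60   # assumption: a reset link is only good for 15 minutes

def make_password_record(password: str) -> dict:
    """Per-user random salt + PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}

def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def issue_reset_token(record: dict, now: int) -> str:
    """Create a random single-use token; store only its hash plus an expiry.
    The returned token is what goes in the email, never the password."""
    token = secrets.token_urlsafe(32)
    record["reset"] = {
        "hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token

def reset_email(username: str, token: str) -> str:
    """What the user receives: a link carrying the token (domain is a placeholder)."""
    return f"Hi {username}, to choose a new password visit https://example.invalid/reset?token={token}"

def redeem_reset_token(record: dict, token: str, new_password: str, now: int) -> bool:
    """Accept the token once, only before expiry, then replace the password record."""
    pending = record.get("reset")
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    record.update(make_password_record(new_password))
    record.pop("reset", None)   # single use: a replayed link must fail
    return True

if __name__ == "__main__":
    weak = {}
    weak_store(weak, "alice", "hunter2")
    print(weak_weekly_email(weak, "alice"))          # the password, in the clear, every week

    rec = make_password_record("hunter2")
    print("stored record has no password field:", "password" not in rec)
    tok = issue_reset_token(rec, now=1_000)
    print(reset_email("alice", tok))
    print("redeemed:", redeem_reset_token(rec, tok, "correct horse battery staple", now=1_060))
    print("old password works:", verify_password(rec, "hunter2"))
    print("new password works:", verify_password(rec, "correct horse battery staple"))
```

Note what the stored record contains after a reset: a salt, a hash and an iteration count, nothing an eavesdropper or a leaked database could turn back into the user’s email password. The token is hashed before storage for the same reason the password is: a dump of the users table should not let the attacker log in as anyone.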