When I was still in university I reported a vulnerability and when the company started threatening me with legal action, my professor wrote a strongly worded email and they dropped it. Haven't had it since in 8 years. Feels like many companies understand what we do now, atleast compared to 10 years ago.

Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.

The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin, is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.

Don't get too excited. They never said what kind of hash. Given the rest of the site's security design, might have easily been unsalted md5

There's probably another rockyou out there waiting to happen

if you look at his other posts, it looks like they collaborate often.

From the post:

"Having been able to attend these events by hoarding airline miles and schmoozing certain cybersecurity vendors, Gal Nagli, Sam Curry, and I thought it would be fun to try and hack some of the different supporting websites for the Formula 1 events."

wait until you see the party footage

i respectfully disagree with this sentiment. i think that in general, reinventing the wheel can be a great learning opportunity in understanding how the wheel works.

> Just use a framework to build your site. Don’t reinvent the wheel!

How do you arrive at that conclusion after reading an article on how an API had a broken access control vulnerability?

What hash do you use?

It's an F1 racing site, their job is literally to move fast and break things. https://xkcd.com/1428/

Ian is a great writer