Stumbled across a huge security hole on a media website.

[Elwood P. Dowd]

And I've been happily downloading media that's typically kind of a hemorrhoid to get your hands on, at least in my experience, when sailing the high seas. My sense is to keep this to myself, but is there any point to going public with it? It isn't even me doing anything but using the site as it is intended, Well, until I start copying files to the ol' External HD. Said files are also unprotected and in an immediately accessible, common format.

Don't wanna be more specific, at least for the present, since I think this hole would be trivial to fix. There's some limitations on it, some items I wish were available but aren't, but when it works it works perfectly. It is so obvious I'm honestly shocked I've never seen it mentioned elsewhere. What's bizarre is that the site's security is typically pretty good, certainly more than I can figure out in the usual scheme of things.

Yes, I'm a faggot, and yes this may be the equivalent to "Tits or GTFO" moment. I get all that. Just curious what others would do in my shoes. Wanted to do a poll, but I guess polling is disabled on the autistic part of the site.

 

[Penis Drager]

The site in question almost certainly has some form of "contact us" page linked at the bottom of the page. Send them an email regarding the security flaw with screenshots of examples and explain how this could be exploited by a nefarious actor.
Be brief and frank about the problem and they will most likely fix it before coming public themselves about the issue and any action that should be taken by users of the site prior to the fix.

 

[A-Stump]

'media that's typically kind of a hemorrhoid to get your hands on'

Enjoy being v&

 

[DJ Grelle]

Download it all first on a hard drive and only then report the vulnerability.

 

[Fred Fuckstone]

Lemme guess, porn?

 

[Blasterisk]

Report it when you're done, I'm sure the unpaid intern running the place will appreciate it.

 

[Lifeguard Hermit]

One of the cartoon/anime sites had their players unlocked for like 2 months, you could just right click and download, wcostream.

 

[Liber Pater]

@Elwood P. Dowd What kind of "media" are we talking about and is it something I would want on my hard drive? I don't think employees of media companies are going to be bug-hunting on the KF Q&A board (especially if they're as lazy about infosec as you make them sound), so I think you'd be alright mentioning the name of the site here without tipping them off about the bug. Especially if you were going to eventually report it anyway.

 

[Tookie]

The site in question almost certainly has some form of "contact us" page linked at the bottom of the page. Send them an email regarding the security flaw with screenshots of examples and explain how this could be exploited by a nefarious actor.
Be brief and frank about the problem and they will most likely fix it before coming public themselves about the issue and any action that should be taken by users of the site prior to the fix.

This, but also shake them down for a bug bounty before you explain exactly how you did it.

 

[Zero Day Defense]

'media that's typically kind of a hemorrhoid to get your hands on'

Enjoy being v&

I don't think the FBI is going to be activated by someone downloading goblin tomboy yandere NTR hentai.

 

[FujiWuji]

I would alert them about it anonymously, if at all. Hopefully, you downloaded all the stuff over a VPN at least. Not all companies will look kindly upon you exploiting their site and alerting them about it after you looted the place. I'm probably overthinking things, but if you aren't a hired white-hat then they might think of you as a hacker instead of a concerned citizen.

 

[IAmNotAlpharius]

I would alert them about it anonymously, if at all. Hopefully, you downloaded all the stuff over a VPN at least. Not all companies will look kindly upon you exploiting their site and alerting them about it after you looted the place. I'm probably overthinking things, but if you aren't a hired white-hat then they might think of you as a hacker instead of a concerned citizen.

Yeah they could assume you’re threatening them, even if you are being sincere.

 

[seri0us]

I would alert them about it anonymously, if at all. Hopefully, you downloaded all the stuff over a VPN at least. Not all companies will look kindly upon you exploiting their site and alerting them about it after you looted the place. I'm probably overthinking things, but if you aren't a hired white-hat then they might think of you as a hacker instead of a concerned citizen.

What the fuck are those dumbasses gonna do?

 

[nah]

My opinions are: don't expect something to not be freely copied if you put it on a computer, and don't expect something to stay hidden if you put that computer online.

So no, don't report it. Especially if it's because of JavaScript.

 

[seri0us]

My opinions are: don't expect something to not be freely copied if you put it on a computer, and don't expect something to stay hidden if you put that computer online.

So no, don't report it. Especially if it's because of JavaScript.

I always act as if my system is compromised

 

[Thomas Highway]

Honeypot thread.