Shame on 63red for blaming others for exposing his users' data

Submitted by DC on Thu, 03/14/2019 - 21:44

There was an app available for those of us who don't hide being on team MAGA when we're in public but don't want a giant loogie in our spinach dip. The idea makes sense: a Yelp for Trump supporters, where we can go to a place vetted as MAGA-friendly.

The creator, however, didn't implement even basic authentication on the APIs the app used to communicate with the server, exposing private user data. This is what we in the biz call a "no no".

Thankfully, a cybersecurity researcher took the time to expose this blatant negligence, warning others not to download the app. The researcher gave the developer a good public spanking, and hopefully the developer learned his lesson not to skimp on basic security in future projects.

I thought that was it, but when I saw the developer's response, I felt the way I always do when someone on our side embarrasses us, and I had to give a response:

We take security very seriously,

This is completely false.  You didn't have basic authentication in your application.  Security was literally no concern of yours.  You even used plaintext passwords?  Wow.
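To make concrete what "basic security" means for the two defects called out here (an API anyone can call, and passwords stored in the clear), here is an added illustration, not 63red's code: a constructed user store with a `GET /users/<id>` handler that answers anyone, beside a hardened version that requires a session token, returns only the caller's own record, and keeps passwords as salted PBKDF2 hashes. The store, routes and token scheme are all assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample store in the shape the post describes: plaintext passwords.
USERS_VULNERABLE = {
    1: {"email": "alice@example.com", "password": "hunter2"},
    2: {"email": "bob@example.com", "password": "letmein"},
}

def handle_vulnerable(path, headers):
    """GET /users/<id> with no credential check: anyone can walk the ids
    and harvest every email address."""
    record = USERS_VULNERABLE.get(int(path.rsplit("/", 1)[1]))
    return (200, {"email": record["email"]}) if record else (404, {})

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; the server never keeps the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS_HARDENED = {}
for uid, rec in USERS_VULNERABLE.items():
    salt, digest = hash_password(rec["password"])
    USERS_HARDENED[uid] = {"email": rec["email"], "salt": salt, "digest": digest}

SESSIONS = {}  # token -> user id, issued only after a successful login

def login(email, password):
    """Return a session token on a correct password, else None."""
    for uid, rec in USERS_HARDENED.items():
        if rec["email"] == email:
            _, digest = hash_password(password, rec["salt"])
            if hmac.compare_digest(digest, rec["digest"]):
                token = secrets.token_urlsafe(32)
                SESSIONS[token] = uid
                return token
    return None

def handle_hardened(path, headers):
    """Same route, but the caller must hold a valid token and may read only
    the record that token was issued for (no horizontal access)."""
    auth = headers.get("Authorization", "")
    caller = SESSIONS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if caller is None:
        return 401, {"error": "authentication required"}
    if int(path.rsplit("/", 1)[1]) != caller:
        return 403, {"error": "forbidden"}  # do not reveal whether the id exists
    return 200, {"email": USERS_HARDENED[caller]["email"]}
```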

and have already taken action to additionally protect our data.

There was no protection at all.  This would have been an accurate statement if you omitted the word "additionally".

The security of our users, and conservatives generally, is our primary concern,

"Conservatives generally"?  What does that mean?  Security should be sacrosanct for EVERY FUCKING USER, regardless if they're a conservative or two steps to the left of Marx.

and we will continue to improve our systems in any way possible to guarantee their safety.

Anything would have been an improvement.

Please note that the individual who noticed an issue

"An issue"?  You published an application with open access to private user information.

never gained access to any user’s passwords,

Incorrectly worded. The API responses just happened to not return passwords.  Email addresses, however, were exposed.

nor were they able to change or alter any data on our servers, nor were they able to log into our servers or access our databases directly. The small amount of information which they were able to access has now been additionally protected.

The small amount of information wasn't protected, period.  Again, "additionally" inaccurately modifies this statement.

As we have seen across the United States, conservatives particularly have come under attack for their political beliefs — verbally, physically, and electronically. This is unacceptable in a free society, and we will take every action to stop it, and assist our users in that as well.

This is where I really became irritated.  You weren't banned from a platform, and nobody punched you in the face.  You negligently published an application with no user authentication on your API, period.  You had a responsibility, as a developer, to protect user data and you made a decision to not do so.  Do not blame this on the left.

We see this person’s illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today.

He did nothing illegal, and he did not fail.  You know this.  He used your PUBLIC APIs that YOU made available.  I hope the FBI laughs in your face, which they likely will.

We hope that, just as in the case of many other politically-motivated internet attacks,

He did nothing wrong, and this wasn't an attack. I couldn't care less what his politics are. He did your users a favor, and did me personally a favor because I was looking at downloading this app when I had some time.

this perpetrator will be brought to justice,

Again, he did nothing illegal, and you know it.  He legally did everyone a favor.

and we will pursue this matter, and all other attacks, failed or otherwise,

This wasn't an attack, and he didn't fail.

to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime.

The only crime is you not caring for your users.  Shame on you.

The users of 63red are safe, and it is our mission to guarantee their safety. We are steadfast in that mission.

Yes, thanks to the professional who alerted the rest of us not to download your app. Hopefully your users changed their email addresses, since those are the piece of user data that was exposed.

This guy may be a talented programmer, and what he did was, how should I say, "grossly negligent"; but blaming others for his crappy code and trying to garner sympathy from conservatives is unforgivable.

I'll tell him the same thing that was told to laid-off digital media writers: learn to code.
