zlacker

Thread: "Hack Club: A story in three acts (a.k.a., the shit sandwich)"
1. jstumm+S9 2025-11-13 12:48:53
>>alexkr+(OP)
> so in july 2025, i discovered that neighbourhood was exposing thousands of users' full legal names through an unprotected API endpoint. literally anyone with a slack ID could access this data. no authentication, no nothing. just a URL parameter and boom, there's your real name.

> i sent formal breach notifications to security@hackclub.com and gdpr@hackclub.com on july 9th. radio silence. nothing. not even an automated "we've received your email" response.

> when i tried talking to HQ staff informally, the responses were... well, shocking doesn't quite cover it. the first intern told me that since hack club is US-based, they're "not held to GDPR," that if fined "nothing compels us to pay it," and that EU people "void your EU protections" by coming to the US.

What? How did we get from (allegedly) informing them about a security vulnerability to them responding "nothing compels us to pay it"? It feels like the author is not being quite as candid in their account of the events as one would hope.

2. xx_ns+wz 2025-11-13 15:16:54
>>jstumm+S9
Their other blog post[1] shares some more information which seems like it's relevant.

From the post:

> then i found this one:

> https://juice.hackclub.com/api/get-roommate-data?email=dont@...

> yep. no auth. just an email parameter. and what did it return?

> full names. emails. phone numbers. flight receipts. all just by passing an email address in a URL.

> i reported it through their security bounty program, made a bug fix pr (because apparently that's how you get things done around here), and maybe made the slight mistake of sharing the vulnerable endpoint in that group chat - which less than 10 people saw, for what that's worth.

The author then proceeds:

> their security bounty program states minimum payouts for this kind of thing start around $150. but exposing passport numbers (which are classed as government documents) should bump it up significantly. apparently "responsible disclosure" means "don't tell anyone, even in a private chat" so they docked the entire payout.

I'm not sure why they're being seemingly sarcastic about responsible disclosure. Yes, responsible disclosure absolutely means that you disclose this to the vendor before disclosing it to anyone else. As someone who works as a penetration tester and security researcher (both at work and in my free time), in my opinion, there should be no confusion about what responsible disclosure is. You disclosing the vulnerability in public before the vendor has had the chance to fix or apparently even triage it is not "responsible disclosure" or a "slight mistake".

[1] - https://kys.llc/blog/oops-leaked-your-passport
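The bug class quoted in the post above (a lookup endpoint that takes an email address as a URL parameter and returns that person's record with no authentication) is illustrated here as an added example. This is not code from the thread or from Hack Club; the data store, session tokens and the `example.test` URL are all constructed for the demonstration, and the hardened handler shows the check the original endpoint was missing: the record is selected by the authenticated caller's identity, not by the query string.

```python
# Added example (not from the thread or from Hack Club's code): a minimal
# illustration of the bug class quoted above, an endpoint that looks up a
# user's record purely from a caller-controlled "email" query parameter,
# beside a hardened version that binds the lookup to an authenticated caller.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Roommate:
    email: str
    full_name: str
    phone: str


# Constructed sample data store (fictional people, not real records).
DB = {
    "alice@example.test": Roommate("alice@example.test", "Alice Example", "+1-555-0100"),
    "bob@example.test": Roommate("bob@example.test", "Bob Example", "+1-555-0101"),
}

# Constructed session store: bearer token -> authenticated user's email.
SESSIONS = {"tok-alice": "alice@example.test", "tok-bob": "bob@example.test"}


def email_param(url: str) -> Optional[str]:
    """Extract the 'email' query parameter the way the quoted endpoint did."""
    return parse_qs(urlsplit(url).query).get("email", [None])[0]


def get_roommate_vulnerable(url: str) -> Optional[dict]:
    """No authentication and no ownership check: whoever supplies an
    email address receives that person's full record."""
    rec = DB.get(email_param(url) or "")
    return vars(rec) if rec else None


def get_roommate_hardened(url: str, auth_header: Optional[str]) -> tuple[int, Optional[dict]]:
    """Return (HTTP status, body). The record is chosen by the authenticated
    identity, so the query parameter can never select another user's data."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, None  # unauthenticated: refuse before touching the store
    caller = SESSIONS.get(auth_header[len("Bearer "):])
    if caller is None:
        return 401, None  # unknown or expired token
    requested = email_param(url)
    if requested is not None and requested.lower() != caller.lower():
        return 403, None  # cross-user lookup refused (object-level authorization)
    rec = DB.get(caller)
    return (200, vars(rec)) if rec else (404, None)
```

The vulnerable handler returns Bob's record to anyone who types his address; the hardened one answers 401 without a valid session and 403 when the session's identity does not match the requested address.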
