
> After identifying a vulnerability, the researchers created administrator accounts using the database activity they obtained

Ignoring the legalities of it all, this step crosses a line morally imo.




Really what happened is we checked whether we could set `isAdmin` to `true` on our existing accounts, and... we were able to. Adi's more technical writeup has details: https://saligrama.io/blog/post/firebase-insecure-by-default/


Yeah, Firebase makes this much more of a gray area than a SQL database would, where you'd know instantly as soon as you issued an INSERT or an UPDATE that you were doing something unauthorized. The writeup is solid, you seem like you took most of the normal precautions a professional team would. The story has the right ending!
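The Firebase failure mode the two comments above describe, shown from the defender's side as an added illustration (not code from the thread, from the saligrama.io writeup, or from Fizz's actual configuration): a Firestore security ruleset in which a signed-in client may read and edit only its own user document and can neither set nor change a privileged `isAdmin` field. The collection layout `users/{uid}` and the field name are assumptions for the example; the weak rule quoted in the comment is the common any-authenticated-user pattern from Firebase's own docs, not a statement about what Fizz deployed.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Weak pattern (assumed, for contrast): a rule of the shape
    //   allow read, write: if request.auth != null;
    // lets ANY signed-in account write ANY field of ANY document,
    // including a boolean like isAdmin on its own record.

    // Assumed layout: one document per user at users/{uid}.
    match /users/{userId} {
      // A user may read only their own profile.
      allow read: if request.auth != null && request.auth.uid == userId;

      // A user may create their own profile, but may not claim isAdmin.
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && (!('isAdmin' in request.resource.data)
                        || request.resource.data.isAdmin == false);

      // A user may update their own profile, but the set of changed
      // keys must not include isAdmin; diff()/affectedKeys() compares
      // the incoming document with the stored one.
      allow update: if request.auth != null
                    && request.auth.uid == userId
                    && !request.resource.data.diff(resource.data)
                         .affectedKeys().hasAny(['isAdmin']);

      // Profile deletion is reserved for server-side (Admin SDK) code.
      allow delete: if false;
    }

    // Everything not matched above stays closed (the default, made explicit).
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two caveats worth keeping in mind when reviewing rules like these: Firestore rules are the only authorization layer between a client SDK and the data, so a field that decides privilege must be protected in the rules themselves, not in client code; and a flag like `isAdmin` is better held somewhere clients cannot write at all (for example custom auth claims set by the Admin SDK) so that the rule above is a second line of defense rather than the only one.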


Did you check with the target before you "checked whether we could set `isAdmin` to `true` on our existing accounts"?

If you did not get consent from a subject, you are not a researcher. If you see a door and check to see if it is unlocked without its owner authorizing you to do so, you are on the ethical side of burglary even if you didn't burgle.

Helpfully the "technical writeup" post links to "industry best practices" [0] which include:

If you are carrying out testing under a bug bounty or similar program, the organisation may have established safe harbor policies, that allow you to legally carry out testing, as long as you stay within the scope and rules of their program. Make sure that you read the scope carefully - stepping outside of the scope and rules may be a criminal offence.

The ethically poor behavior of Fizz doesn't mitigate your own.

0. https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...


I disagree with this take. There are certainly lines of what is and is not ethical behaviour (where they are is highly debatable), but the vendor doesn't have a monopoly on deciding that.


The ostensible researchers didn’t follow the ethos to which they claimed and linked. Do you disagree with that?


Yes, I disagree. You are quoting the document out of context and it doesn't say what you are implying it says.

Maybe out of context is the wrong word. You quote enough of the paragraph it just doesn't support your point.

All the paragraph says is that one hypothetical situation may have legal consequences in some jurisdictions. It does not make any claim as to whether or not that is ethical or right.


Ok, do you agree that they claimed the OWASP document supported their actions?

Concerned about user privacy and security — and consistent with industry best practices [link to owasp] — we wrote a detailed email to the Fizz team [0]

Do you disagree that the OWASP page states the below?

Researchers should:

Ensure that any testing is legal and authorised.[1]

Ok, I can see how the OWASP document doesn’t use the words ethic or right or wrong. Would you agree that the claim by saligrama.io that they were “consistent with best practices” (where best practices is a link to OWASP) is not true?

I can see an interpretation where they communicated in line with best practices even if they didn’t follow best practices in their actions before communicating.

0. https://saligrama.io/blog/post/firebase-insecure-by-default/

1. https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability...


With further context that seems much more reasonable than it did at first glance.



