That's a moot point, surely? Everyone who used the app should receive an email from the people behind it very, very quickly - they've all been compromised.
The concern isn't just that RKearney has the keys - it is that anyone could have the keys for anyone on the site. Sending an email to the people whose keys he snagged would help them - but the people whose keys he didn't are still vulnerable too.
I imagine you were a little unsure of the timeline of things when you commented. Please keep in mind that I wrote this comment before the "never give your info" story and before the website developer commented here on HN. With that in mind I am not sure what point is a moot point?
Do I think the developer should email all of the users? Yes, which is why in my response to the developer's comment about destroying the IAM keys I said "You should think about sending an email to all of your users..."
Do I think that the right thing for rkearney to do is send emails to the people whose information he has? Yes. Is it the best possible scenario? No, but it is better than no notification at all, which at the time was a possibility.
You should think about sending an email to all of your users. I realize it's a tough call pointing out a problem so early but it might also be a good way to garner users' trust.
"Whoops, we disclosed everybody's AWS credentials. I know! Rather than tell our users, I'll wipe the database and remove all evidence of it ever happening."
It's not helpful, it's realistic. My exact wording was "your time will be better spent elsewhere."
We each have 24 hours in a day. I spend 8-9 of mine sleeping, 9-10 at work. That doesn't leave much left over for me.
If zacharyvoase wants to spend his precious free time educating people who haven't done any due diligence to learn how to build a secure web app, that's his prerogative. But I don't see it as a good use of his time - there's already tons of resources out there that will do a better job than zachary. Is HN supposed to be a newbie education destination?
That's your response to someone (admittedly, poorly) discovering and reporting a security vulnerability in your application? Telling him to "be nice" then dropping his e-mail and face as some kind of stick-waving, threatening gesture?
Congratulations on demonstrating to me and countless others why I shouldn't use any product that you EVER touch. You don't get a pass because you're just two nerds. You have a form with a submit button -- that's where your responsibility as a founder and custodianship of user data begins. Day 1, you're already a liability.
I realize this is a pretty direct attack but I'm appalled and staggered by your behavior in this thread. You launched a service on the public Internet. There is no grace period, there is no "friendly fire"; you fucked up and you disclosed AWS credentials. Not users' favorite colors. AWS KEYS. Tied to credit cards, running servers, S3 backups, God knows what. You don't get to tell people to be nice to you when you're acting as the steward of AWS credentials; you protect them and act like you care when someone tells you that you fucked up doing so.
Your behavior here is just foreboding for the future, and you need to realize that before launching your next endeavor (this one is probably done, after that little mess).
This wasn't some exotic exploit either. Public, numbered (1,2,3...) accounts, all of them editable - it's almost funny. Can you imagine what other security problems exist in the code?
EDIT: Guys, don't downvote smeagle's comments. If anything, we should be upvoting them as much as possible so that others can see this blatant disregard for their users.
---------
You are quickly making the case for having one of the worst responses I've ever seen, to a huge security flaw. Trying to wipe things under the rug when your users information is clearly exposed is an easy way to destroy trust.
I seriously can't fathom the ineptitude it takes to direct people to someone's email like that over your glaring mistake.
Classless. Come on Khang - everyone here wants to root for their fellow entrepreneurs, creators, and (self-proclaimed) "nerds".
RKearny pointed out a very real, very important issue that will help you make your service better, and help you deliver even more value for your users. And he did it for free! You should be thanking him and asking him for more feedback, not deflecting responsibility like this.
ryan's info is public. he put it on our feedback forum. i wanted to make sure everyone was aware of his public info since we (as well as others) were very concerned with his course of action and questionable statement "Still managed to get a few dozen AWS keys though."
i'm not sure why thanking him is in order... ?
5 people emailed me privately about the security issue. we fixed it promptly, and followed up with instructions to everyone exposed (~20) on how to protect their credentials. i haven't yet heard a complaint from our actual users.
you and i know that saying "~20" is a random number since you had nothing in place to track it. i'd love to hear how you know it's 20. seriously. tell us.
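The comment above asks how an operator could know that "~20" accounts were exposed. The only way to answer that after the fact is from request logs that record the authenticated user on every hit. The script below is an added example, not code from the site discussed in this thread: the log format, the log lines and the ownership table are all constructed here, and it assumes the app logged the session user together with each `/accounts/<id>` request. It reconstructs which accounts were viewed by someone other than their owner, counts them, and flags requesters who walked consecutive IDs.

```python
"""Reconstructing the set of exposed accounts from request logs.

Added example for illustration. The log lines, the owner map and the
path format are constructed; the one real assumption is that the app
records the authenticated user on every request, which is the minimum
needed to answer "who saw what" after an access-control bug.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log: timestamp, authenticated user ('-' if none),
# method, path. Account IDs are sequential integers, as in the thread.
SAMPLE_LOG = """\
2012-08-29T22:10:01Z user=alice GET /accounts/1
2012-08-29T22:10:05Z user=bob GET /accounts/2
2012-08-29T22:11:00Z user=bob GET /accounts/1
2012-08-29T22:11:01Z user=bob GET /accounts/3
2012-08-29T22:11:02Z user=bob GET /accounts/4
2012-08-29T22:11:03Z user=bob GET /accounts/5
2012-08-29T22:12:00Z user=- GET /accounts/2
2012-08-29T22:12:30Z user=carol GET /accounts/3
2012-08-29T22:13:00Z user=carol GET /static/logo.png
"""

# Constructed ownership table (account id -> owner). In practice this
# comes from the application database.
OWNERS = {1: "alice", 2: "bob", 3: "carol", 4: "dave", 5: "erin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) /accounts/(?P<id>\d+)$"
)


def cross_account_reads(log_text: str, owners: Dict[int, str]) -> Dict[int, List[str]]:
    """Return {account_id: sorted requesters who are not the owner}.

    Unauthenticated requests show up under the requester '-'. Lines that
    are not account-page requests are ignored.
    """
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        account_id = int(m.group("id"))
        requester = m.group("user")
        if owners.get(account_id) != requester:
            exposed[account_id].add(requester)
    return {k: sorted(v) for k, v in sorted(exposed.items())}


def exposed_account_count(log_text: str, owners: Dict[int, str]) -> int:
    """The number the thread argues about: accounts actually viewed by
    someone other than their owner, according to the logs."""
    return len(cross_account_reads(log_text, owners))


def sequential_scanners(log_text: str, owners: Dict[int, str], min_run: int = 3) -> List[str]:
    """Requesters who read at least `min_run` consecutive account IDs they
    do not own: a cheap detector for ID walking, useful for deciding whom
    to contact and which accounts to treat as compromised."""
    ids_by_user = defaultdict(set)
    for account_id, users in cross_account_reads(log_text, owners).items():
        for user in users:
            ids_by_user[user].add(account_id)
    flagged = []
    for user, ids in ids_by_user.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("exposed accounts:", cross_account_reads(SAMPLE_LOG, OWNERS))
    print("count:", exposed_account_count(SAMPLE_LOG, OWNERS))
    print("sequential scanners:", sequential_scanners(SAMPLE_LOG, OWNERS))
```

On the constructed log this reports five exposed accounts rather than a guess: four read by `bob` while walking IDs 3, 4, 5 (plus account 1), and account 2 read by an unauthenticated request. Without the `user=` field in the log, the count cannot be reconstructed at all, which is the commenter's point.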
I can search for email addresses too! Don't direct users to me because you failed to secure your web application.
It's nice to know someone who works at a company that handles credit card and bank payments would just post someone's email address and photo. Granted this is all public since I posted on the Uservoice post, it was still unnecessary.
If you were a company, you'd have insulation against lawsuits. Two nerds mean you and your family's assets are at risk; launching an app with such a spectacular security hole seriously puts the two of you and your families in danger.
The only thing you are right about is that WePay is terrific and I am glad you are not associated with them. How difficult is it to own up to your mistakes instead of shooting the messenger?
@smeagol. First of all you fucked up. So stop acting so high and mighty and apologize to rkearney and everyone else who even thought about signing up for your product. Secondly, if this was just meant for you and your friends, don't go public with it and post it on HN. I highly recommend another hobby in a different field because clearly this one doesn't agree with you. Lastly, please stop calling yourself a nerd.
The best part of this whole catastrophe is that this app isn't just embarrassing for smeagol, but it is playing out on HN, YC's main advertising venue, and it undermines the whole concept of these MVP summer vacation startup companies, showing that 2 guys in a garage can't launch a minimally provisioned website.
Update:
I misunderstood, I'm sorry. I wasn't trying to attack but trying to show my concern because I thought he saved some id/keys for himself. Please ignore my comment below.
--
"Still managed to get a few dozen AWS keys though"
Good for you! What a nice person you are. Please abuse more small projects like this. Even if they say it "was only meant for friends to test out".
Oh I see, you just found a security hole and are trying to get some reputation? Cute. Please do it by abusing the small power you found and hurting innocent users. That's really, really nice of you.
"Still managed to get a few dozen AWS keys though"
Wow. Just wow.
You sir, just ruined my night. Thank you.
Ps. I am really concerned about your company and its users. If you can do something like this, I wonder what else you could do (or are doing) at your current company. I hope I'm assuming wrong.
Perhaps you're misunderstanding my course of action.
1. I didn't disclose how to do it, merely that it was possible.
2. By "get" I in no way mean harvested. I just manually incremented the ID in the URL by hand in my web browser to see how many users could be affected.
3. Since I never saved any of the information (just viewed the pages) I no longer have it since the flaw was patched.
It's massively important that people bring security issues into the open. Talking about these things creates pressure on developers to build secure web apps. Not talking about them because people like you get 'upset' about "hurting 2 nerds' inspiration" means we get poor information security policies all over the Internet.
As it stands we don't know whether hostile agents (silently) got copies of the AWS keys of every user on the site. That should be incredibly concerning for you, but apparently it's not.
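The flaw described in the comment above (public, sequentially numbered account pages with no ownership check, so incrementing the ID in the URL reads someone else's stored AWS key) is the textbook insecure direct object reference. The snippet below is an added example, not code from the site in this thread: it shows a handler with that defect beside the hardened form, over a constructed in-memory account table with placeholder key strings. The `requesting_user` parameter stands in for whatever the web framework provides as the authenticated session user.

```python
"""Insecure direct object reference: vulnerable lookup beside the fix.

Added example. The account table, user names and key values are
constructed; the key strings are obvious placeholders, not real AWS keys.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Account:
    id: int
    owner: str
    aws_access_key: str  # constructed placeholder


# Constructed sample data: sequential numeric IDs, as on the site discussed.
ACCOUNTS: Dict[int, Account] = {
    1: Account(1, "alice", "AKIA-PLACEHOLDER-ALICE"),
    2: Account(2, "bob", "AKIA-PLACEHOLDER-BOB"),
    3: Account(3, "carol", "AKIA-PLACEHOLDER-CAROL"),
}


class Forbidden(Exception):
    """Raised for missing authentication, missing record, or wrong owner."""


def get_account_vulnerable(requesting_user: Optional[str], account_id: int) -> Account:
    """Looks the record up by ID only. Whoever the requester is (even no
    one), account_id = 1, 2, 3, ... returns every stored key."""
    return ACCOUNTS[account_id]


def get_account_fixed(requesting_user: Optional[str], account_id: int) -> Account:
    """Object-level authorization: the record must belong to the requester."""
    if requesting_user is None:
        raise Forbidden("authentication required")
    account = ACCOUNTS.get(account_id)
    # Same error for "does not exist" and "not yours", so the response does
    # not confirm which IDs are valid.
    if account is None or account.owner != requesting_user:
        raise Forbidden("no such account")
    return account


def readable_ids(handler: Callable[[Optional[str], int], Account],
                 requesting_user: Optional[str], max_id: int) -> List[int]:
    """Which account IDs in 1..max_id `handler` lets `requesting_user` read.
    Used here only to contrast the two handlers on the sample table."""
    readable = []
    for account_id in range(1, max_id + 1):
        try:
            handler(requesting_user, account_id)
            readable.append(account_id)
        except (Forbidden, KeyError):
            continue
    return readable


if __name__ == "__main__":
    print("vulnerable, as bob:", readable_ids(get_account_vulnerable, "bob", 5))
    print("fixed, as bob:     ", readable_ids(get_account_fixed, "bob", 5))
    print("fixed, anonymous:  ", readable_ids(get_account_fixed, None, 5))
```

The fix is one comparison, which is why the thread calls this "basic authentication and access control stuff". Note that the ownership check has to live in the handler that serves the record; a login page in front of the site does nothing to stop a logged-in user from walking other users' IDs.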
Thank you, yes I'm aware of these. I was trying to focus on the fact that the person who found this security hole used it to get some of this data to himself. But apparently I wasn't clear enough.
I'm still trying to improve my English. Next time I'll try to be more clear. Thank you.
I'm sorry man, but this kind of mistake is unacceptable even for a prototype. This is basic authentication and access control stuff. You'd at least expect this to be implemented if you're giving them your email, needless to say an Amazon token.
The problem with this is that people become more skeptical in general about new products/companies, which is bad for the community as a whole.
The issue here is how do you deal with this kind of thing? Assuming it is in fact bad for others who are trying to get people to test their prototypes, how do we help avoid basic pitfalls like this one? This could be a service...
Why are you upset with him, at least he informed people. You should be more upset with an insecure app. A less talkative person would just keep it and use the AWS accounts for bitmining.
You can find a security hole and report it. That's nice and good behavior. But when you say "I have compromised the data with me", then you are being evil.
I signed up to the app because I liked the idea and wanted to support them. I knew that their app was still in alpha stage.
I'm upset about his behavior.
I'm upset that his behavior might hurt 2 nerds' inspiration.
I'm not upset that he got my keys.
But you are right. His behavior is still better than not saying anything.
If anything, he did you a favor. You're probably going to create new keys now, whereas you might have written it off as a hypothetical vulnerability otherwise.
The games on Stripe's CTF were more secure than this site...
EDIT: Looks like it was just patched. Still managed to get a few dozen AWS keys though.