How to send DMs on Twitter without permission (homakov.blogspot.com)
167 points by brodd on Dec 14, 2013 | hide | past | favorite | 56 comments


> I wrote a full disclosure post 5 minutes after finding the bug because twitter doesn't reward "bounty hunters".

Companies without bug bounties don't deserve responsible disclosure? Twitter has a pretty clear way to reach them, and recognition is given on their page. If recognition isn't sufficient for responsible disclosure, how much money would be enough? I think bug bounty programs are great, but I don't think they should be mandatory.

https://about.twitter.com/company/security


> Companies without bug bounties don't deserve responsible disclosure?

That seems to be homakov's view, yes, and I can't say I don't understand his view.


Of course you understand it, but do you agree with it?

If you seek out bugs in a company's code with the expectation that you'll be rewarded for it, and then the company fails to reward you, I can see that it might be perceived as unfair, especially if the company indicated that such an expectation was reasonable.

If you happen across a bug in a company's code, and then publicize it because they aren't going to pay you money for it, that seems a little more like "blackmail." People really shouldn't orient their moral systems around money.


Well given that homakov has found this bug, there are a few possibilities:

A. Homakov could do nothing. This leaves Twitter in the same state that it is now, but if everybody did this, it is likely that nefarious people would find and exploit bugs in Twitter.

B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company

C. Homakov could practice full disclosure

This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly homakov's problem as a third party.


> This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly homakov's problem as a third party.

Perhaps "blackmail" was too harsh a word. A better analog might be discovering a business left their back door unlocked. Do you announce it to the entire neighborhood because the business doesn't give out "security prizes," or do you attempt to notify the employees? That seems like the point of responsible disclosure.


Well I think we are blurring two different issues here. The first question is whether or not full disclosure is acceptable. The second question is whether or not it is acceptable to choose it because one is not being paid.

As far as full disclosure being acceptable, there are a lot of advocates. For example Bruce Schneier, Leonard Rose, and others. Not to mention that this issue isn't in a high impact category like remote code execution, loss of data, privacy, etc. It's also difficult to exploit; it requires authorizing a malicious app. So for all those reasons separately, and certainly all of them together, I think full disclosure is a completely acceptable choice.

Given that it is acceptable, is it still acceptable to do it if it furthers our own interests? Again, I think the answer is yes. The fact it is in my interest does not make an acceptable action into an unacceptable one.

You seem to be hung up on the fact that the researcher here was not particularly nice to Twitter. But people are under no obligation to be nice. It would be nice if you sent me a check for $200. But you won't, because there's no obligation to do that. And you and I--two strangers arguing with each other on the Internet--have a much stronger relationship than this researcher has with Twitter.


Your analogy is missing the public interest: the business is the post office or similar and has all the neighbors' mail lying around. Does not affect your point though (still not okay to just announce it to the neighborhood).


Do you become a little more recognized by your peers by publishing that the door is open to your neighborhood?

Are people going to get killed or lose a lot of cash by knowing how to send unsolicited private messages on twitter?

Like most analogies, it shows your bias rather than some enlightenment on the subject.


And:

D. He could have sold the discovery to someone who'll pay him for it, then have them go on to abuse it to send DM spam to twitter users.

I have no doubt at all that homakov could have sold his discovery for at least as many dollars as any of the well known bug bounties would have rewarded him - if his motivations were purely mercenary…


> B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company

This is probably the best option, but only if you approach it the same way most contractors do when offering a discount/free service for a client.

When you do free work, don't say it's free -- instead, say that you're offering a 100% discount. Send your client an invoice for the price you'd regularly charge for such a thing, with the entire price deducted off at the bottom. Include a note saying that this is an offering of goodwill, and that you hope this will help in building a relationship with them in the future.

Leave the client to decide for themselves whether this means that your future vulnerability reports will come without this discount, and see what they say in response.


You're missing a key difference. Twitter didn't commission the work performed here. Sending an invoice for work that wasn't requested is not only dumb, it's offensive.


What a dumb idea! I can't even tell if you're being serious.


Never tried it, but obviously it won't work. It is easier to start with actions than with dialog here.


> People really shouldn't orient their moral systems around money.

Neither do corporations, but whenever you hear anyone say "corporations shouldn't base their moral systems around money", then it's all about "free market", "profit" and "shareholder values".

I'm not saying I'd do the same in this case, but it's a bit of a stretch to assume people-people morals apply to people-corporate situations.


> Neither do corporations, but whenever you hear anyone say "corporations shouldn't base their moral systems around money", then it's all about "free market", "profit" and "shareholder values".

I'm not sure if you're trying to highlight an aspect of communal hypocrisy, but I will say that I wouldn't be one of the people shouting back stuff about "shareholder values" in response to a call for corporate social responsibility.

> it's a bit of a stretch to assume people-people morals apply to people-corporate situations

Sure, there's a bit of a power dynamic in play. But we should also remember that corporations are just huge groups of people working together for some kind of common cause. If you do something kind for a corporation (like, for example, responsibly reporting a security vulnerability instead of releasing it into the wild) then you're essentially doing something kind for the people that work there.

I'm not saying anyone needs to go out of their way to be kind to corporations... I'm just saying we shouldn't treat them like they're not "real" and don't deserve a single iota of basic respect. (Of course, if they show a lack of respect to others, that complicates the picture, but the same would hold for "people-people" morality as well.)


> If you do something kind for a corporation .... then you're essentially doing something kind for the people that work there.

That is absolutely not true. A person doing a favour for a corporation will not get the same result as doing a favour for an individual.

The corporation isn't a group of people - it's a group of people under some control of a few. Their common cause is not the common cause of the employees, but that of those few in control. And I said 'is', because the corporation only has one cause - to make profit, any way possible.

Do not ever place any loyalty or sympathy in corporations. Do not expect them to behave morally, or altruistically. It will only end badly for you. Try to extract as much value out of a corporation as you can, just as they do to you.


I would replace "company" with "huge company with resources". If it wasn't Twitter but e.g. some startup, sure I'd report it like everyone does.

But Twitter is like saying "back off, we are huge and we don't pay researchers a cent". So let it be.


Not only that, but if Twitter was feeling cruel, they could drag him through court (if he's based in the US). That would be a nuclear option, but, when your future welfare is on the line, you really shouldn't screw with companies.

Twitter obviously wouldn't drag a hacker to court. I'm saying, in general, don't do this, because other companies might. http://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case


"when your future welfare is on the line, you really shouldn't screw with companies"

Lie back and think of England.

He's not US-based, so he can freely give them the finger. Good for him.


Hm, are you sure cracking a password and writing about a bug which you didn't exploit on other users are the same thing?


Would you like to keep testing whether a prosecutor is daring enough to bring charges against you, especially in this social climate?

It's not paranoia. Once you start straying from the path of responsible disclosure, the path to danger is quite short.

In this case, I think you're in no real danger since it's Twitter. So don't worry. But if it were some other company, though, you wouldn't be able to rely on goodwill to protect you. And without any protections, there's nothing preventing the (extremely powerful) courts from bringing charges. It's happened before; it will happen again.


Everything is possible. Furthermore, in Russia, where I used to live, they don't need any charges; they can make them up from nothing.


I understand what you say here and below, but basically, whether we wish the world were otherwise or not, when people form corporations a line is crossed, and you enter a game where people will be ruthless in the interests of their own team. Homakov has some information: it's up to him to assess the value of that information and to assess the expected payoff from the different actions he can take. Unless we can make an argument that someone's private life is on the line here then the rules of the business world apply. There's a reason people derided Mitt Romney when he said "Corporations are people too my friend."


Another way to look at it is that if there are no bounties, then the company may not have security issues high on its priorities list.

I'm not saying it's true, but it's plausible that some people in Egor's position think that way. And he seems to like his publicity, so 1+1 = 2.


> Companies without bug bounties don't deserve responsible disclosure?

The term "responsible disclosure" implies that other types are "irresponsible disclosure".

If you discover new information through research, there is nothing irresponsible about publishing it on the open web.

Stop this stupid linguistic battle.


Why should companies expect disclosure at all?

The fact that the bug has been disclosed rather than exploited is, itself, a huge favour to Twitter.


People in various forums (a couple on HN, SO, Egor's blog, Twitter itself) seem to be saying something like "this isn't really a bug".

It's definitely a bug. Twitter requires clients to ask for the DM permission before they can send DMs. With Egor's approach, clients can privilege-escalate themselves to send DMs even if they never asked for that permission (although they still need to be authorized to send tweets).

Also, even worse, Twitter doesn't consider it a bug, according to the person who originally reported it (who was not Egor): https://twitter.com/DaKnObCS/status/411869431036653568

And here's a response from Ben Ward, the Twitter web lead: https://twitter.com/benward/status/411924515459850240


Read the API docs: only reading DMs needs a special permission; POST direct message only needs the permissions that writing a "normal" tweet would. There's no bug here. Maybe a confusing security model, but no bug.


"Twitter requires clients to ask for the DM permission before they can send DMs"

Perhaps it should, but it doesn't - apps can use the normal API to send DMs without asking for the special DM permission. So the use of the "d" command through the API isn't a vulnerability (it doesn't let anyone do anything they aren't supposed to be able to do), even if it is weird.


This kind of bug falls in a grey area, I believe. It's more a legacy feature that should be turned off.

Nonetheless, I think it's wrong to have that feature still working.


This is the same guy who hacked GitHub (and Rails) with the multiple assignment hack, among other things.


I enjoy reading his finds a lot. He tends to find relatively blatant lapses in the various security measures of the sites he investigates.


homakov is as famous as PG on HN.


Where is he "as famous"?

On HN? Or somewhere else (if so where?) where he is "as famous as PG on HN".

If you mean he is as famous on HN as PG is on HN I don't think that is the case.


You'd be surprised.

HN has become mainstream enough that a lot of readers don't know who pg is. This is what getting linked from reddit, digg, etc leads to. I don't mean this is bad, or good. It's the way it is.


He means that the following are equivalent:

* How famous PG is in HN

* How famous homakov is in HN


Who is PG? Parental Guidance?


Close.


I suppose you can say he is a sort of Parental Guidance for HN.


It only allows you to send DMs to those users you can already message - which is a small mercy.

This is part of Twitter's "Get Better" problem - where they've allowed SMS commands to be activated via non-SMS interfaces - http://techcrunch.com/2012/05/26/twitter-get-better/

Of course, it doesn't help that Twitter's permissions system is really poorly thought out. An app which only wants to read your Tweets also has WRITE access as well.


So Twitter should replace the R&W DM permission with just an R DM permission, because W DM comes automatically with R&W Tweets. Isn't it... so wrong?


It isn't a bug according to Twitter employees:

http://twitter.com/jmhodges/status/411975535703511040


The 'd' syntax for sending DMs has been around from nearly the beginning (or from the actual beginning?) of Twitter. That in itself is not a bug. However, Twitter should be stripping that leading 'd' from anything that is reposting or from a 3rd party OAuth session.
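The gap described in this thread (a Read-and-Write app turning a status update into a DM via the legacy "d user message" command, without the DM permission level) and the fix suggested above can be expressed as a gatekeeping check. This is an added example, not Twitter's code; the permission-level names, the `handle_status_update` function and the regex for the command are assumptions, and it rejects the request rather than publishing the would-be private text as a tweet.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed labels for Twitter's three app permission levels; the thread's
# point is that only the third was meant to cover direct messages.
READ, READ_WRITE, READ_WRITE_DM = "read", "read-write", "read-write-dm"

# Legacy SMS command "d <user> <message>" at the start of a status update.
# Usernames are 1-15 word characters, optionally prefixed with "@".
DM_COMMAND = re.compile(r"^\s*d\s+@?([A-Za-z0-9_]{1,15})\s+(.+)$",
                        re.IGNORECASE | re.DOTALL)


@dataclass
class Outcome:
    action: str                     # "tweet", "dm" or "reject"
    recipient: Optional[str] = None
    body: Optional[str] = None


def handle_status_update(text: str, permission: str, via_sms: bool) -> Outcome:
    """Hypothetical server-side decision for POST statuses/update.

    The command prefix is honoured on the SMS interface it was built for;
    an OAuth client gets a DM out of it only with the read-write-dm level.
    """
    match = DM_COMMAND.match(text)
    if match is None:
        if permission == READ:
            return Outcome("reject")          # read-only apps cannot post
        return Outcome("tweet", body=text)    # ordinary tweet, no command

    recipient, body = match.group(1), match.group(2).strip()
    if via_sms or permission == READ_WRITE_DM:
        return Outcome("dm", recipient, body)

    # Third-party session without DM permission: do not interpret the
    # command, and do not publish the text either (that would leak a
    # message the user intended to be private). Let the client retry.
    return Outcome("reject")
```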


It's not a bug per se, but it's certainly a hideous misfeature to have ever had that kind of input parsing except on the SMS interface to Twitter. It's just completely unnecessary.


This isn't the first bug to be found because of it!


Exactly this.

There were worse commands. I remember there was a 'follow' command (not sure it was called like that); Twitter disabled this.

The d command has some user experience value; however, yes, it makes no sense for Twitter to accept it on non-Twitter apps (meaning those that don't provide the Twitter experience, like mobile clients, TweetDeck, etc.).


Not sure how many hours go into finding these sorts of vulnerabilities, but his rate of $150/hour[1] seems like a steal compared to the lost revenues he can prevent.

[1] http://www.sakurity.com/


On the flip side, Homakov personally has incredibly bad OPSEC practices, which would make me think twice about using him. There's a correlation between what you pay and what you might get.


What do you even mean to have "incredibly bad OPSEC practices"? Without an explanation, your comment comes across as more unnecessary snark, which unfortunately isn't uncommon in threads that remark upon Homakov, or on HN in general.



I am not trying to hide my real name. If you need my ID just ask.


This is in line with a long laundry list of horribleness about user experience as related to DMs in my opinion. They don't work as expected, and quite honestly to me it feels like Twitter is running a campaign to destroy peoples' love of the DM in search of a Solution, maybe in preparation for a dm 2.0 or something.

Some of the experience elements of DM have been fixed on the iPhone, but last I checked, the problems on web desktop made me so annoyed that I stopped using DMs altogether.


Taking into account this bug and Twitter's response - they don't differentiate DMs from tweets much. The privacy of DMs doesn't mean to them what it means to us.


Come over to App.net. It will be a while before the masses ruin that.

Free invite link >> https://join.app.net/from/fjjgdclsjq


Oh, I don't think you have to worry about the masses ever ruining App.net.


I think I'll avoid it as well. I wouldn't want to accidentally ruin it.



