While on a 14 day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I’m personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn’t believe it hadn’t been exploited already.
I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.
This is the story of what happened when I tried to do the right thing.
I had a similar experience many, many years ago – before the rules for vuln embargoes were formalized; and I wasn’t even a security researcher. I was just a techie who discovered that the broker’s staff were resetting anyone’s forgotten password to the same temporary word. And like in this article, they had no mechanism to force users to reset the temp password on next login to something unique. I’d asked to have my password reset at some point, having forgotten it, and upon logging in with my user ID accidentally swapping two digits, found myself in someone else’s brokerage account, with substantial funds staring me in the face! And, their email and personal details.
I disclosed the issue to the broker, but out of paranoia, did it through a throwaway email account, from home, not work (I should’ve used a VPN, but back then I wasn’t as aware of such things). From that throwaway email, I also notified the person whose account I’d accidentally logged into, urging them to check their account and contact the broker to ensure no one else might have gotten into their account.
A day or so later, I got a call at my work phone from someone at said broker, asking if I had seen any unusual activity on my account, and that they had seen some suspicious activity from our company’s network (remember, the accidental login to the other person’s brokerage account occurred at my work PC)… I suspect they were fishing for info pointing to my being the one who accidentally accessed someone else’s account. I played dumb, as the call did NOT have good vibes; I could sense they were looking for a ‘hacker’ to scapegoat, not calling just to inform people there was a problem.
Thank heavens I didn’t reveal that I knew anything about the vulnerability… I had just reset my password, nope nothing unusual here, nosirree… but within a day or two their password reset procedure had been changed for the better and emails were sent out stating that a ‘security incident’ had occurred.
Lesson: Do NOT trust that your security report will be taken as being helpful. Most companies will try to throw you under the bus if they can, to save face.
The influential people in society have demonstrated and set the examples for everyone to never admit a mistake, and if you cheat or hurt someone, to blame them, and to assassinate their character. Lie, trash their character, accuse them of cheating you, etc.
It works too, people trust the more successful party. If you are some lower wage client of a company, and they are a successful internet company, people will give that company the benefit of the doubt. They will believe the rich guy that cheated you in his slander to make you the bully.
Tbf, that’s most business asset security SOP.
That’s a crazy story. Glad you didn’t get caught up in their incompetence. Do you still do business with them?
Nah, once I moved jobs and started holding nontrivial amounts of retirement and TFSA stocks I opened accounts with a new broker.