I haven’t heard of #Giggle before but apparently they not only had a pretty bad vulnerability allowing anybody to query information of all accounts, they also made some rather questionable privacy choices. https://research.digitalinterruption.com/2020/09/10/giggle-laughable-security/
So they would keep the selfie meant only for verification, store the user’s geographic coordinates and keep account data after deletion. But that’s not what makes this case notable. Problematic vulnerability disclosures aren’t uncommon, but #Giggle managed to stand out here.
Somehow, the email communication still happened, the right person received the report and confirmed it. So a bit later today @email@example.com started sharing the image below – without retracting any of her claims, somehow assuming that this reinforces her points.
Update: today #Giggle’s @firstname.lastname@example.org published a new statement. It’s a good first step, though for my taste it’s a bit thin on reflection of her own role in this mess. What’s still missing however is some statement on the privacy issues. Will these be fixed as well eventually?
A Mastodon instance for info/cyber security-minded people.