I haven’t heard of #Giggle before but apparently they not only had a pretty bad vulnerability allowing anybody to query information of all accounts, they also made some rather questionable privacy choices. https://research.digitalinterruption.com/2020/09/10/giggle-laughable-security/
So they would keep the selfie meant only for verification, store the user’s geographic coordinates and keep account data after deletion. But that’s not what makes this case notable. Problematic vulnerability disclosures aren’t uncommon, but #Giggle managed to stand out here.
The bad news: @firstname.lastname@example.org threatens to sue the researchers unless they let her approve the publication first. They kindly decline, as they should. And she shares that communication publicly as well, somehow assuming that it puts her in a better light?
Update: today #Giggle’s @email@example.com published a new statement. It’s a good first step, though for my taste it’s a bit thin on reflection of her own role in this mess. What’s still missing however is some statement on the privacy issues. Will these be fixed as well eventually?
A Mastodon instance for info/cyber security-minded people.