Platform engineer and open source enthusiast Rob Dyke says that he’s found himself in a sticky pickle.
You see, in late February he discovered two public repositories on GitHub which contained code for an application, API keys, usernames and passwords, and a database dump. Anyone in the world could access the sensitive information.
Dyke contacted the organisation (which he hasn’t named), sending them evidence of their security screw-up and pointing out that the code was based on an old version of a PHP framework which contained vulnerabilities.
Dyke went on to explain that he had encrypted the sensitive data (which was more than the organisation had done) when storing it securely, and would destroy his copy in 90 days.
The good news is that the owner of the repository thanked him, and the offending code and data were taken down.
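The practical lesson for anyone who commits code is to catch credentials before they reach a public repository. The following is an added example, not code from Rob Dyke or the organisation in the story: a small pre-push check that scans file contents for the kinds of material Dyke found (API keys, passwords, database connection strings with embedded credentials, private keys). The `.env`-style input is constructed for the demonstration and contains no real credentials; the AWS access-key-ID shape and PEM private-key header are well-known formats, while the assignment and connection-string patterns are generic heuristics of my own. Low-entropy values such as `changeme` and vault placeholders such as `${VAR}` are skipped so the check does not fire on harmless defaults.

```python
import math
import re
import sys

# Signature patterns for common secret shapes. The AWS access-key-ID shape and
# the PEM private-key header are well-known formats; the other two are generic
# heuristics (assumptions for this example) for credentials embedded in config.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # NAME=value where NAME contains a credential keyword; captures the value.
    "credential_assignment": re.compile(
        r"(?i)\b\w*(?:api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*['\"]?([^'\"\s#,;]{8,})"
    ),
    # scheme://user:password@host  -- a database dump's worth of trouble in one line.
    "db_connection_string": re.compile(
        r"(?i)\b(?:mysql|postgres(?:ql)?|mongodb)://[^:\s]+:[^@\s]+@"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str, keep: int = 4) -> str:
    """Redact a matched value so the scanner's own output does not leak it."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_for_secrets(text: str, entropy_threshold: float = 3.0):
    """Return a list of (line_number, finding_kind, masked_match) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "credential_assignment":
                value = m.group(1)
                # Vault placeholders and low-entropy defaults are not secrets.
                if value.startswith("${") or shannon_entropy(value) < entropy_threshold:
                    continue
            findings.append((lineno, kind, mask(m.group(0))))
            break  # one finding per line is enough to block the push
    return findings


# Constructed sample .env file for demonstration; none of these are real credentials.
SAMPLE_DOTENV = """\
# constructed sample .env file for demonstration; no real credentials
APP_ENV=production
DB_PASSWORD=changeme
API_KEY=${API_KEY_FROM_VAULT}
STRIPE_SECRET=sk_test_Zq9xT3mLp2vR8wK4nB6yH1cJ
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
DATABASE_URL=postgres://app_user:S3cr3tP4ss@db.internal:5432/app
"""


if __name__ == "__main__":
    # Used as a pre-push hook: a non-zero exit stops the push.
    results = scan_for_secrets(SAMPLE_DOTENV)
    for lineno, kind, snippet in results:
        print(f"line {lineno}: {kind}: {snippet}")
    sys.exit(1 if results else 0)
```

Run as a hook, the script refuses the push on three of the seven lines above (the Stripe-style key, the AWS-style key ID and the connection string) while letting the `changeme` default and the vault placeholder through. Any commit that has already been pushed publicly should be treated as compromised regardless of how quickly it is removed, because forks and clones may have copied it.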
Fast forward to earlier this week, when a law firm acting on behalf of the organisation wrote to him accusing him of “committing offences under the Computer Misuse Act 1990 and the Investigatory Powers Act 2016” and, in his words
“…demanding that I give commitments that amounted to me acknowledging that I had unlawfully hacked into and penetrated systems and databases.”
Dyke says that he has made no threats to the organisation or its systems, and was practising responsible disclosure. It certainly sounds like that to me too.
I need help with
– a technology/ cyber savvy lawyer
– about £1500 (est) to pay them
I've received Notice before action after
– I found api keys, passwords, etc in public open github repo
– investigated and identified Author and Organisation
– Notified them and was thanked https://t.co/3wMb7lNOkg
— Rob Dyke (@robdykedotcom) March 9, 2021
Clearly rattled, Dyke has started a crowdfunding campaign to pay for legal representation. So far he’s raised more than the £1500 he requested from his Twitter followers – an impressive achievement.
He’s nobly – so far – declined to name the organisation concerned, but says “If you knew who it was you’d be very disappointed.”
I hope the unnamed organisation quickly realises its mistake, and apologises to Rob. If anything they should offer him some form of bug bounty for his honesty and expertise after their goof.
When/if the organisation’s name becomes known, this is likely to cost it much more.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.