Vigilante or bug hunter?

“False alarm,” declares CityPost as it takes its website down.

Graham Cluley


From Irish news website The Journal:

“Vigilante cybersecurity expert targets Dublin firm”

That’s quite a headline: Vigilantes target an Irish business. But hang on, there’s a cybersecurity angle…


“A DUBLIN-BASED postal service took down its website yesterday, after an alleged security flaw was identified.

“CityPost holds the details of its customers online but a vigilante security researcher told TheJournal.ie that he was able to find a method to hack into the website and find customers’ personal details.”

The “vigilante” in question is Pakistani penetration tester Touseef Gul, who has previously made the headlines for discovering a way to bypass Sucuri’s web application firewall (snaffled up by GoDaddy earlier this year).

Touseef says he didn’t exploit the SQL injection vulnerability to steal any customer data, and merely reported the problem to CityPost.

CityPost characterised the report of a website flaw as a “false alarm”, but “notwithstanding that, in the interest of best practice, we have taken the site down and we will [be] carrying out full stress tests on the site.”

Sure enough, the site remains down today.


I’ll leave it to you, gentle reader, to decide for yourself whether there really was likely to have been a vulnerability on the CityPost website or not.

It’s probably not a good thing for penetration testers to probe the defences of companies and their websites without the permission of the firms themselves, but all Touseef did in this case would have been the equivalent of typing some characters into his browser’s address bar.

That hardly feels like something that should be portrayed in the press as the activities of a “vigilante” who has “targeted” a firm.

Better that someone like Gul should find such a flaw than it be left open for malicious online criminals to exploit.
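For readers wondering what a flaw of the kind reported here looks like in code, the following is an added example (mine, not code from the article or from CityPost) of a customer-details lookup written two ways: one that splices a URL parameter straight into the SQL, and a hardened one that binds the value and also checks the record belongs to the logged-in user. The table, column names and the `customer_ref` parameter are assumptions for illustration.

```python
import sqlite3

# Constructed sample data standing in for a customer-details table;
# the columns and the "customer_ref" URL parameter are assumptions.
SAMPLE_ROWS = [
    (1001, "alice", "Alice Example", "1 Sample St"),
    (1002, "bob", "Bob Example", "2 Sample St"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (ref INTEGER, owner TEXT, name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, customer_ref):
    # Builds the query by string concatenation: whatever arrives in the
    # URL parameter becomes part of the SQL, and nothing ties the row
    # to the user asking for it.
    sql = "SELECT name, address FROM customers WHERE ref = " + customer_ref
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, session_user, customer_ref):
    # Parameterised query: the value is bound by the driver and never
    # parsed as SQL. The WHERE clause also requires the record to belong
    # to the logged-in user, so altering the reference number cannot
    # surface someone else's details.
    try:
        ref = int(customer_ref)
    except ValueError:
        return []  # reject anything that is not a plain reference number
    sql = "SELECT name, address FROM customers WHERE ref = ? AND owner = ?"
    return conn.execute(sql, (ref, session_user)).fetchall()
```

The textbook probe `1001 OR 1=1` makes the first function return every row, while the hardened one returns nothing for it and, for a valid number, only the caller's own record.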


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Vigilante or bug hunter?”

  1. Polly

    The company I work for has provided a pension scheme through a well known pension fund. I decided to login to my pension portal and noticed that I have a policy number. Working in security, I thought what would happen if I changed my number. And guess what, I was able to see someone else's pension details including current salary. Not only that, it did not restrict me to just the company I work for. My dilemma is if I tell them will they think I'm a cyber criminal or do I leave it?

    1. Dominic Batstone · in reply to Polly

      Troy Hunt has a useful post on his site about how he responsibly discloses these issues. https://www.troyhunt.com/the-responsibility-of-public-disclosure/ probably worth a read.

  2. Sam

    Just wanted to say, Touseef Gul contacted us a few months ago about vulnerabilities in one of our older projects. He did request some compensation for his "work". Since we were too busy to do stress tests we actually did provide a sum to his paypal. We still don't know, and probably never will, if our customers' data is safe.
