The designer of a new app for reviewing MAGA-friendly businesses had a total meltdown on Tuesday after an internet researcher discovered major security flaws in the app’s coding.
“63red Safe works like a conservative Yelp,” The Daily Beast reported on Monday. “Instead of reviewing the lighting and ambience, though, the site’s users rate restaurants and other businesses on a series of four questions, including whether the restaurant’s owners make political social-media posts and whether they allow customers to carry weapons.”
Within hours after the launch, a French security researcher with the moniker “Elliot Alderson” (a reference to Mr. Robot) was able to gain access to the backend of the app, which was completely unsecured, leaving users’ data at risk.
In a nutshell, Alderson was able to see that 4,466 people had signed up because no login credentials were needed to snoop around.
In response, 63red Safe’s founder, Scott Wallace, said in a statement on Tuesday that he takes security “very seriously” and has “already taken action to additionally protect our data.”
And then came the victim card.
“As we have seen across the United States, conservatives particularly have come under attack for their political beliefs — verbally, physically, and electronically,” Wallace wrote. “This is unacceptable in a free society, and we will take every action to stop it, and assist our users in that as well.”
Wallace said that he notified the FBI about the “politically-motivated attack” with the hope that “this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law.”
TL;DR: No lost passwords, no breach of database, no data changed, minor problem fixed. We’re angry by the attempt, FBI notified.https://t.co/v59DExCI0F
— 63red (@63red) March 12, 2019
Unfortunately for Wallace, this was a huge overreaction.
“I can understand 63red is angry but I’m here to help them, not the opposite,” Alderson told Gizmodo.
Alderson’s discovery was not a crime, nor did he steal any data or mess with the site’s digital infrastructure. All he did was point out vulnerabilities in the coding.
“Let’s hope FBI educates the folks at @63red about how this really works,” tweeted hacker Kate Moussouris.
Looks like @fs0c131y 's research revealing a rookie security mistake of having NO authentication on an API has triggered Stage 1 & 2 in the 5 Stages of Vulnerability Response Grief https://t.co/9REgvy2x33 .
Let's hope FBI educates the folks at @63red about how this really works. https://t.co/aPqsvujvop
— Katie Moussouris (@k8em0) March 12, 2019
Wallace and 63red Safe were savagely mocked for calling the feds on someone who was trying to make their online safe space safer.
Why are you MAGA peeps always the snowflakes?
— Ask Cybergibbons! (@cybergibbons) March 12, 2019
You guys called the FBI on a security researcher who browsed your DB bc you all used a sketchball API and didn't do your homework well enough to know the dev's password was exposed? He was even nice enough to not change any of your entries… What's the matter with you all?
— Emily H E X A Crose (@hexadecim8) March 12, 2019
Threatening researchers will definitely make them stop looking for flaws in your security. It won't encourage anyone to exploit your app.
It will also make researchers do responsible disclosure instead of full disclosure.
— David (@slaveriq) March 12, 2019