Pen testers accused of 'blackmail' after reporting Eurostar chatbot flaws

Researchers at Pen Test Partners found four flaws in Eurostar's public AI chatbot that, among other security issues, could allow an attacker to inject malicious HTML content or trick the bot into leaking system prompts. Their thank you from the company: being accused of "blackmail." The researchers reported the weaknesses to …

  1. Excused Boots Silver badge

    "And then, per a LinkedIn screenshot with Eurostar exec's name and photo blacked out, the security boss replied: "Some might consider this to be blackmail.””

    To which the obvious answer is “possibly yes, although I do think most will consider this to be fucking incompetence on your part”.

    1. Blazde Silver badge

      Crude but honest. I also quite like: "Blackmail? That's slander!!"

      Optionally followed up by: "I shall see you at dawn with either an apology, or a pistol"

      1. Pickle Rick

        Libel, not slander. Just saying.

        1. Anonymous Coward

          No .. just writing .. FTFY lol

          1. Pickle Rick
            Angel

            Bit of both, I was using Kaldi ASR :D lol

            1. Ceiling Cat

              Aah yes, Sliber! (my favorite combination of slander and libel).

              1. Pickle Rick
                Thumb Up

                You have defambeled The English Language! And I like it! (Granted, calling that defamation is a bit of a push, lemme have this one?) Would "sladefambel" cover the lot?

              2. Anonymous Coward

                Sliberals smh

        2. Anonymous Coward

          See this is why I read out my libelous comments while I write them down. It's unambiguous then.

    2. BartyFartsLast Silver badge

      I have had similar accusations when discussing pay rises and bank charges to which my answer was a resignation or account closure

  2. Will Godfrey Silver badge
    FAIL

    Standard procedure

    Shoot the messenger

  3. that one in the corner Silver badge

    Pass on details of flaw, be accused of bad faith actions such as blackmail

    So we've turned the clock back to the early days of companies being online, when every report of a flaw in the public facing system was met with accusations of "hacking", including claims the "hacker" (aka pen tester nowadays) was trying to extort or blackmail the company.

    And probably for the same reason: the company[1] thinks its system *must* be perfect, so the only way it can go wrong is by deliberate attacks.

    [1] The senior management, that is; everyone else knows it is propped up matchsticks.

  4. ecofeco Silver badge
    Facepalm

    So many red flags

    Where to begin? Eurostar is flying far too many red flags to ever be trusted.

  5. stiine Silver badge

    Did someone from Newag get hired by Eurostar?

  6. Bobbyqt

    As someone who operates a VDP, I have mixed feelings. While we value and reward all reports, some reporters push for very short disclosure timelines in order to be the first to publish a security flaw. Responsibility for coordinated disclosure lies on both sides, yet this report feels rather one-sided. Articles like this also create negative PR for the involved penetration testers. Rest assured many will label "Pen Test Partners" as drama queens.

    1. Anonymous Coward

      The article clearly states that the vulnerability was disclosed on June 11 (no response), followed up on June 18 (no response), followed up via another channel (LinkedIn) on July 7 (was told to use the vulnerability reporting program which is what he used back on June 11, and was accused of blackmail), and July 31 (found there was no record of a bug report). So that's a month and a half where Eurostar didn't even have a record of a report. While I'd like to see a response from Eurostar, what was provided to El Reg pretty clearly shows Eurostar trying to shoot the messenger. This is NOT a "very short disclosure timeline".

  7. Dwarf Silver badge

    PTP are the good guys and they give out good socks at the trade events. Ken is a good guy, I've met him several times.

    If someone finds a problem in your product, say thank you and fix it. It's a bit like someone telling you that your tail light is out. Shouting at them isn't going to fix it.

  8. bazza Silver badge

    This all seems a bit casual by Eurostar.

    Given the nature of Eurostar's business, they’d fall under the Data Protection Act (or whatever it’s called these days). I should think that the company Information Officer would prefer not to have to explain to the Information Commissioner why a disclosed flaw met with this level of indifference, should they in fact get rolled over and a data breach occurred.

    I’d be interested to learn of my fellow commentators' views on the idea of making such disclosures to the company information officer as well as (or instead of) to any vulnerability disclosure form. I suspect that the latter often gets dumped into the IT department somewhere (where it may fester, as happened here), whereas the IO is likely more interested because they’re the one who owns the consequences of inaction.

    Obviously it’s not the pen tester’s job to sort out internal comms problems in dysfunctional companies! But it’s interesting to consider what the best disclosure route actually is.

    1. Anonymous Coward

      I liked the way the pen tester handled it in this article - report through the official channels, check back, and when it looked like nothing happened, contact the relevant person directly. While this *shouldn't* ever be necessary, it unfortunately sometimes is. (Note this works for many, many things, not just vulnerability disclosures.)

  9. Anonymous Coward

    Hmmm

    Let’s build a public-facing attack vector and then disregard the professional reports.

    Just employ some actual (local) people and treat your customers properly.

    1. RegGuy1

      Re: Hmmm

      Fuck off!

      Do you know how much that costs?

  10. Anonymous Coward

    A foundational security assumption is to never trust the user/client, why was their system pulling the chat history from the browser, where the user could edit old messages? This was pure incompetence.

    1. Pickle Rick
      Flame

      > why was their system pulling the chat history from the browser

      Okay, I'll bite! A combination of:

      1. CxOs supping the kewl-new-thing juice, followed by; 2. PHB oversight of; 3. AGILE dev teams composed of; 4. vibe coders using; 5. untested/unknown third party APIs/libraries/tools with; 6. insufficient numbers of humans in the customer services department to catch the issues when the shit hits the fan.

      But you already summarised that:

      > This was pure incompetence.

    2. cdegroot

      It's fine to store state in the browser, as long as you sign and verify. Looks like Eurostar's devs understood this a little bit, but not enough to be trusted building a publicly facing website.
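The "sign and verify" approach from the comment above, as an added example that is not part of the thread and not Eurostar's or Pen Test Partners' code. It assumes a server-held HMAC key and a per-conversation id (both hypothetical names here), chains each message's tag to the previous one, and re-checks every message the browser sends back.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real service loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def _tag(conv_id: str, index: int, role: str, content: str, prev_tag: str) -> str:
    # A canonical JSON list keeps field boundaries unambiguous.
    payload = json.dumps([conv_id, index, role, content, prev_tag],
                         separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def append_message(history: list, conv_id: str, role: str, content: str) -> list:
    """Server side: return a new history with one more signed message."""
    prev_tag = history[-1]["tag"] if history else ""
    entry = {"role": role, "content": content,
             "tag": _tag(conv_id, len(history), role, content, prev_tag)}
    return history + [entry]

def verify_history(history: list, conv_id: str) -> bool:
    """Server side: check every message sent back by the browser, not just the last."""
    prev_tag = ""
    for index, msg in enumerate(history):
        try:
            role, content, tag = msg["role"], msg["content"], msg["tag"]
        except (KeyError, TypeError):
            return False
        if not all(isinstance(v, str) for v in (role, content, tag)):
            return False
        expected = _tag(conv_id, index, role, content, prev_tag)
        # Constant-time comparison of the tag bytes.
        if not hmac.compare_digest(expected.encode(), tag.encode("utf-8", "replace")):
            return False
        prev_tag = tag
    return True

def demo() -> dict:
    # Constructed conversation; "c1" and "c2" are made-up conversation ids.
    h = []
    for role, text in [("user", "hi"), ("assistant", "hello"), ("user", "book a seat")]:
        h = append_message(h, "c1", role, text)
    edited = [dict(m) for m in h]
    edited[1]["content"] = "tampered earlier reply"
    return {"intact": verify_history(h, "c1"), "edited": verify_history(edited, "c1"),
            "replayed": verify_history(h, "c2")}
```

A history cut short from the end still verifies under this scheme, so a server that must detect rollback also has to remember the latest tag or message count per conversation.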

    3. Ken Hagan Gold badge

      I asked a couple of recent CS graduates about this. Apparently (this is UK universities but it may be similar elsewhere) you will not be taught about never trusting the client side by whoever delivers the course in web programming, but it will probably come up if you select a computer security module and if you have the presence of mind to apply knowledge from one module to the context of the other. (There is, of course, nothing to stop you graduating if you don't make that link.)

      Also, both of them actually knew this principle anyway because it is pretty fundamental to Roblox game design. I shouldn't be too smug here though because I learned this stuff by reading El Reg for several decades

      1. Michael Strorm Silver badge

        Anyone *not* competent enough to generalise that principle from their computer security course to web design shouldn't be working in computer security *or* web design.

        That said, the basic principle- if not the fine details- is something that *everyone* doing a web design course should be made aware of, whether or not they're doing the computer security module.

  11. Gerhard den Hollander

    Guardrails

    We all should know by now that there is no such thing as guardrails on gAI.

    We already know that all of them can be bypassed.

    Gödel proved such things would be impossible back in the 1930s. They need to be complete and correct, and he proved this was not possible.

    ( the above is obviously very broad strokes )

    1. Ken Hagan Gold badge

      Re: Guardrails

      There are no adequate guardrails on Natural Intelligence. Why would anyone expect AI to be different?

    2. Michael Strorm Silver badge

      Industry-favoured "guardrails" metaphor inadvertently appropriate, but not for intended reasons...

      Real-life "guardrails" stop people from *accidentally* straying where they shouldn't, but they generally won't stop anyone who intentionally wants to go around or over them.

  12. Stevie Silver badge

    Bah!

    Increasingly, I am seeing Social Media posts with missing words in the blitherstream.

    The initial prompt in the example here contains such an omission.

    I'd be very interested to know why this is such a widespread phenomenon.

    As for A.I., what do expect from software developed to predict text inputs on a phone?
