While this is an interesting story ...
it does also read as a puff piece for the protagonist and his company.
McDonald's customers who won a prize draw competition got more than they hoped for after the burger chain emailed them login credentials for development and production databases used to power the campaign. The first person to report the blunder to McDonald's, startup founder Connor Greig, told The Register: "It's a bit weird …
Little bit disingenuous... if you go to either of these links they forward straight to the creatorsphere openbugbounty page. So whilst not technically having a plain text security.txt file they have ensured that if someone wants to go to "the file" they get something other than the 404 delivered by most others!
https://creatorsphere.co/.well-known/security.txt
https://creatorsphere.co/security.txt
"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologise for any undue concern this error has caused,"
Well, that is so reassuring. Though they are hardly going to say they don't give a toss about user data security in a country with GDPR enacted.
I rather like the term "undue concern" in the above message. They are not apologising for genuine reasonable concern caused by the breach, just "undue concern".
shouldn't have bothered, just post on fb or twitter, make a shitstorm how they don't have a contact number, phone line dead, no emails, basically, an mc-ghost ship, wait for shit-storm, etc, take it from there. It seems to be the only way to get through to any org these days.
(says the fb- and twitter-less one)
For years I've based my initial security assessment of (mainly) banks on a call to their customer service phone number, asking the person who answers the phone if the company has a procedure for customers to report a security vulnerability.
Only once did I encounter one that did.
As for the others, the legitimate conclusion is that they don't truly care...
Sadly, most companies don't even have a process for employees to report a vulnerability should they find one.
Best example is a company I worked for that had a major security flaw on the main website. I could not find a published procedure for reporting it, so I called the corporate Risk Management office. They didn't know either, but begged me to please inform them if I did manage to find the answer.
After several weeks I stumbled upon an internal web form for reporting vulnerabilities. After several more weeks someone contacted me to let me know that the mailbox for that form was no longer monitored. He did supply another form to report the issue, which I used and I did indeed receive an acknowledgement.
Any global corporation that cannot be arsed to provide an emergency contact address that is actually monitored, for such breaches, deserves all it gets.
They want to insulate themselves from us inconsequential proles, that's up to them. If you can't get through after wasting some of your valuable time, walk away and leave them to suffer the consequences.
"Any global corporation that cannot be arsed to provide an emergency contact address that is actually monitored, for such breaches, deserves all it gets."
While I agree, it's probably for the same reason that postmaster@, admin@, webmaster@, abuse@, etc. are rarely monitored, probably full, or don't even exist in the first place. They not only get hammered by every spammer, but also by anyone who has an axe to grind and thinks they are being ignored through the usual channels.
As implied by other posters above, these big companies go out of their way to avoid being told stuff that is to their benefit to know.
If a customer has a genuine complaint (which includes a security fail) they might well want to tell the company. So what does the company do? Usually, these days, it puts its digits in its electronic ears and sings "la la la" very loudly. Like someone ignoring the bailiff on the doorstep and hoping he'll give up and go away.
So unless their carefully chosen focus group tells them there's an issue they won't know until sales begin to drop away.
My assumption is that beancounters calculate that the cost of those disgruntled punters taking away their business is less than running a decent customer service department. Being beancounters they don't factor in the fact that most users don't complain - they go straight to the walking away stage. And if the problem is widespread they'll continue to walk away.
So most of these organisations hide or remove phone numbers and email addresses. Instead there's a web page with a link that says "Contact us" that leads to an FAQ page that has no FAQs with any relevance to anything that anyone would care about. Followed, possibly only after you've clicked on one of these irrelevant links, by another link that says "Need more help". This takes you to a generic Help page, which leads to the FAQ page...
Yep, I tried to report an issue with the NHS DNS about a year ago, but got nowhere. Emails to their contact details, and to Nominet, were ignored.
Basically, one million years ago, an article for tightening up DNS servers went "viral" - stupidly, it had a list of non-assigned nets that it said you should block.
2.0.0.0/8 was one such block.
Many DNS servers to this day still block that range.
The NHS servers do. Basically, if your DNS resolver sits on a 2.0.0.0/8 address, it cannot resolve the NHS addresses (all their nameservers block 2.0.0.0/8). [Well, they did last time I checked 6 months ago; it may be fixed now.]
I used to generally check for sites that still blocked those addresses, and reported them. I had some successful feedback, but there was so much hoop-traversing that I grew tired of it. Now I just avoid setting up DNS on 2.0.0.0/8.
(I just found this article about the issue http://blog.e-shell.org/302)
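The stale "bogon" filter described above can be audited from the defender's side: compare each denied prefix against the ranges that are still special-use today and flag the rest, which is how a copied 2.0.0.0/8 entry would be caught before it blocks a legitimate resolver. This is an added example, not code from the thread, the NHS or the linked blog; the deny list is a constructed sample and the reserved-range table is a subset assumed for this example.

```python
import ipaddress

# Constructed deny list in the style of a resolver ACL copied from an old hardening
# article. 2.0.0.0/8 was unassigned when such lists were written but has long since
# been allocated, so it is the stale entry this check should surface.
DENY_LIST = """
# bogon filter (constructed sample)
0.0.0.0/8
2.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.168.0.0/16
224.0.0.0/4
"""

# Ranges that remain special-use or reserved today (a subset; assumption for this example).
STILL_RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

def parse_deny_list(text):
    """Parse one CIDR per line, ignoring comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def stale_entries(deny_nets):
    """Denied prefixes not fully inside a still-reserved range: likely stale bogons
    that now block legitimately allocated address space."""
    return [str(n) for n in deny_nets
            if not any(n.subnet_of(r) for r in STILL_RESERVED)]

def is_blocked(deny_nets, addr):
    """Would a resolver at this address be refused by the deny list?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in deny_nets)
```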
I wonder sometimes whether such a vicious circle was, perhaps, designed by a genius, severely underpaid / unpaid intern, bored to death, or whether this is something way above human-based design, more of a trait of 'nature', as nature has this uncanny (?) tendency to take the path of least resistance. Yeah, a philosophical question, nature v. nurture, mc-case study...
> My assumption is that beancounters calculate that the cost of those disgruntled punters taking away their business is less than running a decent customer service department
Definitely. Also the crowd has a very short memory (days). So no matter what you do to them, they will quickly forget and you can catch them back with your next advertising campaign. No harm done.
Also agree about contact information: Companies indeed don't want to be bothered, so they create this obstacle course to hide the fact there is no way for the masses to contact them. They consider that anybody who really has to contact them already has the required contact information, the rest is just annoying background noise...
It's pretty much guaranteed nowadays that registering to get something for free (or even just cut price) would mean that one's name and private parts will thereafter make the rounds as a potential sucker. One might even sit down one day in a public loo to find one's name and number engraved on the door because of it.
Frankly, this doesn't reflect well on Creatorsphere.
Do you need to enter an email address to enter McD prize draws?
Thought so. They track your location by monitoring your burger consumption. Just a 'loyalty card' dressed up in a top hat and tails.
I've seen a few draws recently, on crisp packets and drinks bottle, that require an email address before you can enter your 'lucky code number'. No thanks.
I found a security bug (a biggy) with Virgin Money's Android app.
They told me to post the bug ONTO THEIR PUBLIC TWITTER FEED so they could deal with it.
I said no.
They said ok send it to <generic customer service email box>
I said no.
They said they don't have a security/programming team that can be contacted.
So the bug remains unfixed and stupidly exploitable.
"I found a security bug (a biggy) with Virgin Money's Android app. They told me to post the bug ONTO THEIR PUBLIC TWITTER FEED so they could deal with it."
Hey, if that's how they roll...
Someone signed up for an online service using my email address. I tried to get off their mailing list, and finally opened a support case and explained the problem: how can we remove my email from this other guy's account. Support replied that the only way is to delete the account, but that will lose any paid content. Step by step instructions with screenshots.
I replied back thank you, I followed your instructions, reset this guy's password, and deleted his account. Jeff whoever you are, I apologize. CreativeLive are bloody idiots and I ran out of crayons.
I had something similar with Netflix: they insisted that I had an account with them and that I had signed up with them, despite my never having done so and never having gone through any email verification process, yet I was still receiving account emails. Then they stated that because I didn't have an account with them they couldn't talk to me or provide support... /genius