A security researcher describes gaining full access to the production database for Imgur’s image-sharing site — and then successfully lobbying the company for a higher bug bounty of $5,000. Nathan Malcolm says he exploited a remote-access vulnerability in one of Imgur’s unprotected development servers to read their /etc/passwd file, and also keys.php, which contained the credentials for their MySQL servers. An anonymous Slashdot reader quotes Nathan’s article on Medium:
An important part of security research is knowing when to stop. I went far enough to prove how serious the issue is, and demonstrate what a malicious attacker could do, while not being overly careless or intrusive… I hope other teams can learn from Imgur’s willingness to take on feedback and improve, as communication around security is so very important.
Imgur’s founder and CEO sent him a personal e-mail along with the bounty, which ended “Thanks so much for protecting us and properly reporting it to us.” The author of the article reports that “I’ve continued to participate in Imgur’s bug bounty program, and while it’s not perfect, it’s responded and paid out nicely to myself and others.” And the $5,000 bounty? “Half of that went to people in need, including Lauri Love, a hacker facing extradition to the United States, and a close friend who was recently made homeless. Various charities and researchers also benefited from it.”
Read more of this story at Slashdot.