I've found a data leak in a fairly well-known password manager. I'm currently in talks with the developers to get this corrected. However, in proving that this is a bug, I stumbled on a user's data which is freely accessible to anyone. All it requires is a simple Google search and you can view the data.

Given that I have seen many people in the US (where I currently reside) be prosecuted for simply pointing out security flaws, should I email this random person and tell them that their data is out there for the world to see?

  • This seems more like an ethical and/or law question, depending on why you ask. Commented Sep 30, 2015 at 5:19
  • If you want to do right with no chance of punishment, use Tor to set up an email account on myway.com (no phone or second email required) or a similar email service and email the victim. There is little chance the three-letter agencies could locate you and absolutely zero chance they would care about doing so. Commented Sep 30, 2015 at 5:49
  • I do not think it is your responsibility to inform these users. Since you're already in touch with the developers, I'd recommend making a suggestion to them to inform their clients that client data might be stolen. Commented Sep 30, 2015 at 6:01
  • I'm seeing news now on Twitter, possibly about the same program. I hope everyday users dump it before it causes them harm. Too late for some already, so it seems, and that is a shame. Commented Sep 30, 2015 at 11:46

1 Answer

You did the right thing in informing the developers that their product is flawed.

Now, whether to inform the user whose passwords you accidentally discovered is up to your ethics. It seems like an important breach of security, so I probably would do this.

If you choose to report the breach to the user, you can do it anonymously. You could send a message from a throwaway email account as I think there's very little chance that the user would try to prosecute you. (You probably had a greater risk of getting sued by the developers.) If you feel paranoid, and would prefer to go fully anonymous, just run a live Tails CD and from there send an anonymous email via Sendy.

  • This is pretty much what I thought, but I figured it doesn't hurt to get the general opinion. Thanks! Commented Sep 30, 2015 at 16:47
