
If in doubt, put a catputer photo. Cats always look fabulous.

Update: It seems that error-cat has gone now. In summary, anybody could download a list of all people eating at these restaurants, their telephones, addresses, pastry preferences and the last four numbers of their credit cards. Am I right? It seems that by entering a single telephone they obtain a dozen different users. Is it a sort of wildcard or something?

Wouldn't it be much better to talk with Panera Bread directly?




I'm going to pick on your post a little:

Why would you assume a security researcher who put in that much effort and kept the pastebin mostly anonymous didn't put in the effort to contact Panera Bread?

Is there a reason you automatically assume that the security researcher is irresponsible, but companies, who almost daily, have data breaches, are responsible in these scenarios?

"Hey, maybe you should contact the company?!" Thank you captain fucking obvious.


> Why would you assume...?

Because there is no data that specifies the opposite in the link (and extra info was lacking when I wrote it), thus it is a reasonable and logical first thing to check.

> Is there a reason you automatically assume that the security researcher is irresponsible...?

Please, don't put words in my mouth. I didn't call anybody irresponsible and I didn't automatically assume anything. To be honest, I couldn't care less about who, if anyone, has the responsibility here. I'm trying to learn something. Not more, not less.

Captain fucking obvious is a nice title. We'll have a safer world when people start paying attention to a lot of fucking obvious and boring things. This reminds me a lot of the outrageous lexNET case (that was much, much worse than the internet knowing who has a sweet tooth for buns).


Apparently he tried talking with Panera directly. First contact was 6 months ago. The vulnerability still exists so he decided to release it publicly. I think that's reasonable.


And it's fixed immediately after release. 180 days seems about 90 days more than what major vendors get.

I bet this vulnerability was open for years.


It wasn't fixed immediately after release. Apparently all they did at first was:

1.) Take down site for 2 hours
2.) Require logins to access api.
3.) Get on fox news and say it's "fixed" ... then we come to find out you can still access all data from the API once you login


I certainly have a few open reports to companies that I've been trying to reach for, in several cases, _years_. Or, in other cases, I found something but trying to reach the right person is nigh impossible. security@ bounces, general support is useless, no one responds on linkedin, no one responds to direct emails, pinging them on twitter does nil. Extremely sad.
