So I have a small web app I made. I didn’t really advertise much because there’s a lot of things I wanna fix in it and I don’t have the time. But I did tell a few classmates about it.
Last few days I noticed it had been running slowly. Until one day it just stopped working. I checked the server logs and there was a background worker trying and failing to insert some data into the db on loop because of a bug I didn’t notice. The data it was trying to insert was spam so I knew this was an intentional thing. I took the server down and in the process accidentally deleted all the logs. Oops.
So I go and check the database and the user who inserted the spam data used their actual email. I google it, find their GitHub, their twitter, and their fiverr which has their actual name and picture. I search their name in my university system and find them. It’s someone I don’t know. Someone who heard from a classmate I told about it.
Fixed the bug now, banned the account, removed the spam. I guess you could say they did me a favor catching the bug but they could’ve just told me about it lol.
The only question left is: should I contact them? Send them a subtle "I know what you did" message on the uni portal?
I’d personally suggest sending an email to one of your profs about noticing potentially malicious network activity that originated from a fellow uni student with your attached proof.
In that same email you could ask them what’s the proper procedure for the circumstance you’re in.
I feel like this is the best option.
OP shouldn’t even TRY to take matters into their own hands.
Document rigorously and then send all documentation to the designated people.
Then document who you sent it to and hold onto backups so that if they try to turn it around on you, you can dump all their dirty laundry out into the open.
What are you doing here with your thoughtful and well-reasoned replies? This is the internet, we’ll have none of that kind of thing around here! Just because this is absolutely the right course of action doesn’t mean you can be promoting this kind of calm and unsensational behaviour!
Bring your evidence to the CS Professor. See what they think.
Yeah generally it’s in bad form to mess with other people’s projects without their permission at university. CS Professor probably won’t be impressed.
Agreed. Mostly because there’s a risk that individual will continue down the offensive security route without guidance and end up a blackhat.
Removed by mod
It’s a hobby project. I’m an amateur dev I know. I’m not even mad at them, they helped me catch a bug. Cool ur tits
FYI, the comment got removed
Bugs happen, but that person was exploiting them maliciously.
Do you have the usual friend that loves punching people? You know… Great friend but drinks and is always getting into bar fights?
the usual friend that loves punching people
Very fucking usual
Do you have friends like that?
Just ask him why he did it and how he found out about it and that he should just notify you instead of exploiting the bug.
Anyone could have used that email to insert spam. Unless you use confirmation emails?
Well, if you don’t, you have nothing. If you do use confirmations, then just tell the police.
I do.