Testing/Evaluating/Disclosing an exploit isn't immoral in my mind, nor should it be illegal (in a perfect world).
Disclosing private details of third parties is certainly immoral in my mind, and should be illegal.
According to this logic publishing the exploit, so long as you're censoring output, is fine. If someone uses your exploit to download personal data, it's AT&T who is doing the immoral/hopefully-illegal disclosure. If that someone uses your exploit and then publishes the data or does some other naughty thing with it, book 'em.
You get moral brownie points under this logic if you notify the target after you discover the exploit. It's not required, because disclosure is notification. Nefarious-types aren't going to call up a bank to say "hey, we're stealing all your customer records", nor will they disclose this hole to the world.
Unpopular statement ahead: if you collect personal details, it's your job to secure your systems, and it's your fault if your systems leak them. Of course there's no such thing as 100% secure, but you're the one doing the risk analysis and design.
> It's not required, because disclosure is notification.
In this case it doesn't entirely work because it is trivial to recover the information (so the disclosure/fix is hour-sensitive rather than days-sensitive).
Also, in Full Disclosure it is accepted ethical practice to notify the affected vendor and give them a reasonable time to fix it (In this case... I'd give them 2 days).
It is also very definitely not ethical to hand the data you got to the media. :)
Evaluating an exploit, unless sanctioned by a bilateral agreement between both parties (like in pentesting), is in fact illegal in most countries. Disclosure without proper notification of the affected parties can also lead (and sometimes does) to a lawsuit against you.
I don't completely agree, but it's the prevailing point of view (and/or law) at the moment.