
Is it usual to disclose (what appears to me to be) a vulnerability with massive potential for exploitation towards disastrous ends, before the developers of the software have shipped a fix?

I guess I'm curious as to what the norms around disclosure of such discovered vulnerabilities are in general.



It's a hot topic of debate. Some people advocate for full disclosure, which means tell everyone as soon as you find it. The idea behind that is that attackers might have already found it and be exploiting it, so people should know in order to protect themselves. Others advocate for coordinated disclosure (sometimes called responsible disclosure, a controversial term[1]), with some sort of time limit. Google Project Zero does that with a 90-day time limit, with some exceptions to extend it or reduce it[2].

[1] https://news.ycombinator.com/item?id=12308246

[2] https://googleprojectzero.blogspot.com/2021/04/policy-and-di...


Forgot to say thanks for a well-cited and helpful response!


The bug was filed in November. More than enough time for a fix. Eventually you have to go public to force Apple’s hand.


It allows a site to see which other sites you have visited. It’s not that disastrous.


You have a point. I initially misread the article as suggesting that the entire DB from other sites was leaked.

Still though:

> Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified. Some popular examples would be YouTube, Google Calendar, or Google Keep. All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts.



