While on a 14 day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I’m personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn’t believe it hadn’t been exploited already.
I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.
This is the story of what happened when I tried to do the right thing.
You must log in or register to comment.
I reported a vulnerability at work when I found out I could make transactions on our system look like someone else made them.
No reply for 6 months, then, when I was in a new department they asked if it was still a problem. I told them I do not think it was fixed but I don’t work there anymore so they closed out the ticket.
🙃
How the hell can a lawyer seriously argue that you were wrong to report to the relevant authorities? That’s not their call.
I had a similar experience many, many years ago – before the rules for vuln embargoes were formalized; and I wasn’t even a security researcher. I was just a techie who discovered that the broker’s staff were resetting anyone’s forgotten password to the same temporary word. And like in this article, they had no mechanism to force users to reset the temp password on next login to something unique. I’d asked to have my password reset at some point, having forgotten it, and upon logging in with my user ID accidentally swapping two digits, found myself in someone else’s brokerage account, with substantial funds staring me in the face! And, their email and personal details.
I disclosed the issue to the broker, but out of paranoia, did it through a throwaway email account, from home, not work (I should’ve used a VPN, but back then I wasn’t as aware of such things). From that throwaway email, I also notified the person whose account I’d accidentally logged into, urging them to check their account and contact the broker to ensure no one else might have gotten into their account.
A day or so later, I got a call at my work phone from someone at said broker, asking if I had seen any unusual activity on my account, and that they had seen some suspicious activity from our company’s network (remember, the accidental login to the other person’s brokerage account occurred at my work PC)… I suspect they were fishing for info pointing to my being the one who accidentally accessed someone else’s account. I played dumb, as the call did NOT have good vibes; I could sense they were looking for a ‘hacker’ to scapegoat, not calling just to inform people there was a problem.
Thank heavens I didn’t reveal that I knew anything about the vulnerability… I had just reset my password, nope nothing unusual here, nosirree… but within a day or two their password reset procedure had been changed for the better and emails were sent out stating that a ‘security incident’ had occurred.
Lesson: Do NOT trust that your security report will be taken as being helpful. Most companies will try to throw you under the bus if they can, to save face.
The influential people in society have demonstrated and set the examples for everyone to never admit a mistake, and if you cheat or hurt someone, to blame them, and to assassinate their character. Lie, trash their character, accuse them of cheating you, etc.
It works too, people trust the more successful party. If you are some lower wage client of a company, and they are a successful internet company, people will give that company the benefit of the doubt. They will believe the rich guy that cheated you in his slander to make you the bully.
Tbf, that’s most business asset security SOP.
That’s a crazy story. Glad you didn’t get caught up in their incompetence. Do you still do business with them?
Nah, once I moved jobs and started holding nontrivial amounts of retirement and TFSA stocks I opened accounts with a new broker.
Similar experience here. Some companies just want to pin a scapegoat should they be held liable. Others are just assholes from top to bottom.
You did your due diligence. You almost got burned. Decide for yourself if it’s worth it next time. Not every act in good faith receives a good response.
Apparently the threats are still sufficiently strong that the author dares not mention the company’s name :/
I mean it’s obviously DAN isn’t it? Who else insures divers?
Disgraceful, old-fashioned actions from the unnamed diving
certifiersinsurer - and, as the major diving insurance company (based in Malta) is DAN World Insurance Group SP, it’s clear that DAN puts their reputation above child safety.(edited out misdirected finger pointing)
I would add that I’m not sure 30 days is “generous” given that 90 days is somewhat standard, but given that it took only two days for a lawyer’s threats to arrive that’s not too relevant.
It is a “Diving insurer” not a “diving certifier”. This is likely DAN, since he is a PADI instructor and PADI pushes DAN.
You’re absolutely right, I’ll edit my comment. Thanks for the catch.
