What would you do?
I have been tinkering with the API of a pretty popular web service and I discovered that the email address of every user is easily mined from the site. The issue I have is that they say that they do not disclose any personally identifying information, but by combining different API calls you can trigger a disclosure of user email addresses. It looks intentional as well.

I am in the process of writing code that will allow anyone to harvest the email addresses, but I do not want to make it public. Is the public disclosure of email addresses a problem, or just something that I am worrying about for no reason? I feel like businesses should be more careful about how they treat customers and how they treat customer data.

While it might be the case that they have a vulnerability somewhere, in that [the email address of every user is easily mined from the site], there are few reasons to [write code that will allow anyone to harvest the email addresses]. Yes, [businesses should be more careful about how they treat customers and how they treat customer data], and I agree you should submit some sort of proof-of-concept to the web service, privately, to improve [how they treat customers and how they treat customer data].

Yes, I would definitely keep it private. How could I say I cared about the disclosure of personal data and then disclose it? Thanks Solo3.

You should probably email them first to check that they are aware of the issue, or if indeed it is intentional. If it is, and it is not mentioned in their T+Cs or anywhere on their site so that their customers are aware that their affiliation with the service can be discovered easily by third parties, then I would consider it a problem.

In this case I think disclosing the company name so that its customers are informed is not an issue, but I would not release the tool to get the data.