So I have a small web app I made. I didn’t really advertise much because there’s a lot of things I wanna fix in it and I don’t have the time. But I did tell a few classmates about it.
Last few days I noticed it had been running slowly. Until one day it just stopped working. I checked the server logs and there was a background worker trying and failing to insert some data into the db on loop because of a bug I didn’t notice. The data it was trying to insert was spam so I knew this was an intentional thing. I took the server down and in the process accidentally deleted all the logs. Oops.
So I go and check the database and the user who inserted the spam data used their actual email. I google it, find their GitHub, their twitter, and their fiverr which has their actual name and picture. I search their name in my university system and find them. It’s someone I don’t know. Someone who heard from a classmate I told about it.
Fixed the bug now, banned the account, removed the spam. I guess you could say they did me a favor catching the bug but they could’ve just told me about it lol.
The only question left is: should I contact them? Send them a subtle 'I know what you did" message on the uni portal?
The logs were deleted, sounds like there isn’t any proof left.
There is. The db entries are still there, linked to their username and email. I’m not gonna report it obviously. That’d be silly
But can you prove those db entries were created by that user?
Why would it be silly? Someone attacked your website. Even penetration testers with benign intentions can’t do that without an explicit consent from the owner.
Good point. The db entries are linked to the user, but I guess one could argue that was changed after the fact. The db logs are still around but that might not be enough.
I don’t know. I just feel like it would be an overreaction. Especially since they technically exploited a bug in my own code.
This person was being an asshole. Let’s be clear. They didn’t inform you of a bug they found. Instead they just wanted to destroy what you made for the fun of it. Let them face some reprecussions for once. At least it’ll teach them to cover their tracks better.
Yeah that’s called an intrusion, hackers do that and it’s illegal. If you accidentaly leave you house door unlocked is it your fault if someone trashes your house?
Report them, no damage was done and it’s a relatively minor thing so I wouldn’t expect grave consequences, but maybe this person will be more more responsible in the future.