So I have a small web app I made. I didn’t really advertise much because there’s a lot of things I wanna fix in it and I don’t have the time. But I did tell a few classmates about it.
Last few days I noticed it had been running slowly. Until one day it just stopped working. I checked the server logs and there was a background worker trying and failing to insert some data into the db on loop because of a bug I didn’t notice. The data it was trying to insert was spam so I knew this was an intentional thing. I took the server down and in the process accidentally deleted all the logs. Oops.
So I go and check the database and the user who inserted the spam data used their actual email. I google it, find their GitHub, their twitter, and their fiverr which has their actual name and picture. I search their name in my university system and find them. It’s someone I don’t know. Someone who heard from a classmate I told about it.
Fixed the bug now, banned the account, removed the spam. I guess you could say they did me a favor catching the bug but they could’ve just told me about it lol.
The only question left is: should I contact them? Send them a subtle 'I know what you did" message on the uni portal?
I’d personally suggest sending an email to one of your profs about noticing potentially malicious network activity that originated from a fellow uni student with your attached proof.
In that same email you could ask them what’s the proper procedure for the circumstance you’re in.
I feel like this is the best option.
OP shouldn’t even TRY to take matters into their own hands.
Document rigorously and then send all documentation to the designated people.
Then document who you sent it to and hold onto backups
so that if they try to turn it around on you, you can dump all their dirty laundry out into the openWhat are you doing here with your thoughtful and well-reasoned replies? This is the internet, we’ll have none of that kind of thing around here! Just because this is absolutely the right course of action doesn’t mean you can be promoting this kind of calm and unsensational behaviour!
The logs were deleted, sounds like there isn’t any proof left.
There is. The db entries are still there, linked to their username and email. I’m not gonna report it obviously. That’d be silly
But can you prove those db entries were created by that user?
Why would it be silly? Someone attacked your website. Even penetration testers with benign intentions can’t do that without an explicit consent from the owner.
Good point. The db entries are linked to the user, but I guess one could argue that was changed after the fact. The db logs are still around but that might not be enough.
I don’t know. I just feel like it would be an overreaction. Especially since they technically exploited a bug in my own code.
This person was being an asshole. Let’s be clear. They didn’t inform you of a bug they found. Instead they just wanted to destroy what you made for the fun of it. Let them face some reprecussions for once. At least it’ll teach them to cover their tracks better.
Yeah that’s called an intrusion, hackers do that and it’s illegal. If you accidentaly leave you house door unlocked is it your fault if someone trashes your house?
Report them, no damage was done and it’s a relatively minor thing so I wouldn’t expect grave consequences, but maybe this person will be more more responsible in the future.