I used the app briefly a few months prior to their discovery. The app was riddled with bugs. Things like chats not loading (received the push notification, but in the app not visible until force quit/reload). I’m not surprised it took them so long to remediate. I would guess a shoestring contractor dev team.
This is what happens when both founders are not technical. I use the app and it was obvious from day one it’s been designed and implemented by the lowest bidder.
Not necessarily the lowest bidder. It's quite easy for a consulting company that is bad at development to make a convincing pitch to a nontechnical founder as long as they're better at sales than they are at development.
Because a technical person would immediately find all of the glaring flaws and issues with their app and fix it promptly. Unless they’re incompetent. Which might be worse than non-technical.
Attending node.js events does not mean you are technical. A lot of people, I would say most people in my experience, go to those events to connect with technical talent.
The problem is they probably don’t have full time developers. They probably built the app once years ago via a dev shop and then never updated it again. The talent moved on and updating it is expensive now.
Cost minimizing aligns well with the criminal-negligence theory. In fact every egregious security issue I've come across, like plain text passwords, public S3 buckets, publicly-accessible internal tools... it all directly correlates to being cheap in my experience.
They had turnover of £39m last year and profits of £5.5m (double the previous year, quite good for a UK business of this scale). If they don't have full-time devs it'll be shocking; they certainly had the money to sort crap like this out.
They (or someone they hired) actually rewrote their whole app about a year ago, I remember seeing lots of people complaining about how much worse and buggier it got after the rewrite.
I have no idea if the back end was also replaced then or if the vulnerabilities were present in the previous version as well.