Discovered Serious Misconfiguration On Server Host

How “big” is this company?

How would I know? :stuck_out_tongue:

Now that's something I've kept in mind since the beginning and really hope it's not the case…

So far their support seems to be somewhat understanding and forgiving, and I really hope they stay that way.

1 Like

Someone should really be hiring you for this stuff mate :wink:

I'm actually currently working in the cyber security field :wink:

8 Likes

Sounds like a very basic cPanel setup with not much effort put into it. Pretty sure that even the very default settings on CloudLinux will stop all of that?

2 Likes

Yep, they do. Hence why I am interested in finding out who they are lol.

1 Like

You may be surprised how often a company's response to a security report is to have their lawyers draft up a cease and desist letter, and sometimes even send you an invoice for the time they spend fixing the issue. Some companies just don't understand that people finding holes in their infra and reasonably reporting them is a good thing, and the amount they pay in bug bounties is likely minuscule compared to the amount they'd need to spend to recover from a major breach.

2 Likes

Something like 5 billion dollars by comparison?

4 Likes

So what happened? :slight_smile:

The issue reporter should be the one sending the invoice.

2 Likes

So what happened in the end is that I let them know through Telegram that I can see information of other clients on the same server, and they replied that they will take a look at this (I didn't even provide any info, just straight up said that I can see information of other users, probably because of misconfigured permissions).
Fast forward a day, they haven't replied yet, I try to see the same directories that I could see until the previous day, and boom, I can't.
They haven't replied on Telegram, so I hit them up with a message asking if they have any update on this matter, and they reply with "Can you provide some screenshots of what you can see?".
I inform them that they must have made some changes as I now don't have access to these directories, and they say:
"We did nothing
There was such an issue, but a month or 2 months ago"

I haven't really understood what's up with that… Did the server change some stuff itself? Are they lying? Was it an auto-update that fixed this? I can't really know. The thing is that now I can't access the same things I could access before I messaged them.

Everything ended with "Anyway, thank you for your report!", which I guess is good?

2 Likes
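The post above describes the classic shared-hosting failure: home directories and the config files inside them readable by every other account on the box. The script below is an added example, not something from the thread or from the hosting provider; it is the permission audit a practitioner would run on a cPanel-style host (one directory per account under /home, a path that is an assumption here) to confirm whether the isolation is actually broken. It tests mode bits with `find -perm` rather than trying to open files, so the result is the same whether you run it as an ordinary tenant or as root, and it prunes directories that others cannot traverse so a 644 file behind a 700 directory is not counted.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether other accounts' home
# directories and credential-bearing config files on a shared host are
# exposed to "other". Assumes a cPanel-style layout with one directory per
# account under the given root (default /home); the list of config file
# names is an assumption covering common web-app credential files.

# audit_homes ROOT
# Prints, per exposed account:
#   LIST <dir>      home directory others can read AND traverse (o+rx)
#   TRAVERSE <dir>  home directory others can traverse but not list (o+x only)
#   CONF <file>     a config file under it that others can read, reachable
#                   only through directories others can traverse
audit_homes() {
    root="${1:-/home}"
    # Candidate accounts: only directories others can traverse at all.
    find "$root" -mindepth 1 -maxdepth 1 -type d -perm -001 2>/dev/null | sort |
    while read -r dir; do
        if [ -n "$(find "$dir" -maxdepth 0 -perm -004 2>/dev/null)" ]; then
            printf 'LIST %s\n' "$dir"
        else
            printf 'TRAVERSE %s\n' "$dir"
        fi
        # Prune any subdirectory others cannot traverse: a readable file behind
        # a 700 directory is not reachable, so it must not be reported.
        find "$dir" \( -type d ! -perm -001 -prune \) -o \
            \( -type f \( -name 'wp-config.php' -o -name '.env' \
                         -o -name 'configuration.php' -o -name 'config.php' \) \
               -perm -004 -print \) 2>/dev/null | sort |
        while read -r f; do
            printf 'CONF %s\n' "$f"
        done
    done
}

# count_exposed_configs ROOT
# Number of CONF findings; 0 means no other-readable config file is reachable,
# which is the pass condition for a quick gate in a hardening check.
count_exposed_configs() {
    audit_homes "$1" | grep -c '^CONF ' || true
}
```

On a default cPanel box without CloudLinux CageFS, a 711 home directory still shows up as TRAVERSE, and that is enough for a tenant who can guess `public_html/wp-config.php` to read another account's database credentials; the fix is either CageFS-style per-user virtual filesystems or removing the other-execute bit from every home directory (750 with the web server in the group), after which both the directory and everything below it drop out of the report.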

Sad fact of the story is that I actually went ahead and downloaded some things from other clients when I first discovered this, just to have it as proof that I could actually access their directories, and literally 2 days before I messaged them, I formatted my drive (SSD) because Windows couldn't read it (previously used with Linux Mint)… and there goes my proof…

Really? You downloaded other people’s files? Hmm…

Screenshots or a quick screencapture video would have sufficed as proof in my opinion.

4 Likes

And you have likely broken the law by doing so, good job!

2 Likes

It was actually an auto configuration grabber. The files I grabbed contained database usernames and passwords. Not that this makes it ok… But yeah, I actually searched for my configuration file, and somehow saw everyone else's too…

I’m not sure what that means.

Makes it worse. You shouldn’t have stored it as proof. If you didn’t know what it was and somehow accidentally grabbed it, the first thing you should have done when you realized what it was would be to delete it.

Run an extra pass for good measure!

4 Likes

Too honest in my opinion :joy:

1 Like