• kitnaht@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    6 months ago

    ‘hacked’. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.

    • just_another_person@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      6 months ago

      Yeah. They got data in a way that was not intended. That’s a hack. It’s not always about subverting something by clickity-clacking like in the movies.

      • kitnaht@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        6 months ago

        Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.

        It’s the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn’t (SQL injections, etc) – the other, is using the system exactly as it was programmed.

        Downloading videos from YouTube isn’t “Hacking” YouTube. Even though it’s using the API in a way it wasn’t intended. Right-clicking a webpage and viewing the source code isn’t hacking - even if the website you’re looking at doesn’t want you looking at the source.

          • ___@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            A system fault is not the same as a vulnerability. These would have different baseline CVSS 3.1 scores, with the temporal and environmental reducing over time. A medium/low at best for a public endpoint exposing PII.