Hacker News

4 days from reporting to public posting is not a responsible disclosure policy. Even if they are slow in responding, the usual grace period is about 4 weeks if I recall.



1. They haven't disclosed anything of use to an attacker.

2. According to the post, Hive responded and said the issues had been fixed. Obviously they haven't, and at this point OP seems to have decided that the most responsible thing to do was to warn users of the platform that they aren't safe.

I don't really see a problem with this.


> 1. They haven't disclosed anything of use to an attacker.

I also don't believe this is "responsible" disclosure, but I also don't think it's fair to say this information is of no use.

To me this clearly signifies that there is no back-end authentication on their API. The whole app is probably written in JS with a simple database on the backside with no serious middleware on the server side. It would probably not be difficult to reverse engineer this hack by monitoring requests using simple dev tools, and then simply replaying them with altered content.
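The comment above is speculating, and nothing in the thread shows Hive's actual code, so the following is an added illustration of the class it describes rather than anything known about Hive: a toy API where the server trusts identity fields the client puts in the request body, beside the same endpoint fixed to derive the actor from the server-side session. The `replayWithAlteredFields` helper plays the role of "copy the request from dev tools, change a couple of fields, send it again". All names, tokens and post data are constructed for the example.

```javascript
// Added example, not code from Hive or from anyone in this thread.
// Everything here (users, tokens, post ids, handler names) is made up.

// Constructed sample state: two users, one post each, one session token per user.
function newState() {
  return {
    posts: {
      1: { id: 1, owner: "alice", body: "hello" },
      2: { id: 2, owner: "bob", body: "hi" },
    },
    sessions: { "tok-alice": "alice", "tok-bob": "bob" },
  };
}

function bearerToken(headers) {
  const h = headers.authorization || "";
  return h.startsWith("Bearer ") ? h.slice("Bearer ".length) : null;
}

// Vulnerable pattern: the "who is calling" check reads req.body.username,
// which the client controls. Ownership is compared against a claimed name,
// not against anything the server itself established.
function updatePostVulnerable(state, req) {
  const post = state.posts[req.body.postId];
  if (!post) return { status: 404 };
  if (post.owner !== req.body.username) return { status: 403 };
  post.body = req.body.body;
  return { status: 200, post };
}

// Hardened pattern: the actor is whatever the server-side session maps the
// bearer token to. Identity fields in the body are ignored entirely, so
// replaying a captured request with a different username changes nothing,
// and pointing it at someone else's postId is rejected.
function updatePostHardened(state, req) {
  const actor = state.sessions[bearerToken(req.headers)];
  if (!actor) return { status: 401 };
  const post = state.posts[req.body.postId];
  if (!post) return { status: 404 };
  if (post.owner !== actor) return { status: 403 };
  post.body = req.body.body;
  return { status: 200, post };
}

// What an attacker does in the browser's network tab: keep the captured
// request (including their own valid session) and edit a few fields.
function replayWithAlteredFields(captured, changes) {
  return {
    headers: { ...captured.headers },
    body: { ...captured.body, ...changes },
  };
}

// Runs the attack against a handler and reports the outcome and whether
// alice's post (id 1) was modified by bob.
function runReplayAttack(handler) {
  const state = newState();
  // Bob's own legitimate request, as it would appear in dev tools.
  const captured = {
    headers: { authorization: "Bearer tok-bob" },
    body: { username: "bob", postId: 2, body: "edited by bob" },
  };
  // Same request, re-targeted at alice's post with alice's name filled in.
  const attack = replayWithAlteredFields(captured, {
    username: "alice",
    postId: 1,
    body: "pwned",
  });
  const res = handler(state, attack);
  return { status: res.status, alicePost: state.posts[1].body };
}

module.exports = { newState, updatePostVulnerable, updatePostHardened, replayWithAlteredFields, runReplayAttack };
```

Against the vulnerable handler the replay succeeds (200, alice's post now reads "pwned"); against the hardened one the same bytes get a 403 and alice's post is untouched. The point is that the fix is not "hide the request" but "never let the client tell you who it is".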


If that's the vuln, then they were going to be cracked wide open by half the script kiddies on the planet as soon as they got any sort of adoption.


That is precisely what you are seeing here.


I wouldn't call Zerforschung script kiddies, though.


Where does it say Hive claimed the issue had been fixed? I think you misread it.


"After multiple days and multiple reminders by us, they claimed to have fixed all issues."


It says "After multiple days and multiple reminders by us, they claimed to fix them within the next two days." now.


They don't offer a guide or any details about the exploit, this isn't really disclosure in the normal sense. Aside from any possible alterior motives the author may be just trying to light a fire under hive social's ass to get it fixed.


In kindness and for future reference, the word you're looking for is spelled "ulterior".


So, not disclosure from a security ops / policy perspective, but it is 'disclosure' in that it is the equivalent of a 'here be dragons' comment on a map ... an endorsement for the 'curious'.


This isn't disclosure



