You should think about sending an email to all of your users. I realize it's a tough call pointing out a problem so early but it might also be a good way to garner users' trust.
"Whoops, we disclosed everybody's AWS credentials. I know! Rather than tell our users, I'll wipe the database and remove all evidence of it ever happening."
It's not helpful, it's realistic. My exact wording was "your time will be better spent elsewhere."
We each have 24 hours in a day. I spend 8-9 of mine sleeping, 9-10 at work. That doesn't leave much leftover for me.
If zacharyvoase wants to spend his precious free time educating people who haven't done any due diligence to learn how to build a secure web app, that's his prerogative. But I don't see it as a good use of his time - there are already tons of resources out there that will do a better job than zachary. Is HN supposed to be a newbie education destination?
That's your response to someone (admittedly, poorly) discovering and reporting a security vulnerability in your application? Telling him to "be nice" then dropping his e-mail and face as some kind of stick-waving, threatening gesture?
Congratulations on demonstrating to me and countless others why I shouldn't use any product that you EVER touch. You don't get a pass because you're just two nerds. You have a form with a submit button -- that's where your responsibility as a founder and custodianship of user data begins. Day 1, you're already a liability.
I realize this is a pretty direct attack but I'm appalled and staggered by your behavior in this thread. You launched a service on the public Internet. There is no grace period, there is no "friendly fire"; you fucked up and you disclosed AWS credentials. Not users' favorite colors. AWS KEYS. Tied to credit cards, running servers, S3 backups, God knows what. You don't get to tell people to be nice to you when you're acting as the steward of AWS credentials; you protect them and act like you care when someone tells you that you fucked up doing so.
Your behavior here is just foreboding for the future, and you need to realize that before launching your next endeavor (this one is probably done, after that little mess).
This wasn't some exotic exploit either. Public, numbered (1,2,3...) accounts, all of them editable - it's almost funny. Can you imagine what other security problems exist in the code?
EDIT: Guys, don't downvote smeagle's comments. If anything, we should be upvoting them as much as possible so that others can see this blatant disregard for their users.
---------
You are quickly making the case for having one of the worst responses I've ever seen to a huge security flaw. Trying to wipe things under the rug when your users' information is clearly exposed is an easy way to destroy trust.
I seriously can't fathom the ineptitude it takes to direct people to someone's email like that over your glaring mistake.
Classless. Come on Khang - everyone here wants to root for their fellow entrepreneurs, creators, and (self-proclaimed) "nerds".
RKearny pointed out a very real, very important issue that will help you make your service better, and help you deliver even more value for your users. And he did it for free! You should be thanking him and asking him for more feedback, not deflecting responsibility like this.
ryan's info is public. he put it on our feedback forum. i wanted to make sure everyone was aware of his public info since we (as well as others) were very concerned with his course of action and questionable statement "Still managed to get a few dozen AWS keys though."
i'm not sure why thanking him is in order... ?
5 people emailed me privately about the security issue. we fixed it promptly, and followed up with instructions to everyone exposed (~20) on how to protect their credentials. i haven't yet heard a complaint from our actual users.
you and i know that saying "~20" is a random number since you had nothing in place to track it. i'd love to hear how you know it's 20. seriously. tell us.
I can search for email addresses too! Don't direct users to me because you failed to secure your web application.
It's nice to know someone who works at a company that handles credit card and bank payments would just post someone's email address and photo. Granted this is all public since I posted on the Uservoice post, it was still unnecessary.
If you were a company, you'd have insulation against lawsuits. Two nerds means you and your families' assets are at risk; launching an app with such a spectacular security hole seriously puts the two of you and your families in danger.
The only thing you are right about is that WePay is terrific and I am glad you are not associated with them. How difficult is it to own up to your mistakes instead of shooting the messenger?
@smeagol. First of all you fucked up. So stop acting so high and mighty and apologize to rkearney and everyone else who even thought about signing up for your product. Secondly, if this was just meant for you and your friends, don't go public with it and post it on HN. I highly recommend another hobby in a different field because clearly this one doesn't agree with you. Lastly, please stop calling yourself a nerd.
The best part of this whole catastrophe is that this app isn't just embarrassing for smeagol, but it is playing out on HN, YC's main advertising venue, and it undermines the whole concept of these MVP summer vacation startup companies, showing that 2 guys in a garage can't launch a minimally provisioned website.
if anyone's concerned about your AWS key, just destroy your IAM user and create a new one. that's what it was designed for.
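The last comment's advice, worked through as an added example that is not code from this thread or from the service being discussed. It goes slightly beyond the comment: instead of destroying the IAM user, it rotates the user's access keys, which is what you want when the user's policies and resource grants should survive. It assumes boto3 is installed and that the caller's own credentials may list, create, update and delete access keys on the target user; the function names `plan_rotation` and `rotate_access_keys`, the sample key metadata and the key IDs are all constructed for illustration.

```python
"""Rotate an exposed IAM user's access keys (added example, boto3 assumed).

IAM permits at most two access keys per user, so a rotation has to make room
first. The plan below never deletes an Active key directly: an old key is
deactivated first so it can be re-enabled if some forgotten deployment still
depends on it, and only an Inactive key is ever deleted.
"""
from datetime import datetime, timezone


def plan_rotation(keys):
    """Return the ordered (action, AccessKeyId) steps for one rotation pass.

    `keys` has the shape of the AccessKeyMetadata list that
    iam:ListAccessKeys returns: dicts with AccessKeyId, Status, CreateDate.
    Actions are "delete", "create" (id None) and "deactivate".
    """
    ordered = sorted(keys, key=lambda k: k["CreateDate"])  # oldest first
    plan = []
    if len(ordered) >= 2:
        inactive = [k for k in ordered if k["Status"] == "Inactive"]
        if inactive:
            # An already-retired key is safe to remove to free a slot.
            plan.append(("delete", inactive[0]["AccessKeyId"]))
            ordered = [k for k in ordered if k is not inactive[0]]
        else:
            # Both keys still active: retire the oldest and stop here; the
            # caller re-runs once nothing is seen breaking.
            plan.append(("deactivate", ordered[0]["AccessKeyId"]))
            return plan
    plan.append(("create", None))
    for k in ordered:
        if k["Status"] == "Active":
            plan.append(("deactivate", k["AccessKeyId"]))
    return plan


def rotate_access_keys(user_name, iam=None):
    """Apply plan_rotation to a real IAM user via boto3.

    Returns the new key dict (AccessKeyId, SecretAccessKey, ...) when one was
    created, or None when the pass only deactivated an old key. The secret
    is returned to the caller for distribution and is never printed here.
    """
    import boto3  # local import keeps plan_rotation importable offline
    iam = iam or boto3.client("iam")
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    new_key = None
    for action, key_id in plan_rotation(keys):
        if action == "delete":
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
        elif action == "create":
            new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
        elif action == "deactivate":
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id,
                                  Status="Inactive")
    return new_key


# Constructed sample of ListAccessKeys output: one live key, one already
# inactive from an earlier pass. The IDs are placeholders, not real keys.
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE0000OLD", "Status": "Active",
     "CreateDate": datetime(2010, 6, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLE0000MID", "Status": "Inactive",
     "CreateDate": datetime(2010, 7, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for step in plan_rotation(SAMPLE_KEYS):
        print(step)
```

Run against a live account, `rotate_access_keys("some-user")` performs one pass; the returned secret goes to the deployment that needs it, and the deactivated key is deleted on a later pass once nothing has broken. Whichever way you do it, the old key's last-used time (`iam:GetAccessKeyLastUsed`) is worth checking before deletion so you know which systems were still using it.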