A Dublin teen has discovered a flaw in an online takeaway website which allowed him to access its customer data.
Computer whizzkid Jack Kelly (18) was on Marvin.ie when he said he decided to “have a look around the site”.
“I spotted the vulnerability during a manual scan of the site. It was a minor weakness but I had the capability to make the flaw more serious. I had access to all customer data including phone numbers,” he said.
Rathfarnham-based Jack currently works in the building trade but has ambitions to make a living as an independent security researcher.
Taking “an ethical approach”, the young man reported the issue directly to the Irish startup when he first spotted the bug on Friday, May 18.
“My query was forwarded on to the tech team and their CTO contacted me the day after, on Saturday, and said he was investigating. He couldn’t find the bug immediately but I walked him through it.”
“He said he was meeting with the CEO on Monday to discuss the incident and a potential reward. In my initial letter I said that I was looking for opportunities in the field and the CTO offered to write me a reference for my future job search in this sector.”
Marvin.ie told Independent.ie that their general backend system had been “briefly breached” by someone using “a complicated scripting method”.
“That individual proceeded to communicate with us directly and assisted us in fixing this particular bug,” a spokesperson for the firm said.
The company agreed to pay Jack a total of €300 for helping them spot – and fix – the flaw in the system.
“It is common for tech companies to offer bug bounty programs to security researchers and programmers when such bugs are identified and reported, and in this instance, we offered such a reward,” said the Marvin.ie spokesperson.
The firm said that they take the protection of their customer data extremely seriously and that they worked through the weekend to ensure the bug was fixed.
Marvin.ie also said that they were satisfied that their customers’ data remains safe but that they have notified the Data Protection Commissioner (DPC) of the breach.
The office of the DPC told Independent.ie that they had not received notification of the breach prior to the release of the Marvin.ie statement.