Reading this article feels like seeing somebody you don't particularly like get pantsed, but feeling bad for them because the person pantsing them is an even bigger idiot. Like Monster is not in tech. In any regard. I'm sure that they contract for 100% of their development.
I do dev & IT for a <25 person company in ecommerce. If we had even half of the issues that were pointed out in this post, I'd be telling the owner that he should be looking to replace me. I get that they're not a software company, but these are super basic issues. These issues, coupled with no response to the reported issues, lead me to suspect that the c-suite deprioritized IT to the point that it's a skeleton staff and they can't hire or retain anyone that's even halfway competent. You don't end up with these kinds of issues, as a company of their size, unless there are serious management problems. They are big enough that they should definitely have the budget to do basic stuff like auth properly, or at least not make so many 101-level errors.
That said, the author also comes across as a complete d-bag. I have about as much love for marketing people as the average software developer, but their description of their average consumer was pretty normal. The author got super-catty about what's a fairly basic description of their average consumer and a stock photo. They aren't saying the only people who drink Monster are young white males, just that that is their largest market and the consumer group they are targeting. It does make sense for them to say internally "hey, FYI this is the group of consumers we intend to target with our marketing efforts", and I've definitely read very similar stuff in every marketing proposal I've read, just with different groups.
I wouldn't be surprised if their lack of any response is because they literally have no one to deal with this. They can't seem to fill (or hold) some pretty important IT roles:
Which in turn is maybe because they are unwilling to offer sufficient compensation. You get what you pay for but this time the tables have turned and it's a big corp getting shafted.
This is not a mom and pop shop struggling to keep the lights on. This is a huge corporation whose CEO has a net worth 4 orders of magnitude greater than the median American of his age. He could pay the whole IT department out of his pocket and barely notice.
I’m not sure a drink company throwing 200-500k at a few security hires is going to really do anything. Who is there to validate the quality of these guys?
It's like watching the school bully pants the weird kid who's just really passionate about his interests. It's not tough or cool, really it's just pathetic and sad.
"I violated the CFAA, likely committing several misdemeanors or felonies in the process, wrote up a detailed account of what I did (complete with screenshots), and then posted the account on the internet."
For the author's sake, I really hope they don't live in the USA.
Or Europe. Or the UK. 10+ years in prison plus civil damages in all three jurisdictions should it be prosecuted under the various "unauthorized computer access" laws. Even just browsing protected endpoints is a criminal violation. Publishing any info is an even bigger crime.
FYI, if you are a hacker:
1. Stop immediately after discovery and don’t go further than the minimal step that proves the vulnerability exists.
2. Document, don’t exploit
3. Report responsibly
4. Do not publish until fixed. Do not publish documents/images without permission.
5. Intent doesn’t erase liability: even “just poking around” can be charged under CFAA (US) or CMA (UK).
Products like this don't just appear in gas station coolers by themselves, they would have started by identifying a demographic first and then building a product specifically targeted to that audience. They decided to target younger-skewing men, and so they made an energy drink that's neon green and called it "Monster". If they had decided to target over-60 women they would have designed the product much differently.
This isn't just a reactive profile of who they think is buying the product, it's the blueprint for the product.
And regardless, I would tend to believe that a highly successful, very pervasive consumer product has at least some fucking clue who their customers are, unlike the random dude hacking their site who appears to think he’s an expert in everything because he understands some tech.
Since most people are lower income, a high-market-share, low-unit-price gas-station drink company like Monster will by definition have its largest customer base come from the largest (i.e. poorer) demographic. So the only slightly revelatory information is that the demographic is younger, male, and leans Hispanic.
This doesn't imply that people in higher income brackets don't drink it, even most of them (though probably untrue).
Also pertinent is that the data is specified for Monster Green, which is their full sugar product. Monster Zero is a pretty big product as well, and could have a slightly differing customer base.
Haha. White monsters are pretty popular with gen-z'ers in general. A lot of us don't like coffee but still want a hit of caffeine and it's basically pure caffeine with a very mild taste. Other sugar free energy drinks have a much stronger sourness (red bull) or more distinctive flavours. I do love the tropical and coconut red bulls though.
The green monsters are definitely more male gamer oriented, but the white, green, pink, rose monsters etc seem pretty popular with people in my generation who fall outside that male gamer demographic.
Personally I prefer red bull now but as I get older I mostly drink coffee.
Just want to add that all Monster (AFAIK) contains sucralose even if it also has HFCS or other sugar. It's a small amount because it's so potent, so I usually start at the end of the ingredients label when checking if drinks have it. NOS also puts it in their regular drinks. I don't know when they made this change, but I stopped drinking Monster because of it. I used to like the Mean Bean Java Monster quite a bit.
My energy drink of choice these days is Blueberry Red Bull, in case anyone else is looking for an option that tastes better.
Also some brands like Rockstar put it in half their flavors, so you gotta check every can. Even though Killer Citrus is safe (as of 5+ years ago when I last looked anyway), Killer Grape isn't, despite both being of a similar subtype.
I've never seen reliable data suggesting that sucralose is harmful. Could be wrong. If you wouldn't mind giving sources, that would be helpful. Or is it just a personal sensitivity? Don't mean to pry. I'm just curious about the issue.
It just tastes disgusting to me and ruins anything it's in. I have a long history of avoiding certain foods/ingredients (e.g. onions) so I was already somewhat used to reading ingredient labels before deciding if I should consume things and being a bit picky generally.
From another angle, I think it's quite shady and dishonest of them to mix artificial sweeteners into non-diet drinks and not make it clear. If someone sells sugar free drinks and not-sugar-free drinks, they shouldn't both have sucralose.
I have heard certain artificial sweeteners kill your gut bacteria, but honestly I don't care much about that. If I heard that about sugar, I wouldn't start avoiding sugar.
That makes total sense to me. I've avoided onions most of my life. More saliently, I agree that it's off-putting to hide the inclusion of artificial sweeteners. Thanks for your response--I appreciate it.
It is highly irresponsible to disclose security vulnerabilities publicly, and in some jurisdictions it may even be illegal.
While I understand that the author attempted to contact Monster without receiving a response, publishing details of the vulnerabilities and how to exploit them only puts users at greater risk. This approach is reckless and harmful.
It is common practice to give the company sufficient time and communicate, and then release the details once the vulnerability is patched. But it’s also common in practice to disclose the vulnerability after a set period of time if the company does not engage in any form of communication and refuses to patch the vulnerability. In this case they didn’t engage in any form of communication and then partially patched the problems. Nothing out of the ordinary here.
What _isn't_ common practice is actually copying and posting company material on your blog. Just because a door is unlocked does not give you the right to take materials & post them.
I have seen this in practice for vulnerabilities that affect many users of some software. If some Hackermann finds that Microsoft Windows version X or Oracle Database server version Y has a security flaw then disclosure is virtuous so that people using those can take measures. That reasoning doesn't seem to apply here.
My understanding is this is the standard SOP for security vulnerabilities:
1. Report the security vulnerabilities to the “victim”
2. Work with the “victim” on the schedule for mitigation and publication
3. Publicize the vulnerabilities (the security researcher wants his findings to be publicly recognized)
If the victim does not acknowledge this issue it is impossible to execute step 2. So then the security researcher goes to step 3.
If the hacker has the emails sent at step 1 he will be fine.
OP leaked internal business documents as part of their disclosure that had no business being in a disclosure. It looks like minor employee details have been leaked as well, which is very bad.
These companies treat fines as the cost of doing business and every time they lose people's personal information, they get slapped on the wrist and laugh it off while the execs get bonuses for having someone write a tearful apology to appear like victims.
I am happy every time somebody makes enough noise to make them notice and fix it because being polite and legal clearly is not working.
Nah, fuck that noise. If the company reacts to a responsible disclosure notice that's nice but no one is under any obligation to help out mega corps to secure their shit. And the users aren't put at risk by the people finding the vulnerability but by the company not fixing it.
Fuck Responsible disclosure, companies should have to bid on 0 days like everyone else.
One probably should not release information from a company they hacked.
On the other side, if it is some piece of software, immediate public disclosure is the only reasonable and prudent action. It allows every user to take necessary mitigation actions like taking their services and servers offline.
That argument misses the point.
Yes, the company has the primary responsibility to fix their vulnerabilities, but that doesn’t justify recklessly publishing exploits. Once an exploit is public, it’s not just 'the company' that suffers, it’s every customer, employee, and partner who relies on that system.
Saying 'fuck responsible disclosure' is basically saying 'let’s hurt innocent users until the company caves.' That’s not activism, that's collateral damage.
If someone genuinely cares about accountability, there are legal and ethical ways to pressure companies. Dumping 0-days into the wild only helps criminals, not users.
> Saying 'fuck responsible disclosure' is basically saying 'let’s hurt innocent users until the company caves.' That’s not activism, that's collateral damage.
Correct. And I have good reasons for that. Activism has failed, consequences are required. The inevitable march towards the end of privacy due to the apathy of the unthinking majority of careless idiots will only be stopped when everyone feels deeply troubled by entering even the slightest bit of personal information anywhere because they've felt the consequences themselves.
> If someone genuinely cares about accountability, there are legal and ethical ways to pressure companies. Dumping 0-days into the wild only helps criminals, not users.
I could point to probably thousands of cases where there wasn't any accountability or it was trivial to the company compared to the damage to customers. There's no accountability for large corporations, the only solution is making people care.
let's be clear here, though: the root problem isn't someone finding some sensitive papers left on a printer accidentally, it's the person who left them on the printer to begin with. that's the root failure, and damage that results from that root failure is the fault of the person who left them there.
the american system clearly agrees with this, too. you see it in insider trading laws. you're allowed to trade on insider information as long as it was, for example, overheard at a cafe when some careless blabbermouth was talking about the wrong things in public.
I contacted the owner of the house I found unlocked and there was no response, so I proceeded to let myself in anyway.
These writeups are Jr. level hacks (I looked through them all). Aside from making the company look bad, you don't really learn much from it because they are so easy.
I'm tempted to just find the person that owns this blog and make sure they aren't hired in the security industry. We don't need people like this around.
> I'm tempted to just find the person that owns this blog and make sure they aren't hired in the security industry. We don't need people like this around.
Sorry, being the one to "make sure" someone doesn't get hired makes you the person whom I'd never hire, in my eyes. Hopefully in the eyes of all the potential employers you go crying to while trying to sabotage this guy's career as well.
Everyone was an eager junior once. If you weren't, it's your problem, not this guy's.
the security guard of the local mall left the door unlocked when the mall was actually closed, and i saw the mall hours that it was closed, but i went in anyway out of curiosity since i was already there
They should not have done any of this in the first place, let alone disclose it publicly in this manner.
I too did similar things when I was younger, riding high on that feeling of power, and learned the hard way that even attempting to hack something can be considered computer fraud in EU.
I was lucky to not suffer any consequences in the long run.
You can brag all you want about being an "ethical hacker", the law is probably not on your side - especially if you publish incriminating evidence in the form of an immature post like this.
Ethical hacking requires prior authorization from the organization you’re hacking. This person is a total clown and is absolutely in violation of the law.
I found this actually to be very cute. It’s awesome that their employees have gamified badges and that the photo of their core customer looks so awesome.
I worked at places with "points" you can give to other coworkers, but no reward. I would love to have traded some of my points for Monster merch. This can almost read like an advertisement for working at Monster.
Completely irrelevant to the article, but next time you come across one of those internet crazies who think the Monster logo is satanic, you can troll them by pointing out that it is really just an Ugaritic L -- 𐎍 -- and that one of the original names for the Hebrew god was EL so really Monster is a godly drink, not satanic.
The existence of bug bounties seems to have misled some people into thinking that you can just break into any system, and it’s OK as long as you email them afterwards. That isn’t the case. This post is documentation of a crime and the author would be wise to take it down.
Their characterization of their customer base mostly rings true to me. My white teenage kids love the stuff.
Don't know about GenX though. A common definition of GenX is born between 1965 and 1980. Speaking for all GenX males of the world, the stuff tastes overly sweet to me and I don't want to risk a higher A1C on carbonated sugar water. Bleh!
I don't actually look like the people from the photos, but yes, I do imagine this is how I would look on the rare occasion I decide to get a Monster drink lol
Lots of comments about the questionable choices of this person regarding disclosing all this information. To add to the pile, they got a friend fired from McDonalds, and don't seem particularly bothered about it... https://bobdahacker.com/blog/mcdonalds-security-vulnerabilit...
Until companies spend some money on hiring competent security engineers, these attacks will always happen. No one is going to feel sorry for a large corporation that can spend money on marketing but none on security.
Good job, bobdahacker. We look forward to your next installment.
Companies like Monster and Redbull are marketing companies that happen to sell energy drinks.
That is almost certainly not a meaningless demographic they pulled out of thin air. It might not be meaningful to you as a demographic. It might even be offensive to you as a demographic.
But, to the marketing company, that is a concrete “group of humans” that respond well to their product and advertising. It informs how they develop their ads, how they target them, which geographic markets they push hard in, what events they sponsor, etc.
When they define that demographic as the people they’re targeting, and allocate their capital towards targeting them, they see the highest returns they’ve been able to find so far.
I think there is a certain beauty in it. Making an effort to understand how the universe/world/society you were born into actually works, not how you’d like it to work, is kinda key to finding your ikigai I think.
It means some people still think there are meaningful racial categories, that people with light skin come from the Caucasus, that speaking Spanish is an "ethnicity" which is orthogonal to "race".
Also Gen X (aged between 44 and 60 at time of writing) are "young".
Avatar or persona is a literal fake person. “This is Steve Doe. He works in construction and is 29 years old. He is in a lower income bracket and drinks a Monster every weekday with lunch”.
The example in the post is a super generic target market: “gen z, lower income”.
You can tell this guy has never worked or interacted with corporate marketing or advertising in any way because their astonishment at identifying their main market segment is standard practice literally everywhere. Lmao.
Focus on the security issues sure, but maybe think a bit more critically about how businesses function.
Go look around at who you see drinking monster and you're probably going to see they're not at all wrong.
For whatever it’s worth, they do have a job opening posted on LinkedIn for a sysadmin whose duties would include resolving that file access issue. Not my cup of tea as far as employers go (I don’t like energy drinks) but it seemed apropos to mention under the circumstances :)
Is it that interesting that I found the comment unnecessarily judgemental, and that it makes a shallow, unsubstantiated assumption about the author's demographic/personality?
Oh please - it’s an honest assessment not a personal attack and it’s likely accurate. That you think otherwise says more about you than it does about me.
I prefer honest truth to polite fiction.
It’s better to attempt to see the world as it is than delude yourself with bullshit.
This isn't security research, it's unauthorized hacking. Monster has no vulnerability disclosure program. It's completely illegal to try and gain unauthorized access without a VDP, even if you attempt to responsibly disclose your findings after the fact. And frankly, you didn't /responsibly/ disclose your findings, because you are publishing this while some of the vulnerabilities are still present. I reckon you have a 5% chance of ending up in jail because of this post.
Depending on jurisdiction, it can be argued that this is not unauthorized access, as the files and listings do not prevent access to anyone, effectively authorizing anyone who requests a file.
I can see faulting them for these lapses in security, but on the other hand I also don't have a guide in mind to point them to that they should make use of instead (obviously the guide they had was insufficient)
Disclosing security vulnerabilities if they don't respond is fine. Sharing internal training material and photos for the lols and internet points is just being a dick.
> "Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."
Later in the post:
> The scariest part wasn't the training portal or the questionable customer profiling.
Questionable customer profiling is just basic research about their customers.
Seriously, I wish more companies were honest at least internally who their customers are. A lot of problems could be solved if places like Marvel realized who their core base is, accepted it, and made products for their audience.
Basic understanding of a customer base could've avoided the Bud Light fiasco too. Then again, I'm sure if you're an elite upper-middle-class executive from an Ivy League school the idea that you need to cater to lower class working men must be a bit rankling.
I could imagine similar subcurrents for Marvel executives wanting to appear sophisticated or avant garde but instead having to cater to "comic book nerds" must be challenging.
The post has similar undertones of elitism as well. After all most of us tech people skew towards similar habits as does probably most well paid white collar professions.
Marvel's movie business was, for decades, run by the toy business in New York.[1] The movies were optimized for selling the merch. The Hollywood end finally broke free of the New York based "Creative Committee" once film revenue became large enough. The core base for merch is young boys, and that shaped the films.
Marvel knows pretty well who their audience is. The problem is Disney trying to tap into emerging markets, because the stereotypical audience is pretty much saturated. Like, there is zero need to market an Avengers movie to white male comic nerds.
It was never saturated. The peak was probably Thanos. Everything since then has been pandering to a more female driven potential audience that was never there.
It's not just female super heroes, which always existed and were popular to some degree (Buffy, Lara Croft, Xena, etc). It was a particular form of shallow female empowerment where the female characters were perfect, or if there was any growth to be had, it was realizing that they were perfect all along and the world just needed to change.
Take for instance the She-Hulk series: within minutes of gaining her powers, she was able to outperform Hulk. There was no personal growth. Whereas male superheroes typically had to overcome obstacles. Spider-Man had to learn that with great power comes great responsibility. Batman has to constantly battle with his grief and moral code. Iron Man fought substance abuse and his philandering, selfish nature. What was the story arc of Captain Marvel? It's just not good storytelling.
He used his "advanced hacking knowledge" to trick himself into participating in corporate training exercises and tear-inducing boredom. This actually made me laugh.
The picture is a little silly but listing out the demographics of your customer base is like so normal. The marketing for Monster would be quite different if their market was over 65 women.
Although it would be a funny bit to run a monster commercial in the style of something like L'Oreal.
When do companies ever try to understand their customers? They know what works for who, and continue to rehash that for that specific age of the generation.
The article even states this. "Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."
When you've moved on from that generational age, you're no longer their audience and they don't care if you buy or not; but it's not like they cared in the first place.
it doesn't seem like a hard concept. they're non-binary. they don't identify as either side of the biological sex spectrum and are therefore okay with any pronouns. it's also common in trans-accepting communities to preemptively list your pronouns, even if you're cisgender, and even if you're happy with any pronouns
Yeah I did feel slightly less sorry for Monster after finding out they have a $63B market cap.
https://recruiting2.ultipro.com/MON1009MECY/JobBoard/682eaab...
I don't feel bad for them.
You can pay someone to validate your hires too. Probably 200-500k is cheap compared to this embarrassment
How does any company manage to hire competent people with this attitude?
This is what happens when you contract out your development. Huge companies are going to FAFO as they continue to pursue this foolishness.
You remember "software is going to eat the world?"
_Every_ organisation is a tech organisation.
Totally still on Monster even if they contract 101% of their IT.
I first learned of bobdahacker from his post three weeks ago also headlined on HN: https://news.ycombinator.com/item?id=44723773
Or that they took sufficient care to remain anonymous.
Not that HN would know anything about that.
Here is an archived copy of the more complete, original version:
https://web.archive.org/web/20250823172249/https://bobdahack...
That's actually pretty representative of the people I see drinking Monster drinks.
Given their definition of "Younger" appears to include GenX, even that just means "Boomers don't drink it".
It is highly irresponsible to disclose security vulnerabilities publicly, and in some jurisdictions it may even be illegal.
While I understand that the author attempted to contact Monster without receiving a response, publishing details of the vulnerabilities and how to exploit them only puts users at greater risk. This approach is reckless and harmful.
It is common practice to give the company sufficient time and communicate, and then release the details once the vulnerability is patched. But it’s also common in practice to disclose the vulnerability after a set period of time if the company does not engage in any form of communication and refuses to patch the vulnerability. In this case they didn’t engage in any form of communication and then partially patched the problems. Nothing out of the ordinary here.
What _isn't_ common practice is actually copying and posting company material on your blog. Just because a door is unlocked does not give you the right to take materials & post them.
This requires you to have any amount of respect for intellectual property, which many find to be immoral
I have seen this in practice for vulnerabilities that affect many users of some software. If some Hackermann finds that Microsoft Windows version X or Oracle Database server version Y has a security flaw then disclosure is virtuous so that people using those can take measures. That reasoning doesn't seem to apply here.
My understanding is this is the standard SOP for security vulnerabilities:
1. Report the security vulnerabilities to the “victim”
2. Work with the “victim” on the schedule for mitigation and publication
3. Publicize the vulnerabilities (the security researcher wants his findings to be publicly recognized)
If the victim does not acknowledge this issue it is impossible to execute step 2. So then the security researcher goes to step 3.
If the hacker has the emails sent at step 1 he will be fine.
OP leaked internal business documents as part of their disclosure that had no business being in a disclosure. It looks like minor employee details have been leaked as well, which is very bad.
These companies treat fines as the cost of doing business and every time they lose people's personal information, they get slapped on the wrist and laugh it off while the execs get bonuses for having someone write a tearful apology to appear like victims.
I am happy every time somebody makes enough noise to make them notice and fix it because being polite and legal clearly is not working.
Nah, fuck that noise. If the company reacts to a responsible disclosure notice that's nice but no one is under any obligation to help out mega corps to secure their shit. And the users aren't put at risk by the people finding the vulnerability but by the company not fixing it.
Fuck Responsible disclosure, companies should have to bid on 0 days like everyone else.
One probably should not release information from a company they hacked.
On the other side, if it is some piece of software, immediate disclosure in public is the only reasonable and prudent action. It allows every user to take necessary mitigation actions like taking their services and servers offline.
There is a market for capabilities, i.e. zero-days in widely used software. It has value, sometimes in the millions.
No one will buy some shitty XSS on a public website.
That argument misses the point. Yes, the company has the primary responsibility to fix their vulnerabilities, but that doesn’t justify recklessly publishing exploits. Once an exploit is public, it’s not just 'the company' that suffers, it’s every customer, employee, and partner who relies on that system.
Saying 'fuck responsible disclosure' is basically saying 'let’s hurt innocent users until the company caves.' That’s not activism, that's collateral damage.
If someone genuinely cares about accountability, there are legal and ethical ways to pressure companies. Dumping 0-days into the wild only helps criminals, not users.
> Saying 'fuck responsible disclosure' is basically saying 'let’s hurt innocent users until the company caves.' That’s not activism, that's collateral damage.
Correct. And I have good reasons for that. Activism has failed, consequences are required. The inevitable march towards the end of privacy due to the apathy of the unthinking majority of careless idiots will only be stopped when everyone feels deeply troubled by entering even the slightest bit of personal information anywhere because they've felt the consequences themselves.
> If someone genuinely cares about accountability, there are legal and ethical ways to pressure companies. Dumping 0-days into the wild only helps criminals, not users.
I could point to probably thousands of cases where there wasn't any accountability or it was trivial to the company compared to the damage to customers. There's no accountability for large corporations, the only solution is making people care.
Let's be clear here, though: the root problem isn't someone finding some sensitive papers left on a printer accidentally, it's the person who left them on the printer to begin with. That's the root failure, and damage that results from that root failure is the fault of the person who left them there.
The American system clearly agrees with this, too. You see it in insider trading laws. You're allowed to trade on insider information as long as it was, for example, overheard at a cafe when some careless blabbermouth was talking about the wrong things in public.
This is a strange disclosure post.
They may not have had a security email but I’m sure there was some contact this could have been sent to before posting something like this.
Part of me wonders if OP even tried or was mostly just looking to dunk on a company.
They did contact them and there was no response. The only one answering were ClickUp folks.
This feels a bit over the line from disclosure to sharing corporate documents… feels a lil bit crimey
I contacted the owner of the house I found unlocked and there was no response, so I proceeded to let myself in anyway.
These writeups are Jr. level hacks (I looked through them all). Aside from making the company look bad, you don't really learn much from it because they are so easy.
I'm tempted to just find the person that owns this blog and make sure they aren't hired in the security industry. We don't need people like this around.
> I'm tempted to just find the person that owns this blog and make sure they aren't hired in the security industry. We don't need people like this around.
Sorry, being the one to "make sure" someone doesn't get hired makes you the person whom I'd never hire in my eyes. Hopefully also in the eyes of all the potential employers to whom you go crying, trying to sabotage this guy's career.
Everyone was an eager junior once. If you weren't, it's your problem, not this guy's.
> Sorry, being the one to "make sure" someone doesn't get hired makes you the person whom I'd never hire in my eyes.
Yeah, there was some serious, "you'll never work in this town again," energy. Glad I wasn't the only one who picked up on it.
Ignore their remarks, the person obviously has no sway at all in the industry and wants a little power.
I'd hire this security professional at my company.
Because you certainly are the right person to pass judgement and destroy someone's life based on reading a few blog posts.
Come on, what security doesn't need is this attitude.
alternatively:
The security guard of the local mall left the door unlocked when the mall was actually closed, and I saw the mall hours that said it was closed, but I went in anyway out of curiosity since I was already there.
IMO the author of the article should lawyer up.
They should not have done any of this in the first place, let alone disclose it publicly in this manner.
I too did similar things when I was younger, riding high on that feeling of power, and learned the hard way that even attempting to hack something can be considered computer fraud in EU.
I was lucky to not suffer any consequences in the long run.
You can brag all you want about being an "ethical hacker", the law is probably not on your side - especially if you publish incriminating evidence in the form of an immature post like this.
Ethical hacking requires prior authorization from the organization you’re hacking. This person is a total clown and is absolutely in violation of the law.
I found this actually to be very cute. It’s awesome that their employees have gamified badges and that the photo of their core customer looks so awesome.
I worked at places with "points" you can give to other coworkers, but no reward. I would love to have traded some of my points for monster merch. This can almost read like an advertisement for working at Monster
Completely irrelevant to the article, but next time you come across one of those internet crazies who think the Monster logo is satanic, you can troll them by pointing out that it is really just an Ugaritic L -- 𐎍 -- and that one of the original names for the Hebrew god was EL so really Monster is a godly drink, not satanic.
I thought it was the other way around, that the individual mark is interpreted as a 6 so it's 666?
Redundant! Every UPC barcode has a 6 on the beginning, middle, and end. If you've got the mark of the Beast you may as well get Beast Bux.
The existence of bug bounties seems to have misled some people into thinking that you can just break into any system, and it’s OK as long as you email them afterwards. That isn’t the case. This post is documentation of a crime and the author would be wise to take it down.
Their characterization of their customer base mostly rings true to me. My white teenage kids love the stuff.
Don't know about GenX though. A common definition of GenX is born between 1965 and 1980. Speaking for all GenX males of the world, the stuff tastes overly sweet to me and don't want to risk a higher A1C on carbonated sugar water. Bleh!
They have sugar free versions now.
I don't actually look like the people from the photos but yes I do imagine this is how I would look on the rare occasion I decide to get a Monster drink lol
Lots of comments about the questionable choices of this person regarding disclosing all this information. To add to the pile, they got a friend fired from McDonalds, and don't seem particularly bothered about it... https://bobdahacker.com/blog/mcdonalds-security-vulnerabilit...
Until companies spend some money on hiring competent security engineers, these attacks will always happen. No one is going to feel sorry for a large corporation that can spend money on marketing but none on security.
Good job, bobdahacker. We look forward to your next installment.
Funny, but these are the kinds of things they will gladly tell you on any earnings conference call (and more!)
>"Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."
What does this sentence even mean?
Companies like Monster and Redbull are marketing companies that happen to sell energy drinks.
That is almost certainly not a meaningless demographic they pulled out of thin air. It might not be meaningful to you as a demographic. It might even be offensive to you as a demographic.
But, to the marketing company, that is a concrete “group of humans” that respond well to their product and advertising. It informs how they develop their ads, how they target them, which geographic markets they push hard in, what events they sponsor, etc.
When they define that demographic as the people they’re targeting, and allocate their capital towards targeting them, they see the highest returns they’ve been able to find so far.
The world is so much more beautiful when you don't know how that works.
I think there is a certain beauty in it. Making an effort to understand how the universe/world/society you were born into actually works, not how you’d like it to work, is kinda key to finding your ikigai I think.
I feel like the more I learn about the world the better I am at living in it but the less enjoyable it becomes.
I guess you'd be really happy with a lobotomy?
Which part don't you understand?
The part where Gen-X is younger, maybe?
It's perplexing, to put it generously, but it doesn't throw the semantics of the entire sentence into question.
For all we know the document is from two decades ago.
Two decades ago makes the GenZ reference confusing, as the very oldest of them by the most generous definition would be only 9 years old.
With a span across 50 years, that range from Gen X to Gen Z is just awkward to place as "young buyers of Monster" at any point in time.
(Gen-Z/Millennial/Gen-X)
This covers like sixty years?
Closer to 30 years I'd say. Probably a lot of working age men, especially construction.
Generation X is pinned starting in the mid-60s. The Millennials follow, with Gen Z capping the range off in the early 2010s. It's about 50-60 years.
Well, their target could be read as "15 to 45 yo", which starts at the youngest GenX and extends to the younger GenZ.
Which part? younger men with lower income who are likely to be Hispanic Caucasian (as opposed to non Caucasian Hispanic)
It means a marketer will know where to deploy capital.
It means some people still think there are meaningful racial categories, that people with light skin come from the Caucasus, that speaking Spanish is an "ethnicity" which is orthogonal to "race".
Also Gen X (aged between 44 and 60 at time of writing) are "young".
This is a customer avatar. It’s standard marketing theory. And they likely know who their customers are.
Avatar or persona is a literal fake person. “This is Steve Doe. He works in construction and is 29 years old. He is in a lower income bracket and drinks a Monster every weekday with lunch”.
The example in the post is a super generic target market: “gen z, lower income”.
You can tell this guy has never worked or interacted with corporate marketing or advertising in any way because their astonishment at identifying their main market segment is standard practice literally everywhere. Lmao.
Focus on the security issues sure, but maybe think a bit more critically about how businesses function.
Go look around at who you see drinking monster and you're probably going to see they're not at all wrong.
Yes, or pointing out anti-phishing training like it's anything special. The entire post is cringe imo.
Eh, I think part of it is just making a more clickbaity title.
Looks quite a lot like an esports team!
You will never guess what i did when i read the headline!
For whatever it’s worth, they do have a job opening posted on LinkedIn for a sysadmin whose duties would include resolving that file access issue. Not my cup of tea as far as employers go (I don’t like energy drinks) but it seemed apropos to mention under the circumstances :)
My guess of what the author of this blog post looks like is 15-19yrs old & male, probably aspie.
Also should probably be a little more careful with risking the CFAA, but they seem really young so I'm guessing that's the main explanation.
> 15-19yrs old
Also would explain their unfamiliarity with what looks to me like totally normal branded corporate training.
Would you like me to give an unsolicited read on what you look like and which developmental disorders you might have also?
No need for personal attacks.
I'd be interested in reading you explain what the attack you detected was.
Is it that interesting that I found the comment unnecessarily judgemental and that it makes a shallow, unsubstantiated assumption about the author's demographic/personality?
Well if he'd made a deep assumption you'd be even more triggered.
Oh please - it’s an honest assessment not a personal attack and it’s likely accurate. That you think otherwise says more about you than it does about me.
I prefer honest truth to polite fiction.
It’s better to attempt to see the world as it is than delude yourself with bullshit.
Is this the same cope police use when they profile people? It's actually absurd. That's okay brother, you tell it like it is with your "honest truth"
> My guess of what the author of this blog post looks like is 15-19yrs old & male, probably aspie.
Generalizing. It would be the same as me calling you out as being a 34-year-old male Texas neckbeard MAGA supporter for having the user name "pessimizer".
Is that derogatory?
As a figure of speech, which this was; not so. I was explaining the point of a personal attack.
As an actual insult, assuming and throwing it at someone is an attack. It could be derogatory if what is said harshly generalizes a majority or group.
Btw, you completely missed the point of the parent question...
The term "aspie" has some very obvious and common negative connotations, much like "retard"
If GP had said the author was probably retarded, would you be so confused then?
Categorizing being young or having Asperger’s as a personal attack is on you.
The energy feels so high school
This isn't security research, it's unauthorized hacking. Monster has no vulnerability disclosure program. It's completely illegal to try and gain unauthorized access without a VDP, even if you attempt to responsibly disclose your findings after the fact. And frankly, you didn't /responsibly/ disclose your findings, because you are publishing this while some of the vulnerabilities are still present. I reckon you have a 5% chance of ending up in jail because of this post.
Depending on jurisdiction, it can be argued that this is not unauthorized access, as the files and listings do not prevent access to anyone, effectively authorizing anyone who requests a file.
is there a guide for corporate cybersecurity?
I can see faulting them for these lapses in security, but on the other hand I also don't have a guide in mind to point them to that they should make use of instead (obviously the guide they had was insufficient)
Bob needs to lawyer up because this was a CFAA violation and a half.
Well, this was cringe and irresponsible.
Disclosing security vulnerabilities if they don't respond is fine. Sharing internal training material and photos for the lols and internet points is just being a dick.
The author acts like they just hacked an authoritarian government account...
it's just an energy drink, bro. It's not that deep.
I would have loved a breakdown of what group each variant of Monster is being marketed to !
I wonder what form of beveraged stimulant the author was on?
Presumably redbull, given their avatar https://bobdahacker.com/static/images/bobdahackerReal.png
Oh wow that avatar is way worse than I expected but also doesn't surprise me at all.
I don't get why a normal corporate internal resource system is being framed as ridiculous. Does the writer not know about "personas"? Weird tone.
What a bizarre reaction to a completely standard marketing segment. Who does the author THINK is Monster Energy Drink's core customer?
This is from the post:
> "Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."
Later in the post:
> The scariest part wasn't the training portal or the questionable customer profiling.
Questionable customer profiling is just basic research about their customers.
Seriously, I wish more companies were honest at least internally who their customers are. A lot of problems could be solved if places like Marvel realized who their core base is, accepted it, and made products for their audience.
Basic understanding of a customer base could've avoided the BudLight fiasco too. Then again, I'm sure if you're an elite upper-middle-class executive from an Ivy League school the idea that you need to cater to lower class working men must be a bit rankling.
I could imagine similar subcurrents for Marvel executives wanting to appear sophisticated or avant garde but instead having to cater to "comic book nerds" must be challenging.
The post has similar undertones of elitism as well. After all most of us tech people skew towards similar habits as does probably most well paid white collar professions.
Good marketers know who their core audiences are. Bad executives will ignore the research.
Watching Warner Brothers fail to learn this lesson for a decade before finally releasing a good Superman movie was frankly a little surreal.
Marvel's movie business was, for decades, run by the toy business in New York.[1] The movies were optimized for selling the merch. The Hollywood end finally broke free of the New York based "Creative Committee" once film revenue became large enough. The core base for merch is young boys, and that shaped the films.
[1] https://www.goodreads.com/book/show/77264987-mcu
So now they sell less merch and their movies and TV shows gross a lot less. So who does this benefit?
Thanks for calling gen-x young.
That made me laugh when I read it, too.
Marvel knows pretty well who their audience is. The problem is Disney trying to tap into emerging markets, because the stereotypical audience is pretty much saturated. Like, there is zero need to market an Avengers movie to white male comic nerds.
It was never saturated. The peak was probably Thanos. Everything since then has been pandering to a more female driven potential audience that was never there.
It's not just female super heroes, which always existed and were popular to some degree (Buffy, Lara Croft, Zena, etc). It was a particular form of shallow female empowerment where the female characters were perfect, or if there was any growth to be had, it was realizing that they were perfect all along and the world just needed to change.
Take for instance the She-Hulk series: within minutes of gaining her powers, she was able to outperform Hulk. There was no personal growth. Whereas male superheroes typically had to overcome obstacles. Spiderman had to learn that with great power comes great responsibility. Batman has to constantly battle with his grief and moral code. Ironman fought substance abuse and his philandering, selfish nature. What was the story arc of Captain Marvel? It's just not good storytelling.
He used his "advanced hacking knowledge" to trick himself into participating in corporate training exercises and tear-inducing boredom. This actually made me laugh.
I’d love if he tricked himself into bulk buying monster and promoting it to all his friends to prove how wrong their target demographic was.
The picture is a little silly but listing out the demographics of your customer base is like so normal. The marketing for Monster would be quite different if their market was over 65 women.
Although it would be a funny bit to run a monster commercial in the style of something like L'Oreal.
You don't have to imagine. For some reason beyond my ken, monster energy has achieved meme status in queer circles.
I was half-surprised one of the pictured people wasn't wearing pink headphones with attached cat ears.
So strange, does the author think companies never try to understand their customers?
When do companies ever try to understand their customers? They know what works for who, and continue to rehash that for that specific age of the generation.
The article even states this. "Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."
When you've moved on from that generational age, you're no longer their audience and they don't care if you buy or not; but it's not like they cared in the first place.
Their opentext API is actually largely marketing - in fact so much so that it worked - I'm going to make some Monster cakes https://opentextapi.monsterenergy.com/opentext/images/ecde50... - https://opentextapi.monsterenergy.com/opentext/images/a1e8b8... Yum! Thanks! Count this as the first time in history this has sold me something
Uh okay? A drink company thinks their customers look like normal people? So what?
Didn't Mike Wazowski and James P. "Sulley" Sullivan go to MU?
I've seen a documentary on that, they got kicked out ;-)
"ETHICAL hacker"
...yeah... I don't think those words mean what you think they mean...
Not me. Their "Core Brand Family Consumer". And I have no reason to believe it is inaccurate.
A lot of pearl clutching over extremely average marketing material.
We detached this subthread from https://news.ycombinator.com/item?id=44997698.
Their bio says
> am nonbinary leaning fem and use she/they/he pronouns.
So while they prefer feminine, they explicitly list masculine as okay to use.
oops. my bad. I take it back :)
So just fucking anything then... What the hell is the use of pronouns at that point
It doesn't seem like a hard concept. They're non-binary. They don't identify as either side of the biological sex spectrum and are therefore okay with any pronouns. It's also common in trans-accepting communities to preemptively list your pronouns, even if you're cisgender, and even if you're happy with any pronouns.
Sex is neither a spectrum nor an identity.
what's the point of listing almost-but-not-all competing pronouns? How does that help someone respect their desired choice if "they're all good"?
The entire cybersecurity field is like that
HACKER NEWS ADMINS: You might want to remove this thread for legal reasons :)