Talkspace threatened to sue a security researcher over bug report

A security researcher says he was forced to take down a blog post describing a clear bug in Talkspace’s website that gave him a year’s subscription at no cost, after the company dismissed his findings and sent him a legal threat.

John Jackson said he was able to sign up to Talkspace, a therapy app, as if he were an employee at one of the companies whose health insurance plans cover Talkspace’s services. Some of those employer sign-up links can be found in Google search results, even though they aren’t advertised on the company’s website.

However, Jackson said he found little to no evidence that the sign-up page verifies that a user is eligible for the free yearlong subscription.

Jackson tested his theory. A month later, the account remains active, he said.
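The flaw Jackson describes is that a partner-specific sign-up link is treated as proof of eligibility, even though such links can be found by anyone. The following is an added example, not Talkspace’s code or Jackson’s: a hypothetical sponsored sign-up handler in two forms, one that grants the sponsored plan to anyone arriving via the partner link, and a hardened one that requires either a match against a roster the partner supplies or a token signed with a secret shared with that partner, falling back to a self-pay account and logging the attempt for fraud review. The partner `acme`, the roster entries and the shared secret are all constructed for the example.

```python
"""Hypothetical sponsored sign-up flow (added example, not the app's own code).

The point: possession of a partner sign-up URL must not be what unlocks a
paid plan, because the URL is discoverable. Eligibility has to be checked
against something the partner controls (a roster feed or a signed token).
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import logging

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("signup")


def normalize(email: str) -> str:
    """Canonical form so 'Alice@Acme.example ' and 'alice@acme.example' match."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """Roster is stored hashed so the service never holds the raw employee list."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


@dataclass
class Partner:
    slug: str
    roster_hashes: set        # sha256 of normalized employee emails from the partner's HR feed
    token_secret: bytes       # shared secret the partner uses to sign eligibility tokens


# Constructed sample partner data (not real).
PARTNERS = {
    "acme": Partner(
        slug="acme",
        roster_hashes={email_hash("alice@acme.example")},
        token_secret=b"constructed-secret-for-example-only",
    )
}


@dataclass
class Account:
    email: str
    plan: str                 # "sponsored" or "self_pay"
    partner: Optional[str] = None


# --- Weak version: arriving via the partner link is treated as eligibility ---
def weak_signup(email: str, partner_slug: str) -> Account:
    """Grants the sponsored plan to anyone who uses the partner's link."""
    if partner_slug not in PARTNERS:
        raise ValueError("unknown partner")
    return Account(email=normalize(email), plan="sponsored", partner=partner_slug)


# --- Hardened version: roster match or partner-signed token required -------------
def issue_eligibility_token(partner_slug: str, email: str) -> str:
    """Token the partner's own HR portal would hand a verified employee (assumed flow)."""
    partner = PARTNERS[partner_slug]
    return hmac.new(partner.token_secret, normalize(email).encode(), hashlib.sha256).hexdigest()


def is_eligible(partner: Partner, email: str, token: Optional[str]) -> bool:
    """Eligible if on the partner roster, or if carrying a valid partner-signed token."""
    if email_hash(email) in partner.roster_hashes:
        return True
    if token:
        expected = issue_eligibility_token(partner.slug, email)
        return hmac.compare_digest(expected, token)   # constant-time comparison
    return False


def verified_signup(email: str, partner_slug: str, token: Optional[str] = None) -> Account:
    """Sponsored plan only after an eligibility check; otherwise self-pay plus a fraud-review log."""
    partner = PARTNERS.get(partner_slug)
    if partner is None:
        raise ValueError("unknown partner")
    if is_eligible(partner, email, token):
        return Account(email=normalize(email), plan="sponsored", partner=partner_slug)
    # Not verifiable: do not bill the partner; record the attempt (hashed, truncated) for review.
    log.warning("unverified sponsored sign-up attempt partner=%s email_hash=%s",
                partner_slug, email_hash(email)[:12])
    return Account(email=normalize(email), plan="self_pay", partner=None)


if __name__ == "__main__":
    print(weak_signup("mallory@mail.example", "acme"))       # sponsored: the link alone sufficed
    print(verified_signup("mallory@mail.example", "acme"))   # self_pay: no roster match, no token
    print(verified_signup("Alice@Acme.example", "acme"))     # sponsored: roster match
```

The warning log is the detection hook: a spike of unverified attempts against one partner slug is the signal a fraud team would want to alert on, and it contains no raw email address.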

Jackson’s case is only the latest instance of security researchers facing legal threats for their work. Months earlier, aerospace security researcher Chris Kubecka said she was threatened by Boeing after finding a security issue on a plane. Two security researchers were prosecuted last year amid claims that they overstepped the limits of their penetration test at an Iowa courthouse. The case was dropped.

Talkspace does not offer a way for security researchers to submit bugs. With help from TechCrunch, the researcher contacted Talkspace to warn of the possible bug, fearing that malicious hackers or users could be abusing the system to obtain treatment. But the company dismissed the claims, telling Jackson that it has “internal procedures in place to protect against abuses,” without giving specifics.

Within hours of Jackson publishing his findings on his website, which TechCrunch has seen, Talkspace sent Jackson a cease and desist letter, accusing the researcher of defaming Talkspace “by broadcasting untruths” in his blog post.

“In no instance would Talkspace charge an enterprise partner or a health program for services rendered to an individual not deemed eligible by that partner,” said the letter, signed and sent by Talkspace counsel John Reilly.

“This letter is formal notice to cease and desist, as well as immediately retract statements with clarification to your blatant and damaging misstatements,” said the letter. “Failure to do so will lead to additional legal action.”

When reached, Talkspace would not say on the record what its anti-fraud mechanisms are, or whether, or how many, fraudulent incidents it has discovered, only that the sign-up program is “designed in cooperation with each partner based upon their individual aims,” said Gil Margolin, Talkspace’s chief technical officer.

We’ve published the cease and desist letter. The letter did not address the technical claims made by Jackson in his blog article.


When reached, Talkspace spokesperson JoAnna Di Tullio deferred comment to Reilly, who repeated the claims from his letter, that the company is “well aware of the way we structure our employer relationships and secure qualification for our solutions,” and described Jackson’s blog post as “pure defamation” and “completely untrue.”

Security researchers are now embraced by many companies through bug bounty programs, which pay or reward researchers for finding bugs and security flaws that could otherwise be exploited by malicious hackers.

Other companies, like Dropbox, Mozilla and Tesla, go further by offering “safe harbor” provisions, promising not to take legal action against researchers who act in good faith.

Got a tip? You can send tips securely on Signal and WhatsApp to +1 646-755-8849.


Article source and credit: feedproxy.google.com http://feedproxy.google.com/~r/Techcrunch/~3/PuMkFvNW-fM/
