Security researcher reveals grotesque vulnerabilities in "Yelp-for-MAGA" app and its snowflake owner calls in the FBI

63Red Safe is an app affiliated with 63red, a far-right news site, that is a sort of Green Book for racists, identifying restaurants and other establishments that will serve people sporting MAGA hats and other modern Klan-hood-alikes without calling them out on their overt racist symbology.

63Red Safe's developers made a string of amateurish, catastrophic errors in designing the app, leaving plaintext passwords and logins in plain sight and failing to authenticate the API, which allowed attackers to spoof any user, as well as retrieving sensitive user information about every user on the service.

The defects were revealed in French security researcher Elliot Alderson's Twitter thread.

In response, 63Red's owner, Scott Wallace, downplayed the seriousness of the defects in his product and announced in classic internet tough guy style that he had notified the FBI.

63Red Safe is an app for far-right snowflakes who can't bear to be challenged on their political beliefs. It catalogs business establishments where pistols can be openly carried, where customers are not mocked or questioned for wearing far-right and neofascist garb, and whose owners do not talk about politics in ads and social media.

Wallace's response was not magnanimous: "No lost passwords, no breach of database, no data changed, minor problem fixed. We're angry by the attempt, FBI notified," Wallace posted to Twitter, along with a link to a Medium post in which he stated:

We see this person's illegal and failed attempts to access our database servers as a politically motivated attack, and will be reporting it to the FBI later today. We hope that, just as in the case of many other politically motivated Internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime.

Alderson said he never attempted to change any data. "I did not hack your app, I read the available source code, and I used your unauthenticated APIs. It's equivalent to use [sic] your app," he responded to Wallace. "By threatening me, a security researcher, you are threatening the whole infosec community. I'm a professional and I'm not hiding. I'm staying at your disposal if needed. Btw, how did you fix the issue without updating your app?"

“Yelp, but for MAGA” turns red over security disclosure, threatens researcher [Sean Gallagher/Ars Technica]