It's actually quite heart-breaking to see the extent gone to, to reveal the bug, and then to disclose it in full, for zero reward.

Whether or not a bug bounty programme exists at a company, if a bug this severe comes through the door, it should warrant a reward.
The post is interesting, but I do not know why people assume they would get a bounty for a security report if the company does not have responsible disclosure / bounty program.
Cached copy because the site seems to be struggling: http://archive.is/2FN8G
Having done similar pentests on similar applications during my previous jobs, you can imagine the level of security many editors have on the pair (client app, server). And we are talking here about a banking application: banks have always been more concerned by security than other software consumers.
Prediction: in the coming months we will hear about more issues of this kind. This time though it will be mafia inspired by the story, stealing money for real.