I have been tinkering with the API of a pretty popular web service and I discovered that the email address of every user is easily mined from the site. The issue I have is that they say that they do not disclose any personally identifying information but by combining different API calls you can trigger a disclosure of user email addresses. It looks intentional as well.

I am in the process of writing code that will allow anyone to harvest the email addresses but I do not want to make it public. Is the public disclosure of email addresses a problem or just something that I am worrying about for no reason? I feel like businesses should be more careful about how they treat customers and how they treat customer data.
While it might be the case that they have a vulnerability somewhere, in that [the email address of every user is easily mined from the site], there are few reasons to [write code that will allow anyone to harvest the email addresses].

Yes, [businesses should be more careful about how they treat customers and how they treat customer data], and I agree you should submit some sort of proof-of-concept to the web service, privately, to improve [how they treat customers and how they treat customer data].
You should probably email them first to check whether they are aware of the issue or whether it is indeed intentional.

If it is, and it is not mentioned in their T+Cs or anywhere on their site so that their customers are aware that their affiliation with the service can be discovered easily by third parties, then I would consider it a problem.
In this case I think disclosing the company name so that its customers are informed is not an issue, but I would not release the tool to get the data.