Comment by tavavex 2 days ago

> GET wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+user_pass+FROM+wp_users+WHERE+ID=1)

This is why I tried to make the clarification that I was referring to the address part of the URLs only, not the parametrized part. In my mind, something like /users?key=00726fca8123a710d78bb7781a11927e is quite different from /logins-and-passwords.txt. Although, parameters can also be baked into the URL body, so there's some vagueness to this.

> I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.

I guess if I try to distill my thoughts down, what I really mean is that there should be a minimum standard of care for private data. At some point, if being able to read restricted data is so frictionless, the fault should lie with the entity that has no regard for its information, rather than the person who found out about it. If a hospital leaves a box full of sensitive patient data in the director's office, and getting to it requires even the minimal amount of trespassing, the fault is on whoever did so. But if they leave that box tucked away in the corner of a parking lot, can you really fault some curious passer-by who looked around the corner, saw it and picked it up? Of course, there's a lot of fuzziness between the two, but in my mind, stumbling into private data by finding an undocumented address doesn't clear the same bar as brute-forcing or using a security vulnerability to gain access to something that's normally inaccessible.