Ive found that Im often testing others applications for exploits and security holes, maybe just for curiosity In the UK, we have the "Computer Misuse Act". Now if these applications you're proverbially "looking at" are say Internet based and the ISP's concerned can be bothered to investigate (for purely political motivations) then you're opening yourself up getting fingered. Even doing the slightest "testing" unlesss you are the BBC is sufficient to get you convicted here Even Penetration Test houses require Sign Off from companies who wish to undertake formal work to provide security assurance on their systems To set expectations on the difficulty in reporting vulnerabilties, I have had this with actual employers where some pretty serious stuff has been raised and people have sat on it for months from the likes of brand damage to even completely shutting down operations to support an annual £100m E-Com environment.
Ive found that Im often testing others applications for exploits and security holes, maybe just for curiosity". In the UK, we have the "Computer Misuse Act". Now if these applications you're proverbially "looking at" are say Internet based and the ISP's concerned can be bothered to investigate (for purely political motivations) then you're opening yourself up getting fingered.
Even doing the slightest "testing" unlesss you are the BBC is sufficient to get you convicted here. Even Penetration Test houses require Sign Off from companies who wish to undertake formal work to provide security assurance on their systems. To set expectations on the difficulty in reporting vulnerabilties, I have had this with actual employers where some pretty serious stuff has been raised and people have sat on it for months from the likes of brand damage to even completely shutting down operations to support an annual £100m E-Com environment.
3 Yepp I agree. The best idea is to steer away from this, and test locally. Thank you for a good response.
Basically I should just mind my own business, and leave the curiosity for other things. – Karrax Mar 23 '09 at 13:40.
I once reported a serious authentication vulnerability in a online audiobook store that allowed you to switch the account once you were logged in. I was wary too if I should report this. Because in Germany hacking is forbidden by law too.So I reported the vulnerability anonymously.
The answer was that although they couldn’t check this vulnerability by themselves as the software was maintained by the parent company they were glad for my report. Later I got a reply in that they confirmed the dangerousness of the vulnerability and that it was fixed now. And they wanted to thank me again for this security report and offered me an iPod and audiobook credits as a gift.
So I’m convinced that reporting a vulnerability is the right way.
2 Ok.. Thats very nice. I honestly think there should be alot more free and safe to test pages and applications for security flaws. Yes it is illegal to check if the door is open, but its better for a good guy to find it open, than a bad guy.
– Karrax Mar 20 '09 at 18:02 3 It's nice to get a good reaction, but not every company acts like this. Some just try to shoot the messenger to make the problem go away. – Jacco Mar 22 '09 at 12:55 2 Absolutely.
That’s why I contacted them anonymously in the first place. But the communication went friendly so I had no reason to stay anonymous. Later they even invited me to their company anniversary to meet me in person.
– Gumbo? Mar 22 '09 at 13:24 2 It could all have been a ruse to lure you in and put you in jail for meddling in their business. You're far too trusting.(Or maybe I've seen too many action series.) – Vinko Vrsalovic Oct 29 '10 at 20:59 1 Did you take the iPod?
– NikiC Nov 1 '10 at 20:48.
Informing the administrator is the best thing to do, but some companies just won't take unsolicited advice. They don't trust or don't believe the source. Some people would advise you to exploit the security flaw in a damaging way to draw their attention to the danger, but I would recommend against this, and it's possible that you could have serious consequences because of this.
Basically if you've informed them it's no longer your problem (not that it ever was in the first place). Another way to ensure you get their attention is to provide specific steps as to how it can be exploited. That way it will be easier for whomever recieves the email to verify it, and pass it on to the right people.
But at the end of the line, you owe them nothing, so anything you choose to do is sticking your neck out. Also, you could even create a new email address for yourself to use to alert the websites, because as you mentioned, some places it would be illegal to even verify the exploit, and some companies would choose to go after you instead of the security flaw.
1 Thanks, and yes, Ive already got another email I use for this business. – Karrax Mar 20 '09 at 17:53.
I usually contact the site administrator, although the response is almost ALWAYS "omg you broke my javascript page validation I'll sue you. " People just don't like to hear that their stuff is broken.
If it doesn't affect many users, then I think notifying the site administrators is the most you can be expected to do. If the exploit has widespread ramifications (like a Windows security exploit) then you should notify someone in a position to fix the problem, then give them time to fix it before you publish the exploit (if publishing it is your intention). A lot of people cry about exploit publication, but sometimes that's the only way to get a response.
Keep in mind that if you found an exploit, there's a high likelihood that someone with less altruistic intentions has found it and has started exploiting it already. Edit: Consult a lawyer before you publish anything that could damage a company's reputation.
I experienced the same like you. I once found an exploit in an oscommerce shop where you could download ebooks without paying. I wrote two mails: 1) Developers of oscommerce, they answered "Known issue, just don't use this paypal module, we won't fix" 2) Shop administrator: no answer at all Actually I have no idea what's the best way to behave ... maybe even publicate the exploit to force the admins to react.
Contact the administrator, not a business-type person. Generally the admin will be thankful for the notice, and the chance to fix the problem before something happens and he gets blamed for it. A higher-up, or the channels a customer service person is going to go through, are the channels where lawyers get involved.
I was part of a group of people who reported an issue we stumbled across on the NAS system at University. The admins were very grateful we found the hole and reported it, and argued with their bosses on our behalf (the people in charge wanted to crucify us).
2 Epic.. I would be grateful if someone told me that my car could be lock picked in 10 seconds, rather than him leaving me alone, and my car being stolen the day after – Karrax Mar 20 '09 at 18:32 1 We found it accidentally, even (didn't realize what we had found until we dug around a little; when we realized we pretty much could read... well... everything on the NAS, we decided to report it). It's like we found the car in the parking lot with the door wide open and the keys in the ignition. – Adam Jaskiewicz Mar 20 '09 at 18:41.
We informed the main developer about a sql injection vulnerability on their login page. Seriously, it's the classic '-- variety. You can't bypass the login, but you can easily execute arbitrary sql.
Still hasn't been fixed in 2 months! Not sure what to do now...no one else at my office really cares, which amazes me since we pay so much for every little upgrade and new feature. It also scares me when I think about the code quality and how much stock we are putting in this software.
1 It's time for johnny drop tables to login once an hour, on the hour. – Stefan Kendall Nov 11 '09 at 20:39 1 That would just make more work for our back-up/restore guys...lol. I can easily use google to find the same software with the same vulnerability open to the public.At least ours is on our intranet.
– dotjoe Nov 11 '09 at 21:36.
I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.