Security problems with personals website
I've discovered a very huge security hole in a personals website with well over a million subscribers. The site is extremely popular, and as it's a paid-subscription service they are more than likely making a fair bit of money from it.

You would think that in such a situation, they would have fairly bullet-proof security - I'm no hacker, but have found out that just by changing one client-side cookie, I can have free access to a large amount of information on any subscriber of the site. With a bit more digging - but still not using any scripting or established hacking methods - I've found it's possible to uncover even more information and spoof any user's account.

The question is: what do I do with this information? I've thought of approaching the site in question and telling them - but is there any way I can spin this whereby I could expect payment for giving them this information - without resorting to methods that could be interpreted as extortion and blackmail obviously... I have thought of approaching them as a security consultant (I am a web developer and some of my job is server administration)...

Grateful for any feedback/advice.
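The flaw the original poster describes, a client-side cookie that the server treats as proof of who the caller is, is a standard authorization mistake rather than anything exotic. The following is an added illustration, not code from this thread or from the site being discussed: a minimal profile lookup written the vulnerable way beside a hardened version that keeps identity server-side behind an unguessable, HMAC-signed session id, checks that the caller is allowed to see the requested profile, and records rejected attempts so tampering shows up in a log. All names (profile_vulnerable, profile_hardened, login, SESSIONS, AUDIT) and the sample profile data are invented for the example.

```python
"""A user id in a cookie is not an authorization decision.

Two versions of the same 'show me a subscriber's profile' endpoint:
the first trusts the cookie, the second trusts only server-side state.
Added example; names and data are constructed, not from the thread.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data: private fields of two subscribers.
PROFILES: Dict[int, dict] = {
    1001: {"name": "Alice", "email": "alice@example.invalid", "billing": "card ending 4242"},
    1002: {"name": "Bob", "email": "bob@example.invalid", "billing": "card ending 1111"},
}


# --- Vulnerable pattern: the cookie *is* the identity. ---------------------
def profile_vulnerable(cookies: Dict[str, str]) -> Optional[dict]:
    """Treats a caller-controlled 'uid' cookie as proof of identity.

    Anyone who edits the cookie value is served that subscriber's record.
    """
    uid = int(cookies.get("uid", 0))
    return PROFILES.get(uid)


# --- Hardened pattern: opaque session id, identity lives server-side. -------
SERVER_KEY = secrets.token_bytes(32)   # constructed; a per-deployment secret
SESSIONS: Dict[str, int] = {}          # session id -> authenticated user id
AUDIT: List[str] = []                  # constructed stand-in for an audit log


def login(user_id: int) -> str:
    """After real authentication, mint an unguessable session id and sign it.

    The signature lets the server reject edited cookies before touching state;
    the random id means a forged cookie cannot name another user's session.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def _verify_cookie(value: str) -> Optional[int]:
    """Return the user id bound to a valid session cookie, else None."""
    sid, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        AUDIT.append(f"session cookie failed signature check: {sid[:8]}...")
        return None
    return SESSIONS.get(sid)


def profile_hardened(cookies: Dict[str, str], requested_uid: int) -> Optional[dict]:
    """Serve a profile only to its owner; log every denied request."""
    caller = _verify_cookie(cookies.get("session", ""))
    if caller is None:
        return None
    if requested_uid != caller:          # object-level authorization check
        AUDIT.append(f"user {caller} denied access to profile {requested_uid}")
        return None
    return PROFILES[requested_uid]


def demo() -> dict:
    """Exercise both handlers with a legitimate login and an edited cookie."""
    AUDIT.clear()
    alice_cookie = login(1001)
    # Constructed tampering: a cookie edited by hand in the browser.
    edited_uid_cookie = {"uid": "1002"}
    last = alice_cookie[-1]
    edited_session_cookie = {"session": alice_cookie[:-1] + ("1" if last == "0" else "0")}
    return {
        "vulnerable_leaks_other_user": profile_vulnerable(edited_uid_cookie) is PROFILES[1002],
        "hardened_serves_own_profile": profile_hardened({"session": alice_cookie}, 1001) is PROFILES[1001],
        "hardened_cross_user": profile_hardened({"session": alice_cookie}, 1002),
        "hardened_edited_cookie": profile_hardened(edited_session_cookie, 1002),
        "audit_entries": len(AUDIT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    for line in AUDIT:
        print("audit:", line)
```

The design point is that the cookie carries nothing the server has to believe: the random id is looked up, the HMAC is checked first so edited values never reach the lookup, and the handler still compares the caller against the requested object, since a valid session for Alice says nothing about whether she may read Bob. In a real deployment the session cookie would also be set with the HttpOnly, Secure and SameSite attributes and the audit lines would feed a real log.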
Re: Security problems with personals website
From: "fellamelad" <stevpowell@googlemail.com>
| I've discovered a very huge security hole in a personals website with
| well over a million subscribers. The site is extremely popular, and
| as it's a paid-subscription service they are more than likely making a
| fair bit of money from it.
| You would think that in such a situation, they would have fairly
| bullet-proof security - I'm no hacker, but have found out that just by
| changing one client-side cookie, I can have free access to a large
| amount of information on any subscriber of the site. With a bit more
| digging - but still not using any scripting or established hacking
| methods - I've found it's possible to uncover even more information
| and spoof any user's account.
| The question is: what do I do with this information? I've thought of
| approaching the site in question and telling them - but is there any
| way I can spin this whereby I could expect payment for giving them
| this information - without resorting to methods that could be
| interpreted as extortion and blackmail obviously... I have thought of
| approaching them as a security consultant (I am a web developer and
| some of my job is server administration)...
| Grateful for any feedback/advice.

Contact the admin/webmaster and tell the truth about what you found. Do NOT ask for compensation!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Re: Security problems with personals website
On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
>
> The question is: what do I do with this information? I've thought of
> approaching the site in question and telling them - but is there any way
> I can spin this whereby I could expect payment for giving them this
> information

You already know what to do with the information - alert them immediately.

As for the rest, you appear to want to hack sites to make a buck - that's unethical. If you were not requested to attempt to hack their site then you are being unethical in doing so.

--
Leythos
Igitur qui desiderat pacem, praeparet bellum.
spam999free@rrohio.com (remove 999 for proper email address)
Re: Security problems with personals website
fellamelad wrote:
> I've discovered a very huge security hole in a personals website with
> well over a million subscribers. The site is extremely popular, and
> as it's a paid-subscription service they are more than likely making a
> fair bit of money from it.
>
> You would think that in such a situation, they would have fairly
> bullet-proof security - I'm no hacker, but have found out that just by
> changing one client-side cookie, I can have free access to a large
> amount of information on any subscriber of the site. With a bit more
> digging - but still not using any scripting or established hacking
> methods - I've found it's possible to uncover even more information
> and spoof any user's account.
>
> The question is: what do I do with this information? I've thought of
> approaching the site in question and telling them - but is there any
> way I can spin this whereby I could expect payment for giving them
> this information - without resorting to methods that could be
> interpreted as extortion and blackmail obviously... I have thought of
> approaching them as a security consultant (I am a web developer and
> some of my job is server administration)...
>
> Grateful for any feedback/advice.

The easiest way is to not care for the money, give them some time to fix it and then, whether they already fixed it or not, publish it. At best you publish just one vulnerability and keep the other for yourself; this usually turns out to be a good defense in case they ever dare to sue you.

BTW, depending on the website, they might just accept that it is a vulnerability, but never fix it. See for example eBay.
Re: Security problems with personals website
fellamelad <stevpowell@googlemail.com> wrote in
news:1177407522.082025.202280@r30g2000prh.googlegroups.com:

> I've discovered a very huge security hole in a personals website with
> well over a million subscribers. The site is extremely popular, and
> as it's a paid-subscription service they are more than likely making a
> fair bit of money from it.
>
> You would think that in such a situation, they would have fairly
> bullet-proof security - I'm no hacker, but have found out that just by
> changing one client-side cookie, I can have free access to a large
> amount of information on any subscriber of the site. With a bit more
> digging - but still not using any scripting or established hacking
> methods - I've found it's possible to uncover even more information
> and spoof any user's account.
>
> The question is: what do I do with this information? I've thought of
> approaching the site in question and telling them - but is there any
> way I can spin this whereby I could expect payment for giving them
> this information - without resorting to methods that could be
> interpreted as extortion and blackmail obviously... I have thought of
> approaching them as a security consultant (I am a web developer and
> some of my job is server administration)...
>
> Grateful for any feedback/advice.
>

Discretion is required. The following is only the skeleton - the actual conversation should be even more oblique. I recommend phone rather than letter since their recording the conversation would be illegal without your consent [in the US, not necessarily in other jurisdictions].

You inform them that in the course of using their services you have "stumbled upon" [i.e., no intimation of hacking] several major vulnerabilities on their site. You indicate that you feel these are serious and should be fixed and that - ahem! - you would be willing to work with them to correct the problems. If they wish to pursue this approach you would be pleased to discuss mutually satisfactory arrangements.

In any case, you will, of course, disclose the nature of the problems to them but your heavy commitments to other projects may constrain the amount of time and level of detail you can provide. You further explain that you feel you also have a duty to protect other users of the service and will disclose the general nature of the vulnerabilities publicly, but, of course, only after the service provider has had a reasonable opportunity to correct the problems. [I'll leave it to you whether to mention a specific timeline or leave it open-ended.]

Regards,

PS You are not only freely providing information to them about major problems but also graciously offering to help them fix the problems in a cooperative manner. There's no coercion or extortion or threats.

[You can hardly be expected to provide your services for nothing, however. They'd have to be fools not to get the message, but it must be sufficiently low-key that they don't feel they have been squeezed. It's a fine line and you must be skillful to avoid crossing over into extortion. At best, however, I give your chances of getting a contract out of this - as opposed to, say, three months free use of the service - at about 20%. If you're clumsy you could be looking at civil or criminal proceedings. Is the game worth the candle?]
Re: Security problems with personals website
Leythos <Void@nowhere.lan> writes:
>On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
>>
>> The question is: what do I do with this information? I've thought of
>> approaching the site in question and telling them - but is there any way
>> I can spin this whereby I could expect payment for giving them this
>> information

>You already know what to do with the information - alert them immediately.

>As for the rest, you appear to want to hack sites to make a buck - that's
>unethical. If you were not requested to attempt to hack their site then
>you are being unethical in doing so.

Nuts. He did not "hack their site" if what he said was true. He changed something on his OWN computer, which caused the far side to divulge info. Yours is the standard establishment position on whistleblowers -- they did not follow protocol.

If his description is correct, then ethically he should report it, not only to the establishment but also to CERT. And if they have not fixed it in some short period of time, report it to the community.

As for compensation, that is trickier. Ethically they should compensate him. It is through his efforts that a security flaw has been discovered. But legally it is pretty dicey. And attempts to "extort" money from them would cross the legal line.
Re: Security problems with personals website
"nemo_outis" <abc@xyz.com> writes:
>fellamelad <stevpowell@googlemail.com> wrote in
>news:1177407522.082025.202280@r30g2000prh.googlegroups.com:

>Discretion is required. The following is only the skeleton - the actual
>conversation should be even more oblique. I recommend phone rather than
>letter since their recording the conversation would be illegal without
>your consent [in the US, not necessarily in other jurisdictions].

Uh, no I do not think so. At least one of the participants in the conversation must give consent, but I do not think both need to.

>You inform them that in the course of using their services you have
>"stumbled upon" [i.e., no intimation of hacking] several major
>vulnerabilities on their site. You indicate that you feel these are
>serious and should be fixed and that - ahem! - you would be willing to
>work with them to correct the problems. If they wish to pursue this
>approach you would be pleased to discuss mutually satisfactory
>arrangements. In any case, you will, of course, disclose the nature of
>the problems to them but your heavy commitments to other projects may
>constrain the amount of time and level of detail you can provide.
>You further explain that you feel you also have a duty to protect other
>users of the service and will disclose the general nature of the
>vulnerabilities publicly, but, of course, only after the service provider
>has had a reasonable opportunity to correct the problems. [I'll leave it
>to you whether to mention a specific timeline or leave it open-ended.]
>Regards,
>PS You are not only freely providing information to them about major
>problems but also graciously offering to help them fix the problems in a
>cooperative manner. There's no coercion or extortion or threats.
>[You can hardly be expected to provide your services for nothing,
>however. They'd have to be fools not to get the message, but it must be
>sufficiently low-key that they don't feel they have been squeezed. It's a
>fine line and you must be skillful to avoid crossing over into extortion.
>At best, however, I give your chances of getting a contract out of this -
>as opposed to, say, three months free use of the service - at about 20%.
>If you're clumsy you could be looking at civil or criminal proceedings.
>Is the game worth the candle?]

In this case I would suggest talking to a lawyer about it. When you play on the edges of the law, it is best to know exactly where that edge is, rather than guess.
Re: Security problems with personals website
Unruh <unruh-spam@physics.ubc.ca> wrote in
news:CkqXh.22516$j%5.15569@edtnps90:

> "nemo_outis" <abc@xyz.com> writes:
>
>>fellamelad <stevpowell@googlemail.com> wrote in
>>news:1177407522.082025.202280@r30g2000prh.googlegroups.com:
>
>
>>Discretion is required. The following is only the skeleton - the
>>actual conversation should be even more oblique. I recommend phone
>>rather than letter since their recording the conversation would be
>>illegal without your consent [in the US, not necessarily in other
>>jurisdictions].
>
> Uh, no I do not think so. At least one of the participants in the
> conversation must give consent, but I do not think both need to.

Under US federal law only one party must consent. Twelve states require consent from both parties (continued participation in the conversation after being informed is generally construed as consent). One handy (but not authoritative) synopsis (of many):

United States Telephone Recording Laws
http://www.callcorder.com/phone-reco...aw-america.htm

>>You inform them that in the course of using their services you have
>>"stumbled upon" [i.e., no intimation of hacking] several major
>>vulnerabilities on their site. You indicate that you feel these are
>>serious and should be fixed and that - ahem! - you would be willing to
>>work with them to correct the problems. If they wish to pursue this
>>approach you would be pleased to discuss mutually satisfactory
>>arrangements. In any case, you will, of course, disclose the nature
>>of the problems to them but your heavy commitments to other projects
>>may constrain the amount of time and level of detail you can provide.
>
>>You further explain that you feel you also have a duty to protect
>>other users of the service and will disclose the general nature of the
>>vulnerabilities publicly, but, of course, only after the service
>>provider has had a reasonable opportunity to correct the problems.
>>[I'll leave it to you whether to mention a specific timeline or leave
>>it open-ended.]
>
>>Regards,
>
>>PS You are not only freely providing information to them about major
>>problems but also graciously offering to help them fix the problems in
>>a cooperative manner. There's no coercion or extortion or threats.
>
>>[You can hardly be expected to provide your services for nothing,
>>however. They'd have to be fools not to get the message, but it must
>>be sufficiently low-key that they don't feel they have been squeezed.
>>It's a fine line and you must be skillful to avoid crossing over into
>>extortion. At best, however, I give your chances of getting a
>>contract out of this - as opposed to, say, three months free use of
>>the service - at about 20%. If you're clumsy you could be looking at
>>civil or criminal proceedings. Is the game worth the candle?]
>
>
> In this case I would suggest talking to a lawyer about it.
> When you play on the edges of the law, it is best to know exactly
> where that edge is, rather than guess.

There are lawyers and there are lawyers. Some will take the conservative path of caution, others will encourage their clients not only to skirt close to the line but to cross over it. Nor are such "adventurous" lawyers necessarily confined to seedy strip-malls: Alberto Gonzales told Bush he could torture, disregard FISA....

Regards,
Re: Security problems with personals website
Unruh wrote:
> Leythos <Void@nowhere.lan> writes:
>
>> On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
>>> The question is: what do I do with this information? I've thought of
>>> approaching the site in question and telling them - but is there any way
>>> I can spin this whereby I could expect payment for giving them this
>>> information
>
>> You already know what to do with the information - alert them immediately.
>
>> As for the rest, you appear to want to hack sites to make a buck - that's
>> unethical. If you were not requested to attempt to hack their site then
>> you are being unethical in doing so.
>
> Nuts. He did not "hack their site" if what he said was true.

if he tested what he claims is possible then he most certainly did 'hack' their site... the confidentiality of the information in any accounts he accessed has been compromised regardless of whether he made any server side changes...

it is essentially equivalent to a pen-test without permission (and pen-testers most certainly can get in deep trouble if they don't first get permission)...

if he's going to report it then he might want to consider doing so anonymously (which more or less precludes compensation)...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer, is there an answer?"
Re: Security problems with personals website
kurt wismer wrote:
> if he tested what he claims is possible then he most certainly did
> 'hack' their site... the confidentiality of the information in any
> accounts he accessed has been compromised regardless of whether he made
> any server side changes...

Fine. What would it be like if this happened accidentally? From a technical point of view, you couldn't differ at all.

> it is essentially equivalent to a pen-test without permission (and
> pen-testers most certainly can get in deep trouble if they don't first
> get permission)...

Beside that sending to the server whatever you want is definitely not a penetration fact, the triviality of the case totally rules it out.