Security problems with personals website

Discussion in 'Computer Security' started by fellamelad, Apr 24, 2007.

  1. fellamelad

    fellamelad Guest

    I've discovered a very huge security hole in a personals website with
    well over a million subscribers. The site is extremely popular, and
    as it's a paid-subscription service they are more than likely making a
    fair bit of money from it.

    You would think that in such a situation, they would have fairly
    bullet-proof security - I'm no hacker, but have found out that just by
    changing one client-side cookie, I can have free access to a large
    amount of information on any subscriber of the site. With a bit more
    digging - but still not using any scripting or established hacking
    methods - I've found it's possible to uncover even more information
    and spoof any user's account.

    The question is: what do I do with this information? I've thought of
    approaching the site in question and telling them - but is there any
    way I can spin this whereby I could expect payment for giving them
    this information - without resorting to methods that could be
    interpreted as extortion and blackmail obviously... I have thought of
    approaching them as a security consultant (I am a web developer and
    some of my job is server administration)...

    Grateful for any feedback/advice.
    fellamelad, Apr 24, 2007
    #1
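    The class of bug described above, the server taking the visitor's identity straight from a client-editable cookie, shown beside the hardened form that binds an opaque random token to the account server-side. This is an added illustration, not code from the site or from anyone in the thread; the subscriber records, passwords and salt are constructed sample values.

    ```python
    import hashlib
    import hmac
    import secrets
    from typing import Optional

    # Constructed sample data for the example; nothing here is from any real site.
    SUBSCRIBERS = {
        "1001": {"name": "alice", "email": "alice@example.invalid"},
        "1002": {"name": "bob", "email": "bob@example.invalid"},
    }
    # Password verifiers (salted PBKDF2), constructed for the example.
    _SALT = b"example-salt-not-for-production"


    def _verifier(password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


    CREDENTIALS = {"1001": _verifier("alice-pw"), "1002": _verifier("bob-pw")}


    # --- Vulnerable pattern: identity read straight from a client cookie ---
    def vulnerable_private_profile(cookies: dict) -> Optional[dict]:
        """Serve the "my account" page for whoever the user_id cookie names.

        The cookie value is chosen by the client, so a cookie naming another
        subscriber's id returns that subscriber's private record. No credential
        is ever checked; this is the failure the thread describes.
        """
        user_id = cookies.get("user_id")
        return SUBSCRIBERS.get(user_id)


    # --- Hardened pattern: opaque token, identity resolved server-side ---
    class SessionStore:
        """Maps random session tokens to authenticated account ids."""

        def __init__(self) -> None:
            self._sessions: dict[str, str] = {}

        def login(self, user_id: str, password: str) -> Optional[str]:
            """Return a fresh session token only if the credentials check out."""
            expected = CREDENTIALS.get(user_id)
            if expected is None or not hmac.compare_digest(expected, _verifier(password)):
                return None
            token = secrets.token_urlsafe(32)  # unguessable, encodes no identity
            self._sessions[token] = user_id
            return token

        def private_profile(self, cookies: dict) -> Optional[dict]:
            """Serve the "my account" page for the account bound to the session.

            The cookie no longer says who the user is; the server does. A
            token that was edited, guessed or invented maps to nothing.
            """
            user_id = self._sessions.get(cookies.get("session", ""))
            if user_id is None:
                return None  # unknown or tampered token: deny
            return SUBSCRIBERS.get(user_id)


    def demo() -> tuple:
        """Run both patterns against an edited cookie and return the outcomes."""
        # Vulnerable app: a cookie naming account 1001 is enough to read it.
        leaked = vulnerable_private_profile({"user_id": "1001"})

        # Hardened app: bob logs in, then his cookie is edited in two ways.
        store = SessionStore()
        bob_token = store.login("1002", "bob-pw")
        own = store.private_profile({"session": bob_token})
        tampered = store.private_profile({"session": bob_token[:-1] + "x"})
        forged = store.private_profile({"session": "1001"})
        return leaked, own, tampered, forged


    if __name__ == "__main__":
        leaked, own, tampered, forged = demo()
        print("vulnerable:", leaked)            # alice's record, no credentials needed
        print("hardened, own session:", own)    # bob's own record
        print("hardened, edited cookie:", tampered, forged)  # None None
    ```

    The same defect can also be closed statelessly by HMAC-signing the cookie with a server-only key, but the server-side mapping above is the simpler check to audit.
    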

  2. From: "fellamelad" <>

    | I've discovered a very huge security hole in a personals website with
    | well over a million subscribers. The site is extremely popular, and
    | as it's a paid-subscription service they are more than likely making a
    | fair bit of money from it.

    | You would think that in such a situation, they would have fairly
    | bullet-proof security - I'm no hacker, but have found out that just by
    | changing one client-side cookie, I can have free access to a large
    | amount of information on any subscriber of the site. With a bit more
    | digging - but still not using any scripting or established hacking
    | methods - I've found it's possible to uncover even more information
    | and spoof any user's account.

    | The question is: what do I do with this information? I've thought of
    | approaching the site in question and telling them - but is there any
    | way I can spin this whereby I could expect payment for giving them
    | this information - without resorting to methods that could be
    | interpreted as extortion and blackmail obviously... I have thought of
    | approaching them as a security consultant (I am a web developer and
    | some of my job is server administration)...

    | Grateful for any feedback/advice.


    Contact the admin/webmaster and tell the truth about what you found.
    Do NOT ask for compensation!

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Apr 24, 2007
    #2

  3. fellamelad

    Leythos Guest

    On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
    >
    > The question is: what do I do with this information? I've thought of
    > approaching the site in question and telling them - but is there any way
    > I can spin this whereby I could expect payment for giving them this
    > information


    You already know what to do with the information - alert them immediately.

    As for the rest, you appear to want to hack sites to make a buck - that's
    unethical. If you were not requested to attempt to hack their site then
    you are being unethical in doing so.

    --
    Leythos
    Igitur qui desiderat pacem, praeparet bellum.
    (remove 999 for proper email address)
    Leythos, Apr 24, 2007
    #3
  4. fellamelad

    Sebastian G. Guest

    fellamelad wrote:

    > I've discovered a very huge security hole in a personals website with
    > well over a million subscribers. The site is extremely popular, and
    > as it's a paid-subscription service they are more than likely making a
    > fair bit of money from it.
    >
    > You would think that in such a situation, they would have fairly
    > bullet-proof security - I'm no hacker, but have found out that just by
    > changing one client-side cookie, I can have free access to a large
    > amount of information on any subscriber of the site. With a bit more
    > digging - but still not using any scripting or established hacking
    > methods - I've found it's possible to uncover even more information
    > and spoof any user's account.
    >
    > The question is: what do I do with this information? I've thought of
    > approaching the site in question and telling them - but is there any
    > way I can spin this whereby I could expect payment for giving them
    > this information - without resorting to methods that could be
    > interpreted as extortion and blackmail obviously... I have thought of
    > approaching them as a security consultant (I am a web developer and
    > some of my job is server administration)...
    >
    > Grateful for any feedback/advice.



    The easiest way is to not care for the money, give them some time to fix it
    and then, whether they already fixed it or not, publish it. At best you
    publish just one vulnerability and keep the other for yourself, this usually
    turns out to be a good defense in case they ever dare to sue you.

    BTW, depending on the website, they might just accept that it is a
    vulnerability, but never fix it. See for example eBay.
    Sebastian G., Apr 24, 2007
    #4
  5. fellamelad

    nemo_outis Guest

    fellamelad <> wrote in
    news::

    > I've discovered a very huge security hole in a personals website with
    > well over a million subscribers. The site is extremely popular, and
    > as it's a paid-subscription service they are more than likely making a
    > fair bit of money from it.
    >
    > You would think that in such a situation, they would have fairly
    > bullet-proof security - I'm no hacker, but have found out that just by
    > changing one client-side cookie, I can have free access to a large
    > amount of information on any subscriber of the site. With a bit more
    > digging - but still not using any scripting or established hacking
    > methods - I've found it's possible to uncover even more information
    > and spoof any user's account.
    >
    > The question is: what do I do with this information? I've thought of
    > approaching the site in question and telling them - but is there any
    > way I can spin this whereby I could expect payment for giving them
    > this information - without resorting to methods that could be
    > interpreted as extortion and blackmail obviously... I have thought of
    > approaching them as a security consultant (I am a web developer and
    > some of my job is server administration)...
    >
    > Grateful for any feedback/advice.
    >


    Discretion is required. The following is only the skeleton - the actual
    conversation should be even more oblique. I recommend phone rather than
    letter since their recording the conversation would be illegal without
    your consent [in the US, not necessarily in other jurisdictions].

    You inform them that in the course of using their services you have
    "stumbled upon" [i.e., no intimation of hacking] several major
    vulnerabilities on their site. You indicate that you feel these are
    serious and should be fixed and that - ahem! - you would be willing to
    work with them to correct the problems. If they wish to pursue this
    approach you would be pleased to discuss mutually satisfactory
    arrangements. In any case, you will, of course, disclose the nature of
    the problems to them but your heavy commitments to other projects may
    constrain the amount of time and level of detail you can provide.

    You further explain that you feel you also have a duty to protect other
    users of the service and will disclose the general nature of the
    vulnerabilities publicly, but, of course, only after the service provider
    has had a reasonable opportunity to correct the problems. [I'll leave it
    to you whether to mention a specific timeline or leave it open-ended.]

    Regards,

    PS You are not only freely providing information to them about major
    problems but also graciously offering to help them fix the problems in a
    cooperative manner. There's no coercion or extortion or threats.

    [You can hardly be expected to provide your services for nothing,
    however. They'd have to be fools not to get the message, but it must be
    sufficiently low-key that they don't feel they have been squeezed. It's a
    fine line and you must be skillful to avoid crossing over into extortion.
    At best, however, I give your chances of getting a contract out of this -
    as opposed to, say, three months free use of the service - at about 20%.
    If you're clumsy you could be looking at civil or criminal proceedings.
    Is the game worth the candle?]
    nemo_outis, Apr 24, 2007
    #5
  6. fellamelad

    Unruh Guest

    Leythos <> writes:

    >On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
    >>
    >> The question is: what do I do with this information? I've thought of
    >> approaching the site in question and telling them - but is there any way
    >> I can spin this whereby I could expect payment for giving them this
    >> information


    >You already know what to do with the information - alert them immediately.


    >As for the rest, you appear to want to hack sites to make a buck - that's
    >unethical. If you were not requested to attempt to hack their site then
    >you are being unethical in doing so.


    Nuts. He did not "hack their site" if what he said was true. He changed
    something on his OWN computer, which caused the far side to divulge info.
    Yours is the standard establishment position of whistle blowers-- they did
    not follow protocol. If his description is correct, then ethically he
    should report it, not only to the establishment but also to CERT. And if
    they have not fixed it in some short period of time, report it to the
    community.
    As for compensation, that is trickier. Ethically they should compensate
    him. It is through his efforts that a security flaw has been discovered.
    But legally it is pretty dicey. And attempts to "extort" money from them
    would cross the legal line.
    Unruh, Apr 24, 2007
    #6
  7. fellamelad

    Unruh Guest

    "nemo_outis" <> writes:

    >fellamelad <> wrote in
    >news::



    >Discretion is required. The following is only the skeleton - the actual
    >conversation should be even more oblique. I recommend phone rather than
    >letter since their recording the conversation would be illegal without
    >your consent [in the US, not necessarily in other jurisdictions].


    Uh, no I do not think so. At least one of the participants in the
    conversation must give consent, but I do not think both need to.


    >You inform them that in the course of using their services you have
    >"stumbled upon" [i.e., no intimation of hacking] several major
    >vulnerabilities on their site. You indicate that you feel these are
    >serious and should be fixed and that - ahem! - you would be willing to
    >work with them to correct the problems. If they wish to pursue this
    >approach you would be pleased to discuss mutually satisfactory
    >arrangements. In any case, you will, of course, disclose the nature of
    >the problems to them but your heavy commitments to other projects may
    >constrain the amount of time and level of detail you can provide.


    >You further explain that you feel you also have a duty to protect other
    >users of the service and will disclose the general nature of the
    >vulnerabilities publicly, but, of course, only after the service provider
    >has had a reasonable opportunity to correct the problems. [I'll leave it
    >to you whether to mention a specific timeline or leave it open-ended.]


    >Regards,


    >PS You are not only freely providing information to them about major
    >problems but also graciously offering to help them fix the problems in a
    >cooperative manner. There's no coercion or extortion or threats.


    >[You can hardly be expected to provide your services for nothing,
    >however. They'd have to be fools not to get the message, but it must be
    >sufficiently low-key that they don't feel they have been squeezed. It's a
    >fine line and you must be skillful to avoid crossing over into extortion.
    >At best, however, I give your chances of getting a contract out of this -
    >as opposed to, say, three months free use of the service - at about 20%.
    >If you're clumsy you could be looking at civil or criminal proceedings.
    >Is the game worth the candle?]



    In this case I would suggest talking to a lawyer about it.
    When you play on the edges of the law, it is best to know exactly where
    that edge is, rather than guess.
    Unruh, Apr 24, 2007
    #7
  8. fellamelad

    nemo_outis Guest

    Unruh <> wrote in
    news:CkqXh.22516$j%5.15569@edtnps90:

    > "nemo_outis" <> writes:
    >
    >>fellamelad <> wrote in
    >>news::

    >
    >
    >>Discretion is required. The following is only the skeleton - the
    >>actual conversation should be even more oblique. I recommend phone
    >>rather than letter since their recording the conversation would be
    >>illegal without your consent [in the US, not necessarily in other
    >>jurisdictions].

    >
    > Uh, no I do not think so. At least one of the participants in the
    > conversation must give consent, but I do not think both need to.


    Under US federal law only one party must consent. Twelve states require
    consent from both parties (continued participation in the conversation
    after being informed is generally construed as consent). One handy (but
    not authoritative) synopsis (of many):

    United States Telephone Recording Laws
    http://www.callcorder.com/phone-recording-law-america.htm



    >>You inform them that in the course of using their services you have
    >>"stumbled upon" [i.e., no intimation of hacking] several major
    >>vulnerabilities on their site. You indicate that you feel these are
    >>serious and should be fixed and that - ahem! - you would be willing to
    >>work with them to correct the problems. If they wish to pursue this
    >>approach you would be pleased to discuss mutually satisfactory
    >>arrangements. In any case, you will, of course, disclose the nature
    >>of the problems to them but your heavy commitments to other projects
    >>may constrain the amount of time and level of detail you can provide.

    >
    >>You further explain that you feel you also have a duty to protect
    >>other users of the service and will disclose the general nature of the
    >>vulnerabilities publicly, but, of course, only after the service
    >>provider has had a reasonable opportunity to correct the problems.
    >>[I'll leave it to you whether to mention a specific timeline or leave
    >>it open-ended.]

    >
    >>Regards,

    >
    >>PS You are not only freely providing information to them about major
    >>problems but also graciously offering to help them fix the problems in
    >>a cooperative manner. There's no coercion or extortion or threats.

    >
    >>[You can hardly be expected to provide your services for nothing,
    >>however. They'd have to be fools not to get the message, but it must
    >>be sufficiently low-key that they don't feel they have been squeezed.
    >>It's a fine line and you must be skillful to avoid crossing over into
    >>extortion. At best, however, I give your chances of getting a
    >>contract out of this - as opposed to, say, three months free use of
    >>the service - at about 20%. If you're clumsy you could be looking at
    >>civil or criminal proceedings. Is the game worth the candle?]

    >
    >
    > In this case I would suggest talking to a lawyer about it.
    > When you play on the edges of the law, it is best to know exactly
    > where that edge is, rather than guess.



    There are lawyers and there are lawyers. Some will take the conservative
    path of caution, others will encourage their clients not only to skirt
    close to the line but to cross over it. Nor are such "adventurous"
    lawyers necessarily confined to seedy strip-malls: Alberto Gonzales told
    Bush he could torture, disregard FISA....

    Regards,
    nemo_outis, Apr 24, 2007
    #8
  9. fellamelad

    kurt wismer Guest

    Unruh wrote:
    > Leythos <> writes:
    >
    >> On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
    >>> The question is: what do I do with this information? I've thought of
    >>> approaching the site in question and telling them - but is there any way
    >>> I can spin this whereby I could expect payment for giving them this
    >>> information

    >
    >> You already know what to do with the information - alert them immediately.

    >
    >> As for the rest, you appear to want to hack sites to make a buck - that's
    >> unethical. If you were not requested to attempt to hack their site then
    >> you are being unethical in doing so.

    >
    > Nuts. He did not "hack their site" if what he said was true.


    if he tested what he claims is possible then he most certainly did
    'hack' their site... the confidentiality of the information in any
    accounts he accessed has been compromised regardless of whether he made
    any server side changes...

    it is essentially equivalent to a pen-test without permission (and
    pen-testers most certainly can get in deep trouble if they don't first
    get permission)... if he's going to report it then he might want to
    consider doing so anonymously (which more or less precludes compensation)...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"
    kurt wismer, Apr 25, 2007
    #9
  10. fellamelad

    Sebastian G. Guest

    kurt wismer wrote:

    > if he tested what he claims is possible then he most certainly did
    > 'hack' their site... the confidentiality of the information in any
    > accounts he accessed has been compromised regardless of whether he made
    > any server side changes...



    Fine. What would it be like if this happened accidentally? From a technical
    point of view, you couldn't tell the difference at all.

    > it is essentially equivalent to a pen-test without permission (and


    > pen-testers most certainly can get in deep trouble if they don't first
    > get permission)...



    Besides that sending to the server whatever you want is definitely not a
    penetration fact, the triviality of the case totally rules it out.
    Sebastian G., Apr 25, 2007
    #10
  11. fellamelad

    Unruh Guest

    kurt wismer <> writes:

    >Unruh wrote:
    >> Leythos <> writes:
    >>
    >>> On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
    >>>> The question is: what do I do with this information? I've thought of
    >>>> approaching the site in question and telling them - but is there any way
    >>>> I can spin this whereby I could expect payment for giving them this
    >>>> information

    >>
    >>> You already know what to do with the information - alert them immediately.

    >>
    >>> As for the rest, you appear to want to hack sites to make a buck - that's
    >>> unethical. If you were not requested to attempt to hack their site then
    >>> you are being unethical in doing so.

    >>
    >> Nuts. He did not "hack their site" if what he said was true.


    >if he tested what he claims is possible then he most certainly did
    >'hack' their site... the confidentiality of the information in any
    >accounts he accessed has been compromised regardless of whether he made
    >any server side changes...


    Nuts. You are attempting to subvert the meaning of the term to make it
    meaningless. IF they set up their system so incompetently that a minor
    change in the cookie reveals all, then he did not hack their site. They
    revealed it. Next you will tell us that we hack your site if you are stupid
    enough to post your credit card on your web site and we use your url to
    look at your web site.

    The result of his actions say nothing about what his actions were. That his
    actions revealed confidential information is not the definition of hacking.



    >it is essentially equivalent to a pen-test without permission (and
    >pen-testers most certainly can get in deep trouble if they don't first
    >get permission)... if he's going to report it then he might want to
    >consider doing so anonymously (which more or less precludes compensation)...


    Whatever a pen test is.


    >--
    >"it's not the right time to be sober
    >now the idiots have taken over
    >spreading like a social cancer,
    >is there an answer?"
    Unruh, Apr 25, 2007
    #11
  12. fellamelad

    ArtDent Guest

    On 25-Apr-2007, Unruh <> wrote:

    > Whatever a pen test is.


    Oooh. Oooh. I know this one!
    Penetration test.
    Checking to see if you can penetrate a system.

    --
    I am not a complete idiot.
    Parts are missing.
    ArtDent, Apr 25, 2007
    #12
  13. fellamelad

    Rick Merrill Guest

    Unruh wrote:
    > kurt wismer <> writes:
    >
    >> Unruh wrote:
    >>> Leythos <> writes:
    >>>
    >>>> On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
    >>>>> The question is: what do I do with this information? I've thought of
    >>>>> approaching the site in question and telling them - but is there any way
    >>>>> I can spin this whereby I could expect payment for giving them this
    >>>>> information
    >>>> You already know what to do with the information - alert them immediately.
    >>>> As for the rest, you appear to want to hack sites to make a buck - that's
    >>>> unethical. If you were not requested to attempt to hack their site then
    >>>> you are being unethical in doing so.
    >>> Nuts. He did not "hack their site" if what he said was true.

    >
    >> if he tested what he claims is possible then he most certainly did
    >> 'hack' their site... the confidentiality of the information in any
    >> accounts he accessed has been compromised regardless of whether he made
    >> any server side changes...

    >
    > Nuts. You are attempting to subvert the meaning of the term to make it
    > meaningless. IF they set up their system so incompetently that a minor
    > change in the cookie reveals all, then he did not hack their site. They
    > revealed it. Next you will tell us that we hack your site if you are stupid
    > enough to post your credit card on your web site and we use your url to
    > look at your web site.
    >
    > The result of his actions say nothing about what his actions were. That his
    > actions revealed confidential information is not the definition of hacking.


    Nice debate, but horseshit nonetheless. The level of difficulty does not
    change the definition of hacking.
    Rick Merrill, Apr 25, 2007
    #13
  14. In article <>, fellamelad <> wrote:

    > I've discovered a very huge security hole in a personals website with
    > well over a million subscribers. The site is extremely popular, and
    > as it's a paid-subscription service they are more than likely making a
    > fair bit of money from it.
    >
    > You would think that in such a situation, they would have fairly
    > bullet-proof security - I'm no hacker, but have found out that just by
    > changing one client-side cookie, I can have free access to a large
    > amount of information on any subscriber of the site. With a bit more
    > digging - but still not using any scripting or established hacking
    > methods - I've found it's possible to uncover even more information
    > and spoof any user's account.
    >
    > The question is: what do I do with this information? I've thought of
    > approaching the site in question and telling them - but is there any
    > way I can spin this whereby I could expect payment for giving them
    > this information - without resorting to methods that could be
    > interpreted as extortion and blackmail obviously... I have thought of
    > approaching them as a security consultant (I am a web developer and
    > some of my job is server administration)...
    >
    > Grateful for any feedback/advice.
    >


    I would forget about getting any money for this.

    If you report it and ask for money in any way you are likely to have to spend money defending yourself against charges of hacking or unauthorized access.

    If you want to be a good citizen then report it anonymously using remailers, otherwise forget about it.

    IANAL,

    Just my $0.02 worth.
    George Orwell, Apr 26, 2007
    #14
  15. fellamelad

    Sebastian G. Guest

    George Orwell wrote:

    > If you report it and ask for money in any way you are likely to have to
    > spend money defending yourself against charges of hacking



    "hacking" is no crime. He also didn't get involved in any crime related to
    hacking.

    > or unauthorized access.



    He was authorized, obviously, and that's the problem.
    Sebastian G., Apr 26, 2007
    #15
  16. In article <>, Sebastian G. <> wrote:

    > George Orwell wrote:
    >
    > > If you report it and ask for money in any way you are likely to have to
    > > spend money defending yourself against charges of hacking

    >
    >
    > "hacking" is no crime. He also didn't get involved in any crime related to
    > hacking.
    >
    > > or unauthorized access.

    >
    >
    > He was authorized, obviously, and that's the problem.


    Crime or not is meaningless.

    If the OP reports the problem to the personals website, somebody there is going to look real stupid. They will most likely react by shooting the messenger "We have been hacked! A crime has been committed!"

    Local clueless LEA will believe the owners of the personals website instead of the guy reporting the problem. The guy will at least be questioned if not worse & he will have to try to prove he didn't commit a crime.

    Or do you really think the site owner will say, "Look how this guy made us look stupid, let's give him some money"?
    George Orwell, Apr 27, 2007
    #16
  17. fellamelad

    Sebastian G. Guest

    George Orwell wrote:

    > If the OP reports the problem to the personals website, somebody there is
    > going to look real stupid. They will most likely react by shooting the
    > messenger "We have been hacked! A crime has been committed!"



    That's why I suggested to only disclose one of the vulnerabilities.
    If they try to sue, just tell'em that you have something more and provide
    the other vulnerability - they'll shut up soon.
    (dunno if you're familiar with the phrase "having a well-filled poison cabinet")

    > Local clueless LEA will believe the owners of the personals website
    > instead of the guy reporting the problem.



    That's what technical experts are for. In fact, you'd have good chances to
    shove the costs on the plaintiff.

    > Or do you really think the site owner will say, "Look how this guy made
    > us look stupid, let's give him some money"?


    At least in Europe it's actually quite a common practice to offer such
    people a short-term consultant contract which includes that they shall never
    disclose this information. Indeed this little investment is most often way
    less than the loss from actually being made to look stupid.
    Sebastian G., Apr 27, 2007
    #17
