An honest security ethics nondisclosure question i need help with.

Question

3 years ago I did a security audit for a large ecommerce website. When the audit was preformed I found several severe security issues that allow for access to data that should not be accessible after a transaction is completed. On this site there are several major risks. First you can see orders coming through the system real time; all transactions are processed manually by this company. If you view a transaction you can see name, address and shipping destination. I see 2 abuse points here, 1 – you can simply edit the ship to address and have the shipment sent to yourself, and 2 – you can call the user right as the order was placed and do a “phone conformation” to gain access simply to the cc info with basic social engineering.

You can also with a little more work dump the cc info and order id numbers and then simply match up the order id and user info. This is all by using exposed functions on their site and modifying a couple values. Yes im being vague for a reason.

The marketing director at this company was warned about these risks 3 years ago and has done nothing to correct them. I don’t doubt if I can find this others can. This site does 88K transactions per year and has all orders ever processed still in data and accessible.

so the ethical question… what do I do? My company doesn’t care… so I can’t get help there. If I contact the marketing guy he will just continue to cover his ass and the asses of there incompetent internal development team (cold fusion). Do I contact someone higher up? Do I go around my company? Do I just mine the data and sell it to a competitor minus the cc info? What do I do knowing this? Its nagging at me and I cant let it go. This is only one of many sites I know of, but the ease of access and high traffic makes me ponder a lot on this.

Thanks in advance Cranial-capacity=Null

Answer 1

There are two schools of thought: responsible disclosure, and full disclosure. But, if you did it on your companies time (the assessment) then I think you are strictly bound to not disclose publically.

Answer 2

The practical apporach, you have found the security holes and warned them. If they don't want to fix them, that's their business.

Maybe the marketing director is not the right person to deal with this information. You can try to use your diplomatic skills and contact upper management. But don't blame anybody. Because this will backfire.

I wouldn't sell anything to a competitor because that would certainly give you lots of trouble.

Answer 3

From the regular customer point of view, I think the degree of customer care in this company should go public. They really don't care about any holes that might disclose customers private data. So, they must really be punished. But revealing the holes will damage not only them, but their customers.

If you were paid for security audit, you have an ethical right neither to publish information about something you found nor use it in any way. Who will trust security expert revealing what he has found even years after? I think there is nothing you can do.

Answer 4

I'd chalk up the first such incident as your learning experience. You and the client (and your management) hadn't clarified the bounds of your responsibility.

I think your real question is "How do I prevent this from happening again?"

Answer 5

I've faced a similar scenario in the past. Although I stumbled across the hole rather than being paid to perform a pen test or security audit.

I was seriously tempted to post details to our state newspapers and then the full-disclosure mailing list (along with the government contacts) when no action was taken after 2 years, but decided that the data was just too risky to expose to (potentially) malicious people.

Hard choice though.

Answer 6

If it's a private organisation and you believe you've fulfilled the terms of your contract with them, I'd say you've done all you can.

If however it's an organisation that receives public funding in any way, I'd suggest giving them one more chance and then going to the (tech) press.

Answer 7

Find the right person inside the company.

If there isn't a right person get an audience with the highest-up you can and explain the problem in a few simple non-technical sentences.

"Every single customer who has ever used this services information can be stolen today, right now, by a semi-knowledgeable person. I put the chance of this happening at %50 in the next year. If/when this happens it will cost 5mil in lawsuits, 1mil in overtime, n million in reputation, n million in future lost customers/orders".

That has worked for me in the past and if you do that you will have tried your best to do the right thing.