tags:

views:

1550

answers:

14
+37  Q: 

Found a critical bug, but the company doesn't care

I know several people who were in a situation like this.

Let's say, you were trying out random sites for basic XSS/SQL Injection vulnerabilities, and you've found one that could be easily compromised. You email the admin/webmaster, but they don't reply.

What would you do?

+4  A: 

Ignore it to avoid getting into legal trouble and avoid any products of that company on the ground of lack of care and professionalism would be one choice,

Posting it into TheDailyWTF Sidebar could also come to mind, but in todays world, that may cause legal backlash or at least annoyance.

Michael Stum  2008-08-04 23:37:44
+4  A: 

If it is a standalone website and not a product people can purchase/use then you've done all you can do. If it was a product or community website there are a few mailing lists you can submit a writeup to such as Bugtraq.

John Downey  2008-08-04 23:39:38
+5  A: 

Unless these companies were paying you to do it, I'd say you're already across the line. Why exactly would one be doing this?

Flubba  2008-08-04 23:57:53
Curiosity. Research into given vulnerabilities and their popularity in the wild. Concern for whether the data i hand the site will end up shared with the criminal world. That's just 3 reasons. And frankly, if i found it, someone else will too if they haven't already. The fact that the vulnerability is there at all should be more troubling than the fact that i found it *and reported it to you*, rather than taking advantage of it as most criminals would.
cHao  2010-08-02 22:11:14
+6  A: 

It depends, what is the nature of the site? If the sites customers are exposed to Identity Theft or similar horrific things, it is your duty to report the issue to outside authorities. The question is, how?

I would suggest contacting The Consumerist and demonstrating your exploit to them. They will bring enough media attention to the issue that the company will be forced to do something about it.

If on the other hand, it's a silly web forum for turtle lovers... well, if they don't care, move on to bigger and better things.

NotMyself  2008-08-05 00:04:15
+7  A: 

Sit on it.

I've been on the receiving end of such emails, and while we didn't reply to the original author, it did make us (the devs) and the management sit up be a bit more security aware, and the stuff did get fixed.

If not, what else can you do? Stay out of it... Someone will hack the site one day and maybe they'll start to care, but they won't be pointing the finger at you.

Orion Edwards  2008-08-05 00:44:42
+51  A: 

This one is easy:

  • DON'T GRATUITOUSLY TRY CRACKING OTHER PEOPLE'S SITES.

And if you're doing it now:

  • STOP IT, SHUT UP, and DON'T BRING ATTENTION TO YOURSELF.

You may find your helpfulness being repaid by facing criminal charges.

(sorry to shout, but even someone with the purest of motives can get caught up in lot of grief that might take months or years to unravel. I used to track down systems crackers at my old job, and once we determined an IP address/phone number/physical address we turned it over to the police to sort out.)

Mark Harrison  2008-08-05 01:10:57
If they find *basic* XSS or SQL injection problems on my internet banking website the last thing I want is for the discovery to remain secret. Anonymously making these problems known to the relevant authorities is the best option, NOT just ignoring it out of fear. Your shouting really makes you sound like someone who works for a company that owns a flawed website, rather than a customer or user that can be seriously affected by the security flaw.
Ash  2010-01-16 09:01:11
lol, you can glance at my profile to see where I work. Read my last sentence... I would track down people who were attempting to penetrate the system. What were their motives? I didn't know... we turned it over to the police to figure that out. Anybody who was probing our systems were I'm sure able to explain their good intentions to the detectives assigned to their case.
Mark Harrison  2010-01-16 11:25:03
The point is that XSS, SQL injection etc problems are often extremely simple to expose, and when found in security sensitive websites it is important that they be exposed. In the case of this question there is no "gratuitous hacking other peoples sites" going on. For example, I notice a query value in the website URL, try changing it and find I can access someone else information. I then email the website admin explaining the flaw. To say this act could land me with criminal charges is just laughable. Your shouting at people to just stop doing it, or else, is bluster.
Ash  2010-01-17 04:46:12
Since the example you give is hypothetical, I'm guessing you don't have any real experience with this. My advice is based on real experience tracking down systems crackers at my old job. I found 60 unique IP addresses who had gained access to the system, and correlated those to physical phone numbers using the ISP's RADIUS logs. That's the list we turned over to the police. I sincerely hope anybody who was just poking around for fun or with no bad intentions got into too much trouble over it. Thanks for the comments!
Mark Harrison  2010-01-17 07:52:44
@Ash I think it is important to remember that if you have to go to court over something, what constitutes 'ethical hacking' could confuse a jury of average people who are not programmers. If you did report a bug, I would hide your identity. Of course, I would agree that your example seems like a pretty minor thing to report, but it is still dangerous, especially if a lawyer can make you look like a hacker ninja in court ...
John Fischer  2010-09-08 20:16:28
@Luchaguate, If a legal system is so perverted that I could be convicted as a malicious hacker by simply changing a query-string parameter in the address bar of my web browser (and telling the company about it), it is a sick puppy indeed. It may be cultural, but this fear of lawyers is really very sad.
Ash  2010-09-09 02:52:16
@Mark, it certainly does sound like you've worked on plenty of systems that have been successfully hacked over the years. When it comes to hacked systems you obviously know what you're talking about. Just a suggestion though, perhaps you should give more consideration to what actually makes your systems vulnerable to "crackers", instead of worrying about threats and clever ways of tracking them down once they have been detected. This http://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site might be a good place to start.
Ash  2010-09-09 03:24:10
@Ash, if you look at my resume linked from my user page, you'll probably guess that my primary experience with system crackers was at my old job, when I was Chief Software Architect for the China Internet. With 300 million users and a physical infrastructure spanning 3.5 million sq km, I certainly did have lots of practice dealing with intruders, some successful, some not. I certainly couldn't identify the motives of those who were attempting to bypass security; I don't think you would have been able to either if you had been in my position. Be careful and good luck!
Mark Harrison  2010-09-10 01:01:43
@Ash Well I will consent that your specific example seems pretty safe.
John Fischer  2010-09-13 18:06:02
@Ash As to your comment about the legal system having to be pretty screwed up for that to happen, I would agree, I just think that the system IS pretty perverted. The media might make it look worse than it is, but I certainly hear about a lot of outrageous cases, some of them involve people I know in real life. In a world where Wal-mart can be sued because people fall when running from the security guards while stealing merchandise, it never hurts to be careful. Perverted? Yes.
John Fischer  2010-09-13 18:13:21
+21  A: 

I would not assume that a lack of a response meant that no action was being taken. If I was on the receiving end of that email, I would have two concerns. The obvious one is identifying and fixing the vulnerability in the code. The other concern is who is this guy and why is he trying to crack my site?

Would you walk down your street and try every door knob to verify that everyone had locked their door? Someone just trying random sites for security holes sounds suspicious just by the nature of his actions.

The last thing I would do would be to email him back. That would just encourage more cracking attempts. I don't know if I would turn over the email and IP address to the police. I think it would depend on the content of the email and what information I could find out about the sender. If the person who sent the email was a security specialist who had found out about a vulnerability by testing or by hearing about from someone else, I would reply back. The Sears security breach that Ben Edelman contacted Sears about is a good example of when acknowledgment should be sent.

Now if you had come across a vulnerability by normal usage of the site, then I think an acknowledgment of your email would be a common courtesy.

You also have to consider the severity of the vulnerability and how long it would take to fix it. If a consumer's privacy is being violated, it should be addressed immediately. If it's not a critical problem, the company will need to schedule time to investigate and address the issue.

If the problem was a serious breach of privacy and immediate action wasn't taken, I would go up the chain of command at that company. If it's a serious issue and you can communicate that effectively, someone at some level will take notice. If that fails, I would take it a consumer advocate group like the Consumerist or a well known security expert like Ben Edelman.

Chris Miller  2008-08-05 15:42:38
+16  A: 

Make sure you keep a record of your e-mail message(s). You might need it in court.

Stu  2008-08-05 16:10:21
+4  A: 

Not withstanding what's said above regarding your culpability in hi-lighting the exploit, but...

If the site is a commercial company, and if they have an online payment system (credit cards orders) then try emailing either the sales department or the "contact us" email address with your concerns. This should elicit at least some response (if clueless) from the organisation that you can build on.

If you still get no answer, then contacting the relevant consumer protection agency or their trade association. Ultimately, you can also contact a "white hat" security site (Secunica?) if you feel that the customer data is being put at risk.

Guy  2008-08-13 09:00:59
+6  A: 

I usually look for a way to contact developers or QA personnel and tell them instead. This is easier done when you're active in the developer community.

Sometimes admins/webmasters/whatever are actually helpdesk/marketing people who have little or no understanding of the vulnerability, or are otherwise loaded with so much work that they don't realize the gravity of such bugs.

Jon Limjap  2008-08-13 09:33:21
+5  A: 

If the website/product was developed on-top of a specific third party framework or library which may be at fault, I would report it to the third party, eg: Microsoft. If it's a bank, or a government website/applicaiton, there may be an appropriate government agency other than that which is hosting the application/site that you can report it to, eg: US-CERT.

Otherwise, finding a vulnerability in a framework/library I would report it to:

Your duty if the organization hosting the application fails to respond is to warn vulnerable users as best you can, and sharing the security risk and or implementations to exploit it only to the hosting organization, and reputable security researchers.

Chris  2008-08-25 15:20:11
+6  A: 

I once found myself in a similar situation. I emailed the company behind the site about the vulnerability, but got no response for several days. A few hours after going public (on my blog and forum) without disclosing the nature of the vulnerability it got fixed. The company went on to deny anything had ever went wrong.

Was it worth it? I'm certain it was, especially given the nature of the service that site has been providing (chances are you're a user).

Dmitry Shechtman  2008-08-30 08:52:39
+7  A: 

First off, I would notify them anonymously. Many people don't take criticism well, especially when it comes to security.

Secondly, I would ask myself how crucial the security issue is. If it's some random website, don't worry about it. Just let them be. They will either discover and fix the problem themselves, be exploited, or live in blissful ignorance of the situation. For most sites, it's not a big deal, and if they do get their database dropped they can always restore from a backup.

If it's your bank on the other hand, they have a responsibility to you as a customer, and you have every right to openly confront them about the issue. Just be polite and ask to be notified on how they plan to deal with it. Don't threaten to disclose the vulnerability; that will only piss them off. If they don't respond, contact the Better Business Bureau or the appropriate regulatory agency.

 2008-09-05 23:46:06
+4  A: 

Why would you be

trying out random sites for basic XSS/SQL Injection vulnerabilities

in the first place?

User  2009-04-23 15:15:16

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
PHP Session Security