What should you do when coming across a publicly accessible security vulnerability?

Question

I was browsing and came across a rather back-end state-government site that's vulnerable to SQL injection. (Searching for a ' yielded an error, and I toyed around with it until I got a list of tables.)

I know the proper thing to do is to alert the webmaster of the problem, but I've had bad luck simply sending an email. I've done this two times prior. The first time I received a "Thanks" with the problem not being fixed. The second time I got back nothing. I would much prefer the problem fixed, as my own data could potentially be released.

What is the most effective and professional way to tell a third party that their website or software product has a security vulnerability? Especially when you have no professional contact with the company or organization whatsoever?

Answer 1

Showing them an example of the vulnerability that's a bit less harmful that dropping all their tables might get their attention. Try sending a link that displays an admin password for the site in plain text on the page.

Answer 2

Unfortunately, the "safe" answer is probably that you should consult a lawyer before doing anything. There have been a number of cases where something like this has happened, and someone in the responsibility chain for the site got into enough trouble / was embarrassed enough / was clueless enough over it that they lashed out at the person trying to report the problem. The end result was the person who was trying to be helpful and protect everyone's information was at least threatened with prosecution for hacking, and in some cases the state went through with it. Under some interpretations of federal law (not to mention variations in state laws), what you've described here has already crossed the threshold of legality. It'd really suck to try to bring this to their attention to get it fixed, and wind up in court yourself.

Answer 3

Hi David,

The 'right' thing to do here is obvious - get the point across to the person who can make something happen. I think we have an obligation to do good where we can, but that's me.

There is nothing wrong, I think, with contacting them via a phone call and explain to them the gravity of the situation. If the webmaster is blowing you off, bypass her/him and go up the chain - theoretically, the state works for you (assuming it is your state) and should be accountable to you.

Of course, letting them know that the newspaper is going to find out about how unsecure the website is might expedite the situation. No state agency wants some reporter writing something in the paper.

I do agree with Thomee though - you need to CYA on this because it could get you in trouble.