How to inform about a website that it can be hacked?
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
If I wanted to tell them (and I wouldn't) I would just send an email to whatever contact I had. If you have screenshots, so much the better.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
aspnet_regiis -i wrote:
How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability .
If I was the owner of the website I'd give you free downloads for life for showing me the vulnerability :thumbsup:
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
I wish I remembered the article I read a few weeks (months) back. Basically, it was about a guy being charged for hacking because he changed the URL parameters when he visited a site. So, be careful with your decision. The laws are so strict and the punishments are so harsh now (e.g. Aaron Swartz) that I am even afraid to post anything on the web.
-
I wish I remembered the article I read a few weeks (months) back. Basically, it was about a guy being charged for hacking because he changed the URL parameters when he visited a site. So, be careful with your decision. The laws are so strict and the punishments are so harsh now (e.g. Aaron Swartz) that I am even afraid to post anything on the web.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
How about posting an anonymous letter with the details about the venerability , may be from a different state or something so that there won't be a trace. Still don't recommend anonymous emails because you never know that can be easily traceable through your IP Address. Thanks,
Ranjan.D
-
How about posting an anonymous letter with the details about the venerability , may be from a different state or something so that there won't be a trace. Still don't recommend anonymous emails because you never know that can be easily traceable through your IP Address. Thanks,
Ranjan.D
-
How about posting an anonymous letter with the details about the venerability , may be from a different state or something so that there won't be a trace. Still don't recommend anonymous emails because you never know that can be easily traceable through your IP Address. Thanks,
Ranjan.D
well, you could go through a proxy web service to a second proxy then to the web mail.... :-D
Beauty is in the eye of the beer-holder Be careful which toes you step on today, they might be connected to the foot that kicks your butt tomorrow. You can't scare me, I have children.
-
well, you could go through a proxy web service to a second proxy then to the web mail.... :-D
Beauty is in the eye of the beer-holder Be careful which toes you step on today, they might be connected to the foot that kicks your butt tomorrow. You can't scare me, I have children.
-
Thank you for the advice Ranjan :rose:... But after reading all the replies , I have come to a conclusion that honesty can get me killed... Why take chances? Let other people enjoy the free goods. Since those are digital good, it will never run out-of-stock...
-
well, you could go through a proxy web service to a second proxy then to the web mail.... :-D
Beauty is in the eye of the beer-holder Be careful which toes you step on today, they might be connected to the foot that kicks your butt tomorrow. You can't scare me, I have children.
-
If you're worried about potential repercussions, and you have acted in good faith, I would suggest that you should just create a one off email account, and then send them the details.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
Well they could still track his IP address. That said I'd think they'd be happy that he reported this to them.
Regards, Nish
My technology blog: voidnish.wordpress.com
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
You are probably right that you should be careful here. The webshop owner will forward this to the webshop creator and assuming they'll try anything to avoid a legal consequences themselves, they may try to sue you instead. A judge may not fully understand the difference between testing a website and "testing" if you could steal a car (even if someone left the keys in the ignition). So protecting your anonymity is probably advisable in this case.
.
-
Well they could still track his IP address. That said I'd think they'd be happy that he reported this to them.
Regards, Nish
My technology blog: voidnish.wordpress.com
I hesitated to mention that if he was so paranoid on it, he could visit a cyber-cafe to send the message.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
One option is to send your email via proxy. Not the internet kind but the classic kind. If you have a friend who lives out of state or even better out of the country, better yet a lawyer, just send your message to them and get them to copy and paste it into a new email, to trash the headers. That way your friend can honestly say it wasn't him but he is just informing them on behalf of another concerned friend of his/hers. This way your friend has absolutely no connection with the site, make sure they haven't purchased something from them before, and you are safe because your friend wouldn't tell them who you are ... even when their pulling your friends fingernails out. This even seems to be a little much because, as it was pointed out before, the website owner/developer will sure be happy someone pointed it out instead of posting the details online and costing them potentially thousands of dollars in lost sales.
Don't comment your code - it was hard to write, it should be hard to read!
-
I wish I remembered the article I read a few weeks (months) back. Basically, it was about a guy being charged for hacking because he changed the URL parameters when he visited a site. So, be careful with your decision. The laws are so strict and the punishments are so harsh now (e.g. Aaron Swartz) that I am even afraid to post anything on the web.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
aspnet_regiis -i wrote:
I have come to a conclusion that honesty can get me killed[^].
What in the heck kind of software are you downloading? Never mind... :~
It was broke, so I fixed it.
-
I hesitated to mention that if he was so paranoid on it, he could visit a cyber-cafe to send the message.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
What about the fingerprints he is going to left behind? I would suggest altering his fingers with an acid before that.
There is only one Vera Farmiga and Salma Hayek is her prophet! Advertise here – minimum three posts per day are guaranteed.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
aspnet_regiis -i wrote:
Will the website owner charge me with the offense of hacking since the goods I did not pay for
That would be pretty sad if they do. They should consider it damage control cost and be thankful that you saved their a**es.
I wasn't, now I am, then I won't be anymore.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
I saw something similar on a beverage company's website once. You gave them a username and password to log in. Once you did you saw &clientID=123 in the URL. By changing this you could see ANY of their other clients information and place orders for them. Does Bob in Connecticut need $1200 of french roast? Only one way to find out... :rolleyes:
Play my game Gravity: IOS[^], Android[^], Windows Phone 7[^]
-
aspnet_regiis -i wrote:
Will the website owner charge me with the offense of hacking since the goods I did not pay for
That would be pretty sad if they do. They should consider it damage control cost and be thankful that you saved their a**es.
I wasn't, now I am, then I won't be anymore.
