How to inform about a website that it can be hacked?
-
What about the fingerprints he is going to left behind? I would suggest altering his fingers with an acid before that.
There is only one Vera Farmiga and Salma Hayek is her prophet! Advertise here – minimum three posts per day are guaranteed.
And shaving his body so he doesn't leave hair behind; wouldn't want trace DNA coming back and biting him. Oh, and while he's at it, he should wear a mask to thwart video surveillance.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
-
I wish I remembered the article I read a few weeks (months) back. Basically, it was about a guy being charged for hacking because he changed the URL parameters when he visited a site. So, be careful with your decision. The laws are so strict and the punishments are so harsh now (e.g. Aaron Swartz) that I am even afraid to post anything on the web.
This? Somewhat similar to what you're talking about.
-
And shaving his body so he doesn't leave hair behind; wouldn't want trace DNA coming back and biting him. Oh, and while he's at it, he should wear a mask to thwart video surveillance.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
A mask will be highly suspicious, someone could call the authorities. A little face surgery, or temporally sex change, will be more appropriate given the circumstances.
There is only one Vera Farmiga and Salma Hayek is her prophet! Advertise here – minimum three posts per day are guaranteed.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
-
Well they could still track his IP address. That said I'd think they'd be happy that he reported this to them.
Regards, Nish
My technology blog: voidnish.wordpress.com
Nish Sivakumar wrote:
That said I'd think they'd be happy that he reported this to them.
In general that is unlikely to be true. One can suppose any number of corporate scenarios - Company bought the shopping cart software. - Company contracts via another company for a shopping cart site. - Large company with small in house development. - Company which contracted custom site. - Small company with large (compared to rest of company) development staff. I suspect that only the last would be happy about it.
-
Anonymous email can not be a foolproof solution since it can also be traced. Now after reading all these replies, I think it will be a waste of my hard earned money to send a international snail mail to a person who can get me sued..
aspnet_regiis -i wrote:
Anonymous email can not be a foolproof solution since it can also be traced.
Rather certain that is not true. There is of course a difference between annoymous email and just creating an email account and using ficticious registration information.
-
One option is to send your email via proxy. Not the internet kind but the classic kind. If you have a friend who lives out of state or even better out of the country, better yet a lawyer, just send your message to them and get them to copy and paste it into a new email, to trash the headers. That way your friend can honestly say it wasn't him but he is just informing them on behalf of another concerned friend of his/hers. This way your friend has absolutely no connection with the site, make sure they haven't purchased something from them before, and you are safe because your friend wouldn't tell them who you are ... even when their pulling your friends fingernails out. This even seems to be a little much because, as it was pointed out before, the website owner/developer will sure be happy someone pointed it out instead of posting the details online and costing them potentially thousands of dollars in lost sales.
Don't comment your code - it was hard to write, it should be hard to read!
Adam R Harris wrote:
That way your friend can honestly say it wasn't him but he is just informing them on behalf of another concerned friend of his/hers
Bad idea. At least in the US, if the friend fails to give you up then they are probably going to get a felony conviction.
Adam R Harris wrote:
the website owner/developer will sure be happy someone pointed it out
Wrong. There are many possible outcomes. Some possible ones but not a complete list follow. 1. Company reports it to authorities as hacking 2. Company ignores it 3. Company wants to fix it. And without any other information about the company one has no idea how they will take the news.
-
RedDK wrote:
US Postal Service ... no return address.
That can be safe but also risky depending on the company and location. If one does that then minimizing risk can include. - Do not hand write it. - Do not use ones own printer - Do not use a printer from a location that one frequently uses. - Do not post immediately after printing (to preclude video survellience from location.) - Do not mail locally (in a larger city driving across town is sufficient.) - Handle the paper, envelope and stamps with gloves (buy all new from a location not frequented.) - Do not lick the stamp/envelope.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
What a bunch of paranoid pansies posting here Send me the details & I will check it out and let them know. Or Just email them & tell them - assuming g you didn't download the entire server contents and that you don't hold the to ransom, the no odys going to sue anyone succesfully. I look at it like picking up so domes dropped wallet - are you too afraid to return it in case they think you stole it? Do the right thing!
MVVM# - See how I did MVVM my way ___________________________________________ Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
You have checked your credit card wasn't debited for l the downloads, have you? :)
MVVM# - See how I did MVVM my way ___________________________________________ Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
-
I wonder if anyone commenting here, is actually one of the developers of the site. :laugh:
-
What about the fingerprints he is going to left behind? I would suggest altering his fingers with an acid before that.
There is only one Vera Farmiga and Salma Hayek is her prophet! Advertise here – minimum three posts per day are guaranteed.
Deyan Georgiev wrote:
I would suggest altering his fingers with an acid before that.
after, surely!
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
How about a good old fashioned letter, as a concerned citizen. Preferably after obtaining some 'advice' from a local advice bureau, or friendly lawyer, so that you have documentary evidence of being being on the good side. Sending an email is just more proof of misuse of your computer :)
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
the last guy who did it was sued here in Brazil, but the case was dropped. you'd be better off leaving some authority in security know about it, I'm sure there are companies in your country who do penetration testing, they are your best bet. you can also find on the website of the brand developer, if it is a site developed by a consultant, they probably left the contact at some point ... the consultancy for sure would be happy if you take the case to them and not the customer.
I'm brazilian and english (well, human languages in general) aren't my best skill, so, sorry by my english. (if you want we can speak in C# or VB.Net =p)
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
Just tell them. If you get an ungrateful response, you can hammer the Hell out of them on message boards and by informing news sites/agencies.
I wanna be a eunuchs developer! Pass me a bread knife!
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
Seriously, I think people here worry about it too much. Simply send them a friendly email, keep a copy of it so that if anything ensues you can prove you were acting in good faith. Only problem I can foresee is if you already took advantage to download something.
-
A mask will be highly suspicious, someone could call the authorities. A little face surgery, or temporally sex change, will be more appropriate given the circumstances.
There is only one Vera Farmiga and Salma Hayek is her prophet! Advertise here – minimum three posts per day are guaranteed.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.