How to inform about a website that it can be hacked?
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
What a bunch of paranoid pansies posting here Send me the details & I will check it out and let them know. Or Just email them & tell them - assuming g you didn't download the entire server contents and that you don't hold the to ransom, the no odys going to sue anyone succesfully. I look at it like picking up so domes dropped wallet - are you too afraid to return it in case they think you stole it? Do the right thing!
MVVM# - See how I did MVVM my way ___________________________________________ Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
You have checked your credit card wasn't debited for l the downloads, have you? :)
MVVM# - See how I did MVVM my way ___________________________________________ Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
-
I wonder if anyone commenting here, is actually one of the developers of the site. :laugh:
-
What about the fingerprints he is going to left behind? I would suggest altering his fingers with an acid before that.
There is only one Vera Farmiga and Salma Hayek is her prophet! Advertise here – minimum three posts per day are guaranteed.
Deyan Georgiev wrote:
I would suggest altering his fingers with an acid before that.
after, surely!
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
How about a good old fashioned letter, as a concerned citizen. Preferably after obtaining some 'advice' from a local advice bureau, or friendly lawyer, so that you have documentary evidence of being being on the good side. Sending an email is just more proof of misuse of your computer :)
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
the last guy who did it was sued here in Brazil, but the case was dropped. you'd be better off leaving some authority in security know about it, I'm sure there are companies in your country who do penetration testing, they are your best bet. you can also find on the website of the brand developer, if it is a site developed by a consultant, they probably left the contact at some point ... the consultancy for sure would be happy if you take the case to them and not the customer.
I'm brazilian and english (well, human languages in general) aren't my best skill, so, sorry by my english. (if you want we can speak in C# or VB.Net =p)
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
Just tell them. If you get an ungrateful response, you can hammer the Hell out of them on message boards and by informing news sites/agencies.
I wanna be a eunuchs developer! Pass me a bread knife!
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
Seriously, I think people here worry about it too much. Simply send them a friendly email, keep a copy of it so that if anything ensues you can prove you were acting in good faith. Only problem I can foresee is if you already took advantage to download something.
-
A mask will be highly suspicious, someone could call the authorities. A little face surgery, or temporally sex change, will be more appropriate given the circumstances.
There is only one Vera Farmiga and Salma Hayek is her prophet! Advertise here – minimum three posts per day are guaranteed.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
-
Not sure what might happen. You never can tell. A kid in Canada recently reported to the college he was attending that there was a flaw in their software that leaked personal information for all their students. He was expelled.
-
I think you should post the details on here first so we can all get what we want, maybe report it in a weeks time.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
-
You can be charged for anything, getting convicted would hopefully be impossible for such a scenario!
Several years back I was on a jury, the defendant was charged with the distribution of marijuana. Of the twelve jurors, 10 figured the defendant was guilty by reason of being charged, and were not moved by the overwhelming lack of evidence to support the charge. Such as the lack of audio video that demonstrated the defendant selling to a police officer. The only evidence to prove the case was marijuana paraphernalia, and a pound of uncleaned marijuana stored in the freezer which the defendant claimed to be for personal use. Based on his after trial statements, that pound of marijuana amounted to a months supply which is not entirely unreasonable. Smokers will store a carton of cigarettes in the freezer to maintain freshness. When the only of the two arresting officers that showed up for the trial was asked why an officer was not able to purchase marijuana from the defendant, the officer said "He was to good." In addition to this, the officer testified that; "Based on his professional opinion, no one would have that much marijuana unless they were distributing it." After the trial, the Prosecuting attorney and the officer came into the jury room to question the jury as to why the defendant was found guilty of the lesser charge of possession, a misdemeanor rather than the distribution charge which carried a mandatory life sentence. I made the following statement: "That could be a good party." The officer responded: "If you could assume that, you could have found him guilty." Not to many will miss the officers assertion, but in case you did: The officer expected a guilty verdict not because of evidence presented, but because of assumptions made. The other juror, which seen the same lack of evidence as I did happened to be an attorney. On the second day of deliberations, I told the jury straight out that I would not find the defendant guilty of distribution because there was no evidence to support the charge. Possession however, was obvious. This case should not have even gone to trial, it should have been plead out. So sad to tell you but, if you end up with a jury of 12 unthinking people who believe that only guilty people get charged with crimes, you are going to jail.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
Document your findings, but do not explain exactly how you discovered the vulnerability. If possible, contact the company via email and telephone. I would first attempt to contact them via phone and explain that you've discovered a security vulnerability on their website. If they appear to lack interest, tell them no more. If they appear genuinely concerned, explain what you found (again though not how you found it) and why it’s a concern. If you’re paranoid, call them from a phone you do not own and do not give them your personal information.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
While it is not the same thing, I thought this was rather interesting: http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/[^]
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
It's sad that people are prosecuted for trying to help. Here are some ideas. 1. Go to a cyber cafe. 2. Don't use your real name. 3. Change your computer name to something unrelated to your real identity. 4. Override your MAC address 5. Connect to the cyber cafe internet. 6. Use a temporary email account 7. Send the company an email and explain the problem. I would be honest about the steps you took to conceal your identity and the reason why you did it. 8. After the email, put everything on your computer back the way it was.
-
I recently bought some digital goods from a website. I paid online via credit card and got access to a limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability . I did not use them neither save them on my machine. I just discarded the download dialog box.
1. Put together a big document that includes screen shots and everything they need to know. You could mention that a similar copy will be mailed to a news organization in X months if you think it warrants immediate attention. This case did not sound like it. Fake CC or really CC some government agency if appropriate. 2. Print the document. 3. Go to a very busy copy center, wear a hat and a fake mustache(wig if female), make a copy (or threee) of your print document. Use (clean) salad tongs to remove the copies from the output tray and put them into the finger-print free mailer(s). 4. Use snail mail to mail the physical copies to the vendor. 5. Burn Originals 6. Reformat Hard Drive. 7. Change Internet Providers. 8. If they really do their job, you should expect a new charge on your credit card for the additional items you downloaded. (Good reason to always use gift cards with iffy shopping carts) They may not really care unless they catch someone else downloading all of their content and selling it on a different site.
-
1. Put together a big document that includes screen shots and everything they need to know. You could mention that a similar copy will be mailed to a news organization in X months if you think it warrants immediate attention. This case did not sound like it. Fake CC or really CC some government agency if appropriate. 2. Print the document. 3. Go to a very busy copy center, wear a hat and a fake mustache(wig if female), make a copy (or threee) of your print document. Use (clean) salad tongs to remove the copies from the output tray and put them into the finger-print free mailer(s). 4. Use snail mail to mail the physical copies to the vendor. 5. Burn Originals 6. Reformat Hard Drive. 7. Change Internet Providers. 8. If they really do their job, you should expect a new charge on your credit card for the additional items you downloaded. (Good reason to always use gift cards with iffy shopping carts) They may not really care unless they catch someone else downloading all of their content and selling it on a different site.