How to inform a website that it can be hacked?
-
I recently bought some digital goods from a website. I paid online via credit card and got access to limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking, since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability? I neither used them nor saved them on my machine. I just discarded the download dialog box.
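Added example, not code from this thread or from the site in question: what the flaw the poster describes looks like in a download handler, beside the fixed version. The storefront, user names, item ids, purchase records and URLs are all constructed here; the only real ingredient is the pattern of trusting a client-supplied id (the `?item=` query parameter) without checking that the caller paid for it.

```python
# Added example (not code from the original thread): a storefront download
# endpoint with the flaw the poster describes, next to a fixed version.
# Everything here is constructed: the users, purchases, catalog and URLs are
# hypothetical, and a "request" is just (authenticated user, requested URL).
from urllib.parse import parse_qs, urlparse

# Constructed purchase records: user -> set of item ids they have paid for.
PURCHASES = {
    "alice": {101, 102},
    "bob": {103},
}

# Constructed catalog: item id -> file bytes that would be streamed back.
CATALOG = {
    101: b"%PDF ebook-101",
    102: b"%PDF ebook-102",
    103: b"%PDF ebook-103",
}


class Forbidden(Exception):
    """Raised when an authenticated user asks for an item they did not buy."""


class BadRequest(Exception):
    """Raised when the ?item= parameter is missing or not an integer."""


def item_id_from_url(url: str) -> int:
    """Extract and validate the ?item= query parameter."""
    params = parse_qs(urlparse(url).query)
    try:
        return int(params["item"][0])
    except (KeyError, IndexError, ValueError):
        raise BadRequest("missing or malformed item parameter") from None


def download_vulnerable(user: str, url: str) -> bytes:
    """Insecure direct object reference: the handler knows who the user is
    (they logged in to reach this page) but serves whatever item id the
    query string names. Authentication without authorization."""
    item = item_id_from_url(url)
    if item not in CATALOG:
        raise BadRequest("no such item")
    return CATALOG[item]


def download_fixed(user: str, url: str) -> bytes:
    """Same endpoint with the missing check: the item must appear in the
    caller's own purchase records, looked up server-side, before any bytes
    are returned. The client-controlled id is only used as a key into data
    already scoped to that user."""
    item = item_id_from_url(url)
    if item not in PURCHASES.get(user, set()):
        # Same response for "not yours" and "does not exist", so a probing
        # client cannot enumerate valid ids from the error message.
        raise Forbidden("item not available to this account")
    return CATALOG[item]


def probe(handler, user: str, url: str) -> str:
    """Summarise what a handler does for a URL: 'served', 'forbidden' or
    'bad_request'. Useful as a regression check after the fix is deployed."""
    try:
        handler(user, url)
        return "served"
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad_request"


if __name__ == "__main__":
    own = "https://shop.example/download?item=101"
    tampered = "https://shop.example/download?item=103"  # bob's purchase, not alice's
    for name, handler in (("vulnerable", download_vulnerable), ("fixed", download_fixed)):
        print(name, "own:", probe(handler, "alice", own),
              "tampered:", probe(handler, "alice", tampered))
```

The point of `probe` is that the fix is testable from the outside: a logged-in account that requests an id it never bought should get the same refusal whether that id belongs to someone else or does not exist at all. That is exactly the request the poster made by hand, so it is the natural regression test for the site owners once they have patched.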
While it is not the same thing, I thought this was rather interesting: http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/
-
It's sad that people are prosecuted for trying to help. Here are some ideas.
1. Go to a cyber cafe.
2. Don't use your real name.
3. Change your computer name to something unrelated to your real identity.
4. Override your MAC address.
5. Connect to the cyber cafe internet.
6. Use a temporary email account.
7. Send the company an email and explain the problem. I would be honest about the steps you took to conceal your identity and the reason why you did it.
8. After the email, put everything on your computer back the way it was.
-
1. Put together a big document that includes screenshots and everything they need to know. You could mention that a similar copy will be mailed to a news organization in X months if you think it warrants immediate attention. This case did not sound like it. Fake CC or really CC some government agency if appropriate.
2. Print the document.
3. Go to a very busy copy center, wear a hat and a fake mustache (wig if female), make a copy (or three) of your printed document. Use (clean) salad tongs to remove the copies from the output tray and put them into the fingerprint-free mailer(s).
4. Use snail mail to mail the physical copies to the vendor.
5. Burn originals.
6. Reformat hard drive.
7. Change Internet providers.
8. If they really do their job, you should expect a new charge on your credit card for the additional items you downloaded. (Good reason to always use gift cards with iffy shopping carts.) They may not really care unless they catch someone else downloading all of their content and selling it on a different site.
-
-
I have done this several times, notifying people of SQL injection vulnerabilities and so on. In one case, it was with a desktop app - their "create a chat room" portion of the app allowed SQL injection. They were happy that I notified them in that case. In the case of a few web sites, I never heard anything back from them but the email didn't bounce. I think you could defend this behavior in court IF you didn't take advantage of the vulnerability.
-
Which porn site was it?? *readies pen*
Michael J. Collins Web Application Programmer
-
Testing a website's defences without their permission doesn't benefit you in any way and can only harm you. If I were you, I'd just forget I ever figured this out. If they came after me, I'd make them prove I actually stole anything, which since you didn't, they'd be hard pressed to prove. Just don't do it again to anybody and you should be fine.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
-
What a bunch of paranoid pansies posting here. Send me the details and I will check it out and let them know. Or just email them and tell them. Assuming you didn't download the entire server contents and that you don't hold them to ransom, then nobody is going to sue anyone successfully. I look at it like picking up someone's dropped wallet: are you too afraid to return it in case they think you stole it? Do the right thing!
MVVM# - See how I did MVVM my way ___________________________________________ Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')
_Maxxx_ wrote:
What a bunch of paranoid pansies posting here
I am guessing that neither you nor anyone you have known has ever been wrongly accused of a crime. Nor that you nor anyone you have known has ever been sued by a mid to large company. Nor read about anyone in similar circumstances. Of course the above can be less of a problem if one is very wealthy, since then fighting the good fight will not bankrupt you, nor will the personal time spent in resolving the matter adversely affect one's finances.
_Maxxx_ wrote:
Do the right thing!
As in all things involving humans that is not black and white. And one might not want to risk destroying their own life and perhaps the life of their family as well simply to protect the financial interests of those one does not even know.
-
And shaving his body so he doesn't leave hair behind; wouldn't want trace DNA coming back and biting him. Oh, and while he's at it, he should wear a mask to thwart video surveillance.
*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington
"Mind bleach! Send me mind bleach!" - Nagy Vilmos
CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier
Or heavy, professional make-up.
-
Actually, he was excluded after... 1. He reported the fault. 2. The college warned him not to carry on attempting. 3. He attempted to penetrate the system using industrial grade penetration software. It was at this stage they felt it necessary to exclude him. He also received various warnings following the college's formal exclusion procedures. So, if you report it and they ask you not to carry on, best not.
-
The kid in question was probing a service which was making it possible for anybody to find out his personal details. If after being expelled for trying to break into the service a second time he succeeded, I'd argue he has a strong case to sue the college for recklessly and carelessly handling his and other thousands of students' personal data. If I was him, I'd obviously talk to a lawyer.
-
Well, you are guessing wrong. In any case, there is precaution and there is paranoia. Just because something happens on occasion doesn't mean we should change behavior beyond reason. You say things like the risk of destroying their own life. Come on - how big a risk? Paranoid pansies, the lot of you!
-
Which porn site was it?? *readies pen*
*Readies penis* FTFY
-
I have two solutions for you. First, be partially honest. Email them and inform them that you have found a hole in their website that allows free downloads of their material. DO NOT tell them that you have already done this. Tell them you can point this out for them but you want indemnity. Then, once they agree, point out the flaw and what you did. If that sounds a bit too complex and time consuming, my next suggestion is to take the Darwinism approach. Post the vulnerability on some less than reputable sites and let nature take its course. Either they will find the hole themselves and fix it, or lose so much revenue that they will have to shut up shop.