How to inform about a website that it can be hacked?

The Lounge | 76 Posts, 46 Posters
bbirajdar wrote:

I recently bought some digital goods from a website. I paid online via credit card and got access to limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased. How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking, since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability? I neither used them nor saved them on my machine. I just discarded the download dialog box.

Jasmine2501 wrote (#58):

I have done this several times, notifying people of SQL injection vulnerabilities and so on. In one case, it was with a desktop app - their "create a chat room" portion of the app allowed SQL injection. They were happy that I notified them in that case. In the case of a few web sites, I never heard anything back from them but the email didn't bounce. I think you could defend this behavior in court IF you didn't take advantage of the vulnerability.
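As an added example (not code from this thread, nor from the site the original poster describes), here is a minimal Python model of the download endpoint he is talking about: a handler that trusts the item id in the query string, the hardened handler that checks the buyer's purchase record before serving anything, and a log check a site owner could run afterwards to find requests for items the requesting account never bought. The item ids, purchase records, URL format and log format are all constructed for the example.

```python
"""
Added example (not code from the CodeProject thread or from the site described):
a minimal model of the download endpoint the opening post describes. The item id
comes from the query string; the insecure handler trusts it, the hardened handler
checks the requester's purchase record first (the missing authorization check
behind this class of bug). Catalogue, purchases and log lines are constructed
sample data.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: item id -> content, and user -> set of purchased ids.
ITEMS = {
    "101": b"ebook-101-contents",
    "102": b"ebook-102-contents",
    "103": b"ebook-103-contents",
}
PURCHASES = {
    "alice": {"101"},
    "bob": {"102", "103"},
}


class Forbidden(Exception):
    """Raised when an authenticated user asks for an item they have not bought."""


def item_id_from_url(url: str) -> str:
    """Extract the single `item` query parameter; reject missing or repeated values."""
    values = parse_qs(urlparse(url).query).get("item", [])
    if len(values) != 1:
        raise ValueError("expected exactly one 'item' parameter")
    return values[0]


def download_insecure(user: str, url: str) -> bytes:
    """The pattern the opening post describes: the handler knows who the user is
    but never checks whether the requested id belongs to that user's purchases."""
    item_id = item_id_from_url(url)
    return ITEMS[item_id]  # any logged-in user can fetch any item id


def download_secure(user: str, url: str) -> bytes:
    """Hardened handler: serve the item only after confirming the entitlement."""
    item_id = item_id_from_url(url)
    if item_id not in ITEMS:
        raise KeyError(f"unknown item {item_id}")
    if item_id not in PURCHASES.get(user, set()):
        # Deny, and make the denial visible: this is the event a defender wants logged.
        raise Forbidden(f"user {user!r} has no purchase for item {item_id}")
    return ITEMS[item_id]


# Constructed access-log lines in a hypothetical "timestamp user=<u> <method> <path>" format.
SAMPLE_LOG = """\
2013-01-22T10:00:00Z user=alice GET /download?item=101
2013-01-22T10:00:07Z user=alice GET /download?item=102
2013-01-22T10:00:09Z user=alice GET /download?item=103
2013-01-22T10:05:00Z user=bob GET /download?item=102
"""


def suspicious_downloads(log_text: str) -> list:
    """Retrospective check a site owner can run over existing logs: every download
    request whose item id is not in the requesting user's purchase record.
    Returns (timestamp, user, item_id) tuples in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user_field, _method, path = line.split()
        user = user_field[len("user="):] if user_field.startswith("user=") else user_field
        try:
            item_id = item_id_from_url(path)
        except ValueError:
            continue  # malformed request; not an entitlement question
        if item_id not in PURCHASES.get(user, set()):
            hits.append((timestamp, user, item_id))
    return hits


if __name__ == "__main__":
    print(download_insecure("alice", "/download?item=102"))  # serves an item alice never bought
    try:
        download_secure("alice", "/download?item=102")
    except Forbidden as exc:
        print("denied:", exc)
    for hit in suspicious_downloads(SAMPLE_LOG):
        print("suspicious:", hit)
```

The fix is not in the URL parsing but in the lookup order: the secure handler resolves the item only after the purchase check, so the query parameter is treated as a request, not as a proof of entitlement. The log check is what lets the site owner answer the original poster's other worry, namely whether anyone actually fetched content they had not paid for, without relying on the reporter's word.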
In reply to bbirajdar's opening post (quoted above):

Michael J Collins wrote (#59):

Which porn site was it?? *readies pen*

Michael J. Collins, Web Application Programmer
In reply to bbirajdar's opening post (quoted above):

patbob wrote (#60):

Testing a website's defences without their permission doesn't benefit you in any way and can only harm you. If I were you, I'd just forget I ever figured this out. If they came after me, I'd make them prove I actually stole anything, which since you didn't, they'd be hard pressed to prove. Just don't do it again to anybody and you should be fine.

We can program with only 1's, but if all you've got are zeros, you've got nothing.
In reply to bbirajdar's opening post (quoted above):

Toto1107 wrote (#61):

Canadian college expels student for white hat security probing: http://www.extremetech.com/computing/146323-canadian-college-expels-student-for-white-hat-security-probing
Lost User (_Maxxx_) wrote:

What a bunch of paranoid pansies posting here. Send me the details & I will check it out and let them know. Or just email them & tell them - assuming you didn't download the entire server contents and that you don't hold them to ransom, then nobody's going to sue anyone successfully. I look at it like picking up somebody's dropped wallet - are you too afraid to return it in case they think you stole it? Do the right thing!

MVVM# - See how I did MVVM my way | Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')

jschell wrote (#62):

_Maxxx_ wrote:

What a bunch of paranoid pansies posting here

I am guessing that neither you nor anyone you have known has ever been wrongly accused of a crime. Nor that you nor anyone you have known has ever been sued by a mid to large company. Nor read about anyone in similar circumstances. Of course the above can be less of a problem if one is very wealthy, since then fighting the good fight will not bankrupt you, nor will the personal time spent in resolving the matter adversely affect one's finances.

_Maxxx_ wrote:

Do the right thing!

As in all things involving humans, that is not black and white. And one might not want to risk destroying their own life, and perhaps the life of their family as well, simply to protect the financial interests of those one does not even know.
Pete OHanlon wrote:

And shaving his body so he doesn't leave hair behind; wouldn't want trace DNA coming back and biting him. Oh, and while he's at it, he should wear a mask to thwart video surveillance.

*pre-emptive celebratory nipple tassle jiggle* - Sean Ewington | "Mind bleach! Send me mind bleach!" - Nagy Vilmos | CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier

Florin Jurcovici 0 wrote (#63):

Or heavy, professional make-up.
bbirajdar wrote:

oops.... I should keep quiet then... better for me

Rob Grainger wrote (#64):

Actually, he was excluded after...

1. He reported the fault.
2. The college warned him not to carry on attempting.
3. He attempted to penetrate the system using industrial grade penetration software.

It was at this stage they felt it necessary to exclude him. He also received various warnings following the college's formal exclusion procedures. So, if you report it and they ask you not to carry on, best not.
In reply to Rob Grainger's post #64 (quoted above):

Florin Jurcovici 0 wrote (#65):

The kid in question was probing a service which was making it possible for anybody to find out his personal details. If after being expelled for trying to break into the service a second time he succeeded, I'd argue he has a strong case to sue the college for recklessly and carelessly handling his and other thousands of students' personal data. If I was him, I'd obviously talk to a lawyer.
In reply to jschell's post #62 (quoted above):

Lost User wrote (#66):

Well, you are guessing wrong. In any case, there is precaution and there is paranoia. Just because something happens on occasion doesn't mean we should change behavior beyond reason. You say things like the risk of destroying their own life. Come on - how big a risk? Paranoid pansies, the lot of you!

MVVM# - See how I did MVVM my way | Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')
In reply to Michael J Collins' post #59 (quoted above):

Lost User wrote (#67):

Readies penis Ftfy

MVVM# - See how I did MVVM my way | Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')
In reply to bbirajdar's opening post (quoted above):

Mathew Crothers wrote (#68):

I have two solutions for you. First, be partially honest. Email them and inform them that you have found a hole in their website that allows free downloads of their material. DO NOT tell them that you have already done this. Tell them you can point this out for them but you want indemnity. Then once they agree, point out the flaw and what you did. If that sounds a bit too complex and time consuming, my next suggestion is to take the Darwinism approach. Post the vulnerability on some less than reputable sites and let nature take its course. Either they will find the hole themselves and fix it, or lose so much revenue that they will have to shut up shop.
In reply to bbirajdar's opening post (quoted above):

obermd wrote (#69):

This is one of the vulnerabilities that is scanned for in the PCI standard and will fail a site if found. I'd be leery of giving this site my credit card.
In reply to patbob's post #60 (quoted above):

bbirajdar wrote (#70):

Thank you for the advice.. My 5.. I will follow your advice.. It's the most beneficial for me
bbirajdar wrote:

Oh my God.. Did I make a mistake by posting this? Should I remove it...?

Lost User wrote (#71):

Don't be afraid of being sued. Just be anonymous in your dealings. Tor Mail can help you, as it is untraceable. http://tormail.org/

I am signature, hear me roar.
In reply to Lost User's post #66 (quoted above):

jschell wrote (#72):

_Maxxx_ wrote:

Come on - how big a risk?

Err...did you read the link that someone else posted about a university student being expelled for cause for reporting a security problem? The way that person was expelled not only limits their options at that university but other universities. And this is not an isolated instance.
In reply to Rob Grainger's post #64 (quoted above):

jschell wrote (#73):

Rob Grainger wrote:

2. The college warned him not to carry on attempting.

Could you post the link that says that?

Rob Grainger wrote:

He also received various warnings following the college's formal exclusion procedures.

Could you post the link that says that?
In reply to jschell's post #72 (quoted above):

Lost User wrote (#74):

jschell wrote:

did you read the link

Yes I did

jschell wrote:

being expelled for cause for reporting a security problem?

Well, if you read it you will see that the case isn't quite as simple - although he discovered and reported the vulnerability, he was expelled for scanning the system two days later. In any case, this is a single event.

jschell wrote:

The way that person was expelled not only limits their options at that university but other universities.

He's been offered places and scholarships, so all's well.

jschell wrote:

And this is not an isolated instance.

Links? References? I, personally, have reported a number of security issues at a number of web sites over the years; these range from Word documents sent out containing the (deleted) information of other subscribers, including credit card details, site vulnerabilities similar to the one mentioned by the OP, and even one where bypassing the password page simply let you into the system. I have never received any negative comeback. If I have done it, I can assume that others have too. Obviously some, or at least one, have done it and found trouble. What's the difference between those that find trouble and those that don't? Those that do get publicity. There could be millions of unreported, unremarkable incidents going on, with one or two having bad results for the perp - who knows?

MVVM# - See how I did MVVM my way | Man, you're a god. - walterhevedeich 26/05/2011 .\\axxx (That's an 'M')
In reply to Lost User's post #74 (quoted above):

jschell wrote (#75):

_Maxxx_ wrote:

Well, if you read it you will see that the case isn't quite as simple - although he discovered and reported the vulnerability he was expelled for scanning the system two days later.

So the university claims.

_Maxxx_ wrote:

In any case, this is a single event.

Hardly. It is a recent and well publicized event. There are others with varying degrees of problems.

_Maxxx_ wrote:

He's been offered places and scholarships, so all's well.

Hindsight is a wonderful thing but hardly relevant. It doesn't negate what happened.

_Maxxx_ wrote:

Links? references?

I don't believe it is either my job or my moral duty to educate you. I found the following after less than 5 minutes of searching, and these are NOT ones that I am already familiar with.

http://www.wpbf.com/Employees-Fired-After-Reporting-Security-Breach/-/8789538/5096936/-/ykd8l4z/-/index.html
http://www.splc.org/news/newsflash.asp?id=1621

_Maxxx_ wrote:

I, personally, have reported a number of security issues at a number of web sites over the year

And prosecutors, law enforcement and officers of an institution all can use their discretion in determining which actionable cases they pursue, along with how they react. The fact that they have chosen an outcome that did not harm you doesn't mean the one single negative case would not have severely impacted you.

_Maxxx_ wrote:

What's the difference between those that find trouble and those that don't? Those that do get publicity.

Wrong. Again, it is not my job to educate you. The difference is only that finding out about the publicized cases is easy, and those cases are more likely to result in a positive outcome for the individual accused. It is more likely that there are many ne
Jimmy Savile wrote:

I think you should post the details on here first so we can all get what we want, maybe report it in a week's time.

dactan wrote (#76):

I will download other document.