Security problems with personals website

Computer Software Security
Posted by fellamelad on April 24, 2007, 5:38 am
I've discovered a very huge security hole in a personals website with
well over a million subscribers. The site is extremely popular, and
as it's a paid-subscription service they are more than likely making a
fair bit of money from it.

You would think that in such a situation, they would have fairly
bullet-proof security - I'm no hacker, but have found out that just by
changing one client-side cookie, I can have free access to a large
amount of information on any subscriber of the site. With a bit more
digging - but still not using any scripting or established hacking
methods - I've found it's possible to uncover even more information
and spoof any user's account.

The question is: what do I do with this information? I've thought of
approaching the site in question and telling them - but is there any
way I can spin this whereby I could expect payment for giving them
this information - without resorting to methods that could be
interpreted as extortion and blackmail obviously... I have thought of
approaching them as a security consultant (I am a web developer and
some of my job is server administration)...

Grateful for any feedback/advice.
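The flaw described in this post, a user identity read straight from a cookie the browser can edit, shown beside two server-side fixes, as an added Python example that is not code from the post or from the site in question; the profile table, session store and signing key are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: two subscribers of a hypothetical personals site.
PROFILES = {
    "1001": {"name": "alice", "email": "alice@example.invalid"},
    "1002": {"name": "bob", "email": "bob@example.invalid"},
}

def vulnerable_profile(cookies):
    """Weak pattern: the user's identity is read straight from a cookie the
    browser controls, so whatever 'uid' arrives is served without any check."""
    return PROFILES.get(cookies.get("uid"))

# Fix 1: keep identity on the server. The cookie carries only an opaque random
# session id; the id-to-user mapping never leaves the server, so there is
# nothing in the cookie that can be edited into another subscriber's identity.
SESSIONS = {}  # session id -> user id (server-side state)

def login_session(uid):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = uid
    return sid

def session_profile(cookies):
    uid = SESSIONS.get(cookies.get("sid"))
    return PROFILES.get(uid) if uid is not None else None

# Fix 2 (stateless variant): sign the cookie with a key only the server knows
# and refuse any value whose tag does not verify. Editing 'uid' breaks the tag.
SERVER_KEY = secrets.token_bytes(32)  # assumed: generated once, kept secret

def login_signed(uid):
    tag = hmac.new(SERVER_KEY, uid.encode(), hashlib.sha256).hexdigest()
    return f"{uid}.{tag}"

def signed_profile(cookies):
    value = cookies.get("auth", "")
    uid, sep, tag = value.partition(".")
    if not sep:
        return None  # malformed cookie: no tag present
    expected = hmac.new(SERVER_KEY, uid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # tampered or forged cookie: serve nothing
    return PROFILES.get(uid)
```

Either fix is also easy to spot in logs: a rejected session id or failed tag check on a profile request is the signal that someone is editing their cookie.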


Posted by David H. Lipman on April 24, 2007, 7:40 am

| I've discovered a very huge security hole in a personals website with
| well over a million subscribers. The site is extremely popular, and
| as it's a paid-subscription service they are more than likely making a
| fair bit of money from it.

| You would think that in such a situation, they would have fairly
| bullet-proof security - I'm no hacker, but have found out that just by
| changing one client-side cookie, I can have free access to a large
| amount of information on any subscriber of the site. With a bit more
| digging - but still not using any scripting or established hacking
| methods - I've found it's possible to uncover even more information
| and spoof any user's account.

| The question is: what do I do with this information? I've thought of
| approaching the site in question and telling them - but is there any
| way I can spin this whereby I could expect payment for giving them
| this information - without resorting to methods that could be
| interpreted as extortion and blackmail obviously... I have thought of
| approaching them as a security consultant (I am a web developer and
| some of my job is server administration)...

| Grateful for any feedback/advice.


Contact the admin/webmaster and tell the truth about what you found.
Do NOT ask for compensation!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Leythos on April 24, 2007, 7:42 am
On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
>
> The question is: what do I do with this information? I've thought of
> approaching the site in question and telling them - but is there any way
> I can spin this whereby I could expect payment for giving them this
> information

You already know what to do with the information - alert them immediately.

As for the rest, you appear to want to hack sites to make a buck - that's
unethical. If you were not requested to attempt to hack their site then
you are being unethical in doing so.

--
Leythos
Igitur qui desiderat pacem, praeparet bellum.
spam999free@rrohio.com (remove 999 for proper email address)

Posted by Unruh on April 24, 2007, 12:31 pm

>On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
>>
>> The question is: what do I do with this information? I've thought of
>> approaching the site in question and telling them - but is there any way
>> I can spin this whereby I could expect payment for giving them this
>> information

>You already know what to do with the information - alert them immediately.

>As for the rest, you appear to want to hack sites to make a buck - that's
>unethical. If you were not requested to attempt to hack their site then
>you are being unethical in doing so.

Nuts. He did not "hack their site" if what he said was true. He changed
something on his OWN computer, which caused the far side to divulge info.
Yours is the standard establishment position on whistle-blowers: they did
not follow protocol. If his description is correct, then ethically he
should report it, not only to the establishment but also to CERT. And if
they have not fixed it in some short period of time, report it to the
community.
As for compensation, that is trickier. Ethically they should compensate
him. It is through his efforts that a security flaw has been discovered.
But legally it is pretty dicey. And attempts to "extort" money from them
would cross the legal line.

Posted by kurt wismer on April 24, 2007, 11:51 pm
Unruh wrote:
>
>> On Tue, 24 Apr 2007 02:38:42 -0700, fellamelad wrote:
>>> The question is: what do I do with this information? I've thought of
>>> approaching the site in question and telling them - but is there any way
>>> I can spin this whereby I could expect payment for giving them this
>>> information
>
>> You already know what to do with the information - alert them immediately.
>
>> As for the rest, you appear to want to hack sites to make a buck - that's
>> unethical. If you were not requested to attempt to hack their site then
>> you are being unethical in doing so.
>
> Nuts. He did not "hack their site" if what he said was true.

if he tested what he claims is possible then he most certainly did
'hack' their site... the confidentiality of the information in any
accounts he accessed has been compromised regardless of whether he made
any server side changes...

it is essentially equivalent to a pen-test without permission (and
pen-testers most certainly can get in deep trouble if they don't first
get permission)... if he's going to report it then he might want to
consider doing so anonymously (which more or less precludes compensation)...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
