Wondering if I should take advantage of this security hole.

Poll: What should I do here?

Ask for money: 5 votes (13%)
Ask for a job: 17 votes (45%)
Just walk away: 16 votes (42%)

Total votes: 38

'; DROP DATABASE;--
Posts: 3284
Joined: Thu Nov 22, 2007 9:38 am UTC
Location: Midwest Alberta, where it's STILL snowy

Wondering if I should take advantage of this security hole.

Postby '; DROP DATABASE;-- » Tue Feb 19, 2008 7:54 am UTC

So while I was bored I discovered a fairly massive security hole in a fairly large company's website. We're talking full-on SQL injection, complete with being able to stick "'; another query here; --" in the string, and write access. Now I'm not the type/dumb enough to just deface the website for fun (despite what my name may imply :P) or try to blackmail the owners with "fork over cash or I wipe the database", but I am broke.

Now this particular database contains a lot of old records, which you can still see by putting their ID in the URL, but which aren't actually linked from anywhere. Basically the only way someone would notice a change to one of these records is if they randomly guessed its ID (quite unlikely) or were looking through the database like I was. So I had an idea.

I figured I could just leave a message in one of these records, and then email them pointing it out. Tell them I'll explain how I did it for a couple hundred bucks, and explain that this is not a threat and I'm not going to fuck with things if they refuse. But with all the paranoia surrounding hacking, I fear they may freak out and call the police or something. I don't know how much legal trouble one can get in for this sort of thing if they don't actually cause any damage, and of course I would have to give them some way to send the money which would be easily traceable.

Or maybe instead of asking for money I should apply for a job as a security consultant or something along those lines? Judging by the table structure, outdated records, misspelled column names, and severity of the hole (I really don't think they do any input sanitization whatsoever), they could probably use one. Just make it like a typical "I want a job" email, and under experience/references/etc link to a record that I've altered. I've heard of people having success with this method, but at the same time, I'd probably have to have some sort of work-from-home thing going and that's unlikely to work out.

Anyone think this is a good idea? Given how easy this hole was to find, and how severe it is (I verified I was able to alter records, but I changed them back afterward) I imagine it's only a matter of time before someone else finds it and just wipes everything.

(I live in Alberta, BTW, if that helps any of you lawyers out there.)
poxic wrote:You suck. And simultaneously rock. I think you've invented a new state of being.

Zak
Posts: 2230
Joined: Sun Dec 16, 2007 7:25 am UTC
Location: In the making.

Re: Wondering if I should take advantage of this security hole.

Postby Zak » Tue Feb 19, 2008 7:58 am UTC

I wouldn't ask for anything after changing the website around. I would notify them, then ask for a job, cash prize.
*waggles eyebrows*

joeframbach
Posts: 1478
Joined: Sun Nov 05, 2006 12:49 am UTC

Re: Wondering if I should take advantage of this security hole.

Postby joeframbach » Tue Feb 19, 2008 8:03 am UTC

You're missing a poll option: "tell them about the security hole. end of story."

Kabann
Posts: 270
Joined: Sun Dec 23, 2007 8:33 am UTC
Location: 30.5254XX / -97.8344XX

Re: Wondering if I should take advantage of this security hole.

Postby Kabann » Tue Feb 19, 2008 8:11 am UTC

That's wayyyyy too selfless. I'd send their IT department notification that you found a security hole, and are offering your services as a consultant to help them fix it for a set fee. Avoids any perception of extortion, and doesn't rope you in to any contractual obligation. And if they get their dander up and refuse, or ignore you, to hell with them. Post the vulnerability to a hacker group and watch the chips fall where they may.
My goal in life is to have money, power, fame, wisdom, and love.
So far, I've got a sense of humor.
It's a good start.

'; DROP DATABASE;--
Posts: 3284
Joined: Thu Nov 22, 2007 9:38 am UTC
Location: Midwest Alberta, where it's STILL snowy

Re: Wondering if I should take advantage of this security hole.

Postby '; DROP DATABASE;-- » Tue Feb 19, 2008 8:14 am UTC

joeframbach wrote:You're missing a poll option: "tell them about the security hole. end of story."
That's kinda the idea with the third option. I'd still tell them about it.
poxic wrote:You suck. And simultaneously rock. I think you've invented a new state of being.

Bruce
Posts: 447
Joined: Tue Feb 12, 2008 11:44 am UTC
Location: Melbourne

Re: Wondering if I should take advantage of this security hole.

Postby Bruce » Tue Feb 19, 2008 8:40 am UTC

I would go with telling them, and make it clear that you will make a public announcement at a given time, for the good of their customers. If it is not fixed by this time it is on them. Otherwise there is a high risk you will just be ignored.
COMFORT, n.
A state of mind produced by contemplation of a neighbor's uneasiness.

pieaholicx
The cake is a lie!
Posts: 531
Joined: Mon Oct 22, 2007 12:51 pm UTC

Re: Wondering if I should take advantage of this security hole.

Postby pieaholicx » Tue Feb 19, 2008 2:06 pm UTC

Discovering a security hole isn't a problem; doing anything using the security hole can become a problem. Do not alter anything through the hole, as they can press charges against you for it. However, I would inform them that they have a hole, and since you need cash, tell them that you'll patch it for a fee, and explain that you'll go public with it either way on some date.
It's okay, I'm Chaotic Neutral. I can kill him over the loot.
Overexposure to pieaholicx may, in semi-rare cases, emancipate dental fillings, crowns, tooth enamel, and teeth.

tendays
Posts: 957
Joined: Sat Feb 17, 2007 6:21 pm UTC
Location: HCMC

Re: Wondering if I should take advantage of this security hole.

Postby tendays » Tue Feb 19, 2008 6:42 pm UTC

IANAL.

You have two reasonable options:
1. If you feel generous, send them an ANONYMOUS email, from a freshly created email account, giving them a full description of the problem, and that's it. Don't ask for anything in exchange.
2. If you don't feel that generous, do nothing and walk away.

If you pick option 1, you may want to make it public after some point, if they don't bother fixing it, if you deem it important (i.e. if you really want the flaw to be fixed), and if you warned them you'd do that. However doing that may get you in trouble if they find out who you are.

Either asking for money or asking for a job will come out as blackmail and will put you in trouble. Even if you don't ask for anything, telling them you know how to access their database will probably put you in trouble.

If the company is anything bigger than a three-person startup, "anonymous" means either using Tor or going through a wireless network not requiring authentication, or both. The bigger the company, the more motivated they'll be to go after you rather than fixing the problem.

Too often I've heard of security researchers getting in trouble, just for pointing out a flaw with the best intentions in mind.

Sorry but I seriously doubt that this can help you get money or a job. (There was an Ask Slashdot on precisely this topic some time ago - you may want to search for it, but people were answering essentially the same as I wrote above.)
<Will> s/hate/love/
Hammer wrote:We are only mildly modly. :D
Beware of the shrolymerase!

'; DROP DATABASE;--
Posts: 3284
Joined: Thu Nov 22, 2007 9:38 am UTC
Location: Midwest Alberta, where it's STILL snowy

Re: Wondering if I should take advantage of this security hole.

Postby '; DROP DATABASE;-- » Wed Feb 20, 2008 3:34 am UTC

Yeah, that's about what I was thinking. I had a spur-of-the-moment idea that maybe I could use this to my advantage, but there's no telling how they'd react to such a message. After thinking about it some more, asking for money is going to sound like extortion no matter how I do it, and if they did offer me a job I'd probably have to relocate, which won't work.

Yeah, I'll just tell them about it anonymously. Thanks for your input.

(And now let's see the results of the poll... ha.)
poxic wrote:You suck. And simultaneously rock. I think you've invented a new state of being.

Anpheus
I can't get any worse, can I?
Posts: 860
Joined: Fri Nov 16, 2007 10:38 pm UTC
Location: A privileged frame of reference.

Re: Wondering if I should take advantage of this security hole.

Postby Anpheus » Wed Feb 20, 2008 4:16 am UTC

I don't see how he's blackmailing them if he says, "I found a problem, if you employ me I'll help you fix it, otherwise I'll not disclose it and you can try to fix it yourselves."

I think a few security researchers would be in jail now if that were illegal.
  /###\_________/###\
  |#################|
  \#################/
   |##┌         ┐##|
   |##  (¯`v´¯)  ##|
   |##  `\ ♥ /´  ##|
   |##   `\¸/´   ##|
   |##└         ┘##|
  /#################\
  |#################|
  \###/¯¯¯¯¯¯¯¯¯\###/

Amnesiasoft
Posts: 2573
Joined: Tue May 15, 2007 4:28 am UTC
Location: Colorado

Re: Wondering if I should take advantage of this security hole.

Postby Amnesiasoft » Wed Feb 20, 2008 4:37 am UTC

Anpheus wrote:I don't see how he's blackmailing them if he says, "I found a problem, if you employ me I'll help you fix it, otherwise I'll not disclose it and you can try to fix it yourselves."

I agree with that, but there's no way of telling how a company would react to that anyway. Even though the message is not threatening in any way.

Anpheus
I can't get any worse, can I?
Posts: 860
Joined: Fri Nov 16, 2007 10:38 pm UTC
Location: A privileged frame of reference.

Re: Wondering if I should take advantage of this security hole.

Postby Anpheus » Wed Feb 20, 2008 4:49 am UTC

If the company reacts poorly tell them to piss off, if they pressure you still, tell them that you'll disclose the vulnerability to a reliable and open technology firm. Does Secunia allow submission of website vulnerabilities? Will F-Secure post an announcement regarding it or contact the company under their name?

Do not directly release it to the public though as doing this improperly could be considered an attack or somesuch, which is why I would only release it publicly through a trusted and known security site that has an interest in maintaining its credibility and may even have lawyers on retainer to deal with the numerous poorly thought out cease and desist orders, DMCA take-down orders, and other such things I imagine they receive.

The last thing you want to do is to publish it on a personal website and get into a legal spat with a company that is willing to spend more money on the lawyers necessary to bankrupt you than it would for them to fix the problem.

coppro
Posts: 117
Joined: Mon Feb 04, 2008 6:04 am UTC

Re: Wondering if I should take advantage of this security hole.

Postby coppro » Wed Feb 20, 2008 5:23 am UTC

'; DROP DATABASE;-- wrote:(I live in Alberta, BTW, if that helps any of you lawyers out there.)
Is said corporation also in Alberta? If so, you probably could get a job just by hinting that you're unemployed and giving them the solution to the problem at the same time.

'; DROP DATABASE;--
Posts: 3284
Joined: Thu Nov 22, 2007 9:38 am UTC
Location: Midwest Alberta, where it's STILL snowy

Re: Wondering if I should take advantage of this security hole.

Postby '; DROP DATABASE;-- » Wed Feb 20, 2008 7:58 am UTC

Actually, it looks like they are. Not too far from here. Hmmmm.
poxic wrote:You suck. And simultaneously rock. I think you've invented a new state of being.

b.i.o
Green is the loneliest number
Posts: 2519
Joined: Fri Jul 27, 2007 4:38 pm UTC
Location: Hong Kong

Re: Wondering if I should take advantage of this security hole.

Postby b.i.o » Thu Feb 21, 2008 1:07 am UTC

coppro wrote:
'; DROP DATABASE;-- wrote:(I live in Alberta, BTW, if that helps any of you lawyers out there.)
Is said corporation also in Alberta? If so, you probably could get a job just by hinting that you're unemployed and giving them the solution to the problem at the same time.


Except that you'd have to give them your name for that, which makes it a lot easier for them to go after you with a massive group of lawyers if that's what they'd want to end up doing.

LittleChrist
Posts: 169
Joined: Tue Oct 09, 2007 2:07 am UTC
Location: New York

Re: Wondering if I should take advantage of this security hole.

Postby LittleChrist » Thu Feb 21, 2008 1:59 am UTC

You could always just apply for a job, send them your resume and then schedule an interview. When asked about your qualifications, show them the hole, then present a means of solving the problem. This shows them that you are a) interested in their business b) know something about the position you applied for c) willing to fix the problem rather than exploit it.
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind."
"You know you're in love when you can't fall asleep because reality is finally better than your dreams."
~ Theodor Seuss Geisel

Masuri
Posts: 536
Joined: Sun Jul 22, 2007 8:23 pm UTC

Re: Wondering if I should take advantage of this security hole.

Postby Masuri » Thu Feb 21, 2008 2:22 am UTC

Amnesiasoft wrote:
Anpheus wrote:I don't see how he's blackmailing them if he says, "I found a problem, if you employ me I'll help you fix it, otherwise I'll not disclose it and you can try to fix it yourselves."

I agree with that, but there's no way of telling how a company would react to that anyway. Even though the message is not threatening in any way.

I am pretty sure the company I work for would react to the fullest extent of the law, even if they had to fabricate a threat. ;)

JayDee
Posts: 3620
Joined: Sat Nov 10, 2007 3:13 am UTC
Location: Most livable city in the world.

Re: Wondering if I should take advantage of this security hole.

Postby JayDee » Thu Feb 21, 2008 2:25 am UTC

'; DROP DATABASE;-- wrote:(I verified I was able to alter records, but I changed them back afterward)
Given that you've done this, I'd be very wary of contacting the company any way bar anonymously.
The Mighty Thesaurus wrote:I believe that everything can and must be joked about.
Hawknc wrote:I like to think that he hasn't left, he's just finally completed his foe list.

'; DROP DATABASE;--
Posts: 3284
Joined: Thu Nov 22, 2007 9:38 am UTC
Location: Midwest Alberta, where it's STILL snowy

Re: Wondering if I should take advantage of this security hole.

Postby '; DROP DATABASE;-- » Thu Feb 21, 2008 4:44 am UTC

Silver2Falcon wrote:
coppro wrote:
'; DROP DATABASE;-- wrote:(I live in Alberta, BTW, if that helps any of you lawyers out there.)
Is said corporation also in Alberta? If so, you probably could get a job just by hinting that you're unemployed and giving them the solution to the problem at the same time.


Except that you'd have to give them your name for that, which makes it a lot easier for them to go after you with a massive group of lawyers if that's what they'd want to end up doing.
Only if they replied positively to the message.
poxic wrote:You suck. And simultaneously rock. I think you've invented a new state of being.

b.i.o
Green is the loneliest number
Posts: 2519
Joined: Fri Jul 27, 2007 4:38 pm UTC
Location: Hong Kong

Re: Wondering if I should take advantage of this security hole.

Postby b.i.o » Thu Feb 21, 2008 5:41 am UTC

Even so, I'd be careful.

DJorgensen
Posts: 1503
Joined: Tue Feb 19, 2008 9:24 pm UTC
Location: A small reality, fractured from this one.

Re: Wondering if I should take advantage of this security hole.

Postby DJorgensen » Thu Feb 21, 2008 6:21 pm UTC

I do IT for a web development company in Edmonton and if someone were to send me info about a security hole in our systems, I would ultimately be glad someone caught it and didn't rain chaos and destruction down on the site. If they were interested in a job and could prove they had something we would need, I am sure the development team would consider hiring them (if they needed extra man power).

Ultimately telling them about the hole is the honest thing to do, but it can't hurt to ask if they are hiring either if you are interested.
trap: a device in which something (usually an animal) can be caught and penned.

Rippy
Posts: 2101
Joined: Sun Jul 22, 2007 11:27 pm UTC
Location: Ontario, Can o' Duh

Re: Wondering if I should take advantage of this security hole.

Postby Rippy » Tue Feb 26, 2008 4:10 am UTC

I would contact them saying you know of a giant security hole in their site, and for [insert small fee] you can offer your services and help them fix it. If you phrase it like you just stumbled upon the vulnerability and know how to fix it, I doubt they would assume you'd tell anyone else. And then you could also mention how, with their consent, you can prove to them how huge a problem it is. In case they think you're lying.

Basically, it's all in how you write it. If you're saying "give me money/a job, or this vulnerability won't get fixed", they'll react accordingly. If you say it like you're offering your services, they might be more interested. Or not. But if it's the latter case, at least you don't end up in court for extortion.

Enneract
Posts: 52
Joined: Sun Jan 20, 2008 11:43 am UTC

Re: Wondering if I should take advantage of this security hole.

Postby Enneract » Sun Mar 09, 2008 3:55 am UTC

I'm curious to know how this played out~

'; DROP DATABASE;--
Posts: 3284
Joined: Thu Nov 22, 2007 9:38 am UTC
Location: Midwest Alberta, where it's STILL snowy

Re: Wondering if I should take advantage of this security hole.

Postby '; DROP DATABASE;-- » Sun Mar 09, 2008 4:22 am UTC

I'll tell you when I get around to lugging my laptop out to a public AP to do it.
poxic wrote:You suck. And simultaneously rock. I think you've invented a new state of being.

coppro
Posts: 117
Joined: Mon Feb 04, 2008 6:04 am UTC

Re: Wondering if I should take advantage of this security hole.

Postby coppro » Sun Mar 09, 2008 5:42 am UTC

'; DROP DATABASE;-- wrote:I'll tell you when I get around to lugging my laptop out to a public AP to do it.
Would an anonymizer like http://www.stupidcensorship.com not do it?

kriel
Posts: 923
Joined: Thu Feb 07, 2008 2:58 pm UTC
Location: Somewhere I'm not.

Re: Wondering if I should take advantage of this security hole.

Postby kriel » Sun Mar 09, 2008 2:58 pm UTC

My two cents: Don't use YOUR laptop if you can get away with it.

Find a public cafe that doesn't keep logs of who uses their computer. Cyber cafe, library, nearby school (that you don't attend, with an open computer policy) and do it there. Then go through an anonymizer (and Tor if you can swing it, but might be hard on a computer you don't own). Then, after doing said informing, scour that computer best you can. I'd suggest CCleaner Portable, with the multiple pass overwrite turned on, but someone else may be able to suggest a better scourer.

I may just be being paranoid (and I can see how a public AP would be a very nice anonymizer), however it seems like a bad idea to use your equipment anywhere in the communication between you and who you want to be anonymous with.

Bruce
Posts: 447
Joined: Tue Feb 12, 2008 11:44 am UTC
Location: Melbourne

Re: Wondering if I should take advantage of this security hole.

Postby Bruce » Mon Mar 10, 2008 4:15 am UTC

I would just use ssh and do it from home *shrug*.
COMFORT, n.
A state of mind produced by contemplation of a neighbor's uneasiness.

iamfree
Posts: 121
Joined: Fri Feb 29, 2008 5:11 pm UTC
Location: Virginia

Re: Wondering if I should take advantage of this security hole.

Postby iamfree » Mon Mar 10, 2008 3:49 pm UTC

The problem with telling them you know and not telling them what it is or how to fix it or extorting them in any way is that they will know who you are, and if they don't hire you or get you to fix it and someone else finds the hole and exploits it, who do you think they are going to turn to and point massive lawyer fingers at?
GACAACGCACGCAACGCGCCCCGGACCACCUAA

just let It happen

