Is It Illegal To Disclose a Web Vulnerability?
Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"
Is this about discovering a vulnerability, or trying to discover a vulnerability?
If I click a link, and something breaks, and I've 'discovered' a problem, I've probably not done anything. It just broke, and I was the one who was there.
If I try to find a problem, and do (even if I don't exploit it), then I might have been doing something I shouldn't.
A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged with attempted B&E. You don't get to do a security audit on people's front doors.
As much as we like to separate people into black hats and white hats, if you were trying to jimmy the lock, for whatever reason, you were probably doing something you shouldn't have been.
Just my 2 cents, anyway.
Lost at C:>. Found at C.
What's the problem with sending info to a webmaster? And what's the point of doing anything else? If you post it publicly, you've created a race condition between script kiddies and the site admin, and should be punished. If you send it to the webmaster, you are doing a service, and shouldn't be punished. As long as you don't exploit it, you should be ok.
http://bgcommonsense.blogspot.com
A few years ago I was renewing my car tabs on the WA state's site and they had a box for 'donations to DOT' or somesuch. For kicks I tried putting in a negative value, and sure enough it reflected the total for my tabs as less. I went ahead and submitted things with a dollar taken off the value, just to see if it would actually go through. Sure enough, a week later I received my tabs, and the mathematically correct but embarrassing negative donation on my receipt.
I ended up calling them and letting them know about the bug. They were nice about it, and the next year at least it was fixed.
-Nic
It's not illegal to stand on the corner and say, "That house over there is selling cocaine for $10."
It is illegal to stand on the corner and say, "That house over there is selling cocaine for $10." when you are hired by the cocaine house.
So are these people saying, "Product X sux because of this vulnerability xyz here, exploitable via abc", and that's that, or are they saying, "Product X sux because of blah blah blah, and company X, could you pay me $10 or I'll release the info?"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
I once found child porn and told both the hostmaster and the police. After several days nothing had been done, so I went to the press. Right when it came out, the site went down. Good for me?
The police were after me because of:
1) Falsifying my identity, because I gave a fake address on gmx.net
2) Spreading of child porn, because I replied to a Usenet message with the URL still in it
3) Obstruction of a police investigation, because there was an investigation going on.
I never got a reply from the webmaster, because he apparently was not allowed to do anything, nor remove the site, because the police were investigating it already.
I never got a reply from the police, because their mailserver was down.
I was able to explain to them what I did.
I had a very understanding boss, which was the one where I posted from and whom they told they needed the person posting because of a child-porn related crime investigation. At other places I might have lost my job.
It goes without saying that that sighting of child porn must have been a fluke. I have not ever seen any child porn or any other illegal activity on the Internet.
To sum it up: if disclosing web vulnerabilities is outlawed, only outlaws will disclose web vulnerabilities. Oh, and they don't.
Don't fight for your country, if your country does not fight for you.
If you don't own the website or you don't have the owner's permission then it is illegal for you to attempt to access the web server except if you are "using it properly" (e.g. you actually surf the web site via the links). So if you have found the exploit without permission then you have already committed a crime. Then telling people about it 1. is stupid, 2. gives people evidence to have you charged. As to whether it is illegal to disclose the vulnerability is anybody's guess. I would think that it wouldn't be illegal but I still would not do it.
I actually did find a real world security vulnerability of that form... Elevator in the building I worked in was prone to malfunction. The bottom floor of the building was a pub that was not open at 8 am when I went to work. Normally visitors would be kept out of said pub by the fact that you would need a key for the elevator to go to that floor. One day I got on the elevator, pressed the button for the floor my office was on, when the doors opened I stepped out without paying much attention and found myself alone in the middle of the closed pub...
Now, is it my fault I ended up there? I don't think so... Would the pub want to know they have this problem so they can install an additional security door/gate? Probably. Was what I did illegal... maybe, I did trespass on their property, though entirely by accident. Had I been paying more attention I would not have exited the elevator, but I wasn't, so I stood in the middle of the pub long enough for the next elevator car to arrive.
Would I get in trouble for reporting it? Maybe... hard to say, people get insanely paranoid about security, and whether you are talking electronic security, or real world physical security, in most cases people would rather blame the person who found the problem than acknowledge the problem exists in the first place...
Bike U-locks had a defect and could be picked easily with a ball point pen. Informing people helps everyone. Informing no one helps bike thieves because they are the kind of people who find out these things and inform each other about them.
Why is this difficult to understand?
As for all the "doing something you shouldn't" bullshit, it's innocent until proven guilty. When did people become so terrified of freedom?
This will be my second post in here, something I normally don't do but I just recalled something from not so long ago that was actually posted on Slashdot. Do we all forget so quickly? Please read this:
http://it.slashdot.org/article.pl?sid=05/10/07/1532241&tid=172/
"Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question."
This is exactly what this article is discussing. Not only should you be held liable in some instances for "looking for vulnerabilities", you should be prosecuted. Now the above case is surely an extreme. Just reading the article I would be completely against prosecution in such an instance. Then again I wasn't part of the team that prosecuted or reported him. He might have tried to do a little more than just check a single ../../. However, he shouldn't have been doing that either. Tough one there.. but you've been warned!
How many times have you seen a car with their lights on in a parking lot with nobody in the car?
In the old days, someone would check the doors to see if they were unlocked and turn off the lights for the person to keep their battery from running down.
Would you touch someone else's car today if the lights were on?
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling