Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is It Illegal To Disclose a Web Vulnerability?

Posted by kdawson on from the responsible-schresponsible dept.

Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"

5 of 198 comments (clear)

  1. Discover, or try to discover? by gstoddart · · Score: 5, Interesting

    Is this about discovering a vulerability, or trying to discover a vulnerability?

    If I click a link, and something breaks, and I've 'discovered' a problem, I've probably not done anything. It just broke, and I was the one who was there.

    If I try to find a problem, and do (even if I don't exploit it), then I might have been doing something I shouldn't.

    A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged bith attempted B&E. You don't get to do a security audit on people's front doors.

    As much as we like to separate people into black hats and white hats, if you were trying to jimmy the lock, for whatever reason, you were probably doing something you shouldn't have been.

    Just my 2 cents, anyway.

    --
    Lost at C:>. Found at C.
    1. Re:Discover, or try to discover? by gstoddart · · Score: 3, Interesting
      The problem I find with that, is that it leaves room for somebody who was purposely trying to find security flaws to go about and say, "But I found it on accident!"

      Well, I guess, like any legal matter, one hopes there is a threshold of evidence to indicate one way or the other, and that people are looking at it on a case-by-case basis.

      If I bump into an owie on someone's site, send them a friendly "hey, did you know this", and the logs don't indicate that I spent a few hours entering in junk, then, maybe, I need the benefit of the doubt and I was a nice guy who told them of something unusual as soon as it happened.

      If I spent hours putting in malformed urls, experimenting with SQL injection, XSS stuff, and the logs show it, then maybe you need to look at me a little closer as someone who was specifically trying to breach their security.

      Like any such thing, I would hope it's not a truly black or white distinction -- I would hate to think that accidentally discovering a bug on a web page, which was a vulnerability, was a crime. That would mean that you were guilty of comitting a crime, when in fact, you found a bug in someone's software. And *that* is scary indeed!!

      You do raise a good point; but sometimes it's better that the law use our nice little presumption of innocence and we miss people, as opposed to a presumption of guilt, and we arrest innocent people.

      Cheers
      --
      Lost at C:>. Found at C.
    2. Re:Discover, or try to discover? by ACMENEWSLLC · · Score: 3, Interesting

      This is a gray area.

      One of my network magazines that I get at no charge by filling out survey information had expired. I got a phone call and the person on the line asked me to renew. She provided a generic website address, and then a unique ID.

      The problem was that the Unique ID was not random. It was something like 123456. When I put this in, it wasn't just a questioner. It had my personal information. I could put in 123457 or 123455 and bring up the personal information of someone else.

      It is a web vulnerability, imo, caused by improper security on my personal data.

      This doesn't match up with your simile of picking a lock.

      I did report this, and the company did change their website. I reported it on the phone as I was talking to the person, as well as by e-mail.

  2. What's the problem? by gravesb · · Score: 3, Interesting

    What's the problem with sending info to a webmaster? And what's the point of doing anything else? If you post it publicly, you've created a race condition between script kiddies and the site admin, and should be punished. If you send it to the webmaster, you are doing a service, and shouldn't be punished. As long as you don't exploit it, you should be ok.

    --
    http://bgcommonsense.blogspot.com
  3. It's been ok for me by nicpottier · · Score: 4, Interesting


    A few years ago I was renewing my car tabs on the WA state's site and they had a box for 'donations to DOT' or somesuch. For kicks I tried putting in a negative value, and sure enough it reflected the total for my tabs as less. I went ahead and submitted things with a dollar taken off the value, just to see if it would actually go through. Sure enough, a week later I received my tabs, and the mathematically correct but embarrassing negative donation on my receipt.

    I ended up calling them and letting them know about the bug. They were nice about it, and the next year at least it was fixed.

    -Nic