Is It Illegal To Disclose a Web Vulnerability?

Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"

Re:It ought to be

[LiquidCoooled]

It depends if your daughters bedroom is on a shopfront on Rodeo drive (or wherever).

Expecting privacy on a publicly advertised service is different to people using zoom lenses to peer through the fence of your gated community.

Discover, or try to discover?

[gstoddart]

Is this about discovering a vulerability, or trying to discover a vulnerability?

If I click a link, and something breaks, and I've 'discovered' a problem, I've probably not done anything. It just broke, and I was the one who was there.

If I try to find a problem, and do (even if I don't exploit it), then I might have been doing something I shouldn't.

A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged bith attempted B&E. You don't get to do a security audit on people's front doors.

As much as we like to separate people into black hats and white hats, if you were trying to jimmy the lock, for whatever reason, you were probably doing something you shouldn't have been.

Just my 2 cents, anyway.

Re:Discover, or try to discover?

[gstoddart]

The problem I find with that, is that it leaves room for somebody who was purposely trying to find security flaws to go about and say, "But I found it on accident!"

Well, I guess, like any legal matter, one hopes there is a threshold of evidence to indicate one way or the other, and that people are looking at it on a case-by-case basis.

If I bump into an owie on someone's site, send them a friendly "hey, did you know this", and the logs don't indicate that I spent a few hours entering in junk, then, maybe, I need the benefit of the doubt and I was a nice guy who told them of something unusual as soon as it happened.

If I spent hours putting in malformed urls, experimenting with SQL injection, XSS stuff, and the logs show it, then maybe you need to look at me a little closer as someone who was specifically trying to breach their security.

Like any such thing, I would hope it's not a truly black or white distinction -- I would hate to think that accidentally discovering a bug on a web page, which was a vulnerability, was a crime. That would mean that you were guilty of comitting a crime, when in fact, you found a bug in someone's software. And *that* is scary indeed!!

You do raise a good point; but sometimes it's better that the law use our nice little presumption of innocence and we miss people, as opposed to a presumption of guilt, and we arrest innocent people.

Cheers

Re:Discover, or try to discover?

[ACMENEWSLLC]

This is a gray area.

One of my network magazines that I get at no charge by filling out survey information had expired. I got a phone call and the person on the line asked me to renew. She provided a generic website address, and then a unique ID.

The problem was that the Unique ID was not random. It was something like 123456. When I put this in, it wasn't just a questioner. It had my personal information. I could put in 123457 or 123455 and bring up the personal information of someone else.

It is a web vulnerability, imo, caused by improper security on my personal data.

This doesn't match up with your simile of picking a lock.

I did report this, and the company did change their website. I reported it on the phone as I was talking to the person, as well as by e-mail.

Re:Discover, or try to discover?

[99BottlesOfBeerInMyF]

A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged bith attempted B&E. You don't get to do a security audit on people's front doors.

I don't buy that analogy. Breaking and entering is a crime. Theft is a crime. Exploiting computer vulnerabilities is a crime. I'm not sure finding computer vulnerabilities is or should be a crime. I could just as easily use the analogy, "looking at the windows of houses to see if they are open or unlocked is not a crime, but climbing through a window is."

I think laws that rely upon somehow knowing the intent of the person performing an act are pretty poor laws. If I go tell you your locks are really old and can be opened with a plastic fork because I noticed it while walking by, and you happen to run a store I do business with and hence have my CC# on file, that sure shouldn't be a crime. If I write a letter to the editor of the newspaper saying the same, it should not be a crime. If I notice on your Web site the same level of e-security, I don't see how it is qualitatively different.

Re:Discover, or try to discover?

[99BottlesOfBeerInMyF]

If you then went to a known burglar with the information, well, you're no longer just doing something nice and innocent now, are you??

Yes, but no one is claiming you should be able to find vulnerabilities and give or sell them to blackhats, merely make them public or inform the site operator without worrying about being sued.

or the second half ... WTF does having, or not having, your credit card # on file apply to this?? It seems a bit spurious to the conversation at hand, and I'll treat it as such.

No it isn't. If they have your credit card on file (as many e-businesses might) then you have a business relationship with them and a vested interest in their security. It is perfectly legal and sometimes industry practice to hire private investigators to look into the security of current or proposed business partners.

I don't think you've idly done nothing.

You've done something, but nothing illegal.

You've made available to people the means to commit and illegal act. The fact that it was just there for anyone to see (or you spent three hours trying to find it) doesn't mean you wouldn't have anything to do with them getting robbed.

So what if the local bank, where the whole town keeps their money, tends to leave the back door propped open and the safe unlocked? Should it be illegal for me to tell the paper or the paper to write an article letting everyone know they should take their money out? Should you have to be concerned about being sued if you write the bank manager and let him know what is going on?

I realize people figure that white hats should scream really loud so everyone knows the vulerability, because the black hats wouldn't. But, telling the black hats how to do it, you no longer get to say you're better than they are. In fact, you're probably worse, because you were the one casing the joint, as it were.

Not at all. Whitehats do not profit from illegal actions and are aiming to improve overall security. Full disclosure is not always the best way to go about improving security, but sometimes it is. Why you think only in terms of full disclosure, however, is a mystery to me. Even the summary specifically mentions people being sued for just telling the Web service provider that the service has vulnerabilities in it.

You don't have an obligation to ensure that everyone in the world knows how to open every unsecured lock.

No, but sometimes telling the public how to open a particular lock is the best way to improve security. If Diebold starts selling a new combination bike lock, and I discover 1.2.3.4 always opens it, and I know at least one gang of thieves is already looking for these locks and stealing bikes via this method... I should 100% have no fear that I will suffer legal repercussions if I tell the support guys at Diebold. If Diebold refuses to acknowledge the problem I should likewise have no fear that my exercising my freedom of expression and telling the local newspaper will result in my being prosecuted for some crime. The same goes for software and services on computers.

Re:Discover, or try to discover?

[Pikoro]

I ran across something like this once. I was doing a Google search for some data and caught a link to a NASA website.

Clicking the link took me to a page that had links to pdf reports, etc. Clicking on one of those took me to a standard apache index page with a list of the contents of the directory.

After clicking around in there, the source files for a multi-thousand (close to $10,000) cold fusion enterprise CMS system were discovered. Clicking on one of the .cfm files revealed the source, the code was not running. Very obviously, the web server was not configured correctly. After looking around some more, there was a database backup directory with db dumps for the CMS system dating back a couple of years.

Opening one of those files revealed usernames and passwords (in plain text mind you) for many thousands of nasa employees, scientists, politicians, etc... that had accounts on the CMS.

Another file contained the software license and key to run said CMS software in it's most expensive form, the Enterprise Ultra edition with unlimited domains and users.

I sent an email to the server administrator that was listed as being the registered user of the CMS stating that their code, license, and database were out in the open and only *one click* away from a google search. The query I used was basic, simply something like "weather Data" although I can't remember the exact term now. No "Google hacking" involved, and google only returned 4 results. Theirs being #1.

I never received a reply from NASA, and after about 6 months, the page was not fixed, but the CMS and database backups were finally removed.

Sometimes, even disclosing a problem to a very public website doesn't generate a response.

Anonymizers?

[tfinniga]

So, this might not be relevant, but once I reported a cross-site scripting to a website by using a web anonymizer to create a hotmail account, sending exactly one message, and then never using the email account again.

Anonymizer tools have improved since then, especially for combating censorship. Would you be able to use TOR or something similar to report vulnerabilities without exposing your identity?

Re:Test my house for security vulnerabilities

[fireboy1919]

Not really a good comparison since your house is private and websites are essentially open to all comers.

It's more like checking the locks on the backside of a Walmart. Suspicious, but not illegal, and not nearly as unethical.

Heck, you may actually have a legitimate reason to be back there - such as offloading goods from a truck.

The same can be said for security vulnerabilities in websites. You can easily stumble across them when you're not even looking in places that you're supposed to be.

What's the problem?

[gravesb]

What's the problem with sending info to a webmaster? And what's the point of doing anything else? If you post it publicly, you've created a race condition between script kiddies and the site admin, and should be punished. If you send it to the webmaster, you are doing a service, and shouldn't be punished. As long as you don't exploit it, you should be ok.

Re:What's the problem?

[fractalus]

Simple: sometimes such information gets lost, or doesn't get acted on, and the bug persists. That bug could be exposing thousands (or hundreds of thousands) of users of that site to risks they're not aware of. If one person found it, another surely can, so it's a reasonable assumption that someone else other than the site owner could know about the bug and be exploiting it for personal gain. At that point, being aware of the bug but not informing the users is allowing them to be exposed to unnecessary risk. Businesses are often reluctant or slow to fix problems because they assume nobody knows about them or they're costly to fix (just like auto companies hate to have to recall cars to fix problems). Sometimes, the only way to get the problem fixed is to announce it publicly and give the company a bit of a black eye.

Re:What's the problem?

[Jussi+K.+Kojootti]

That may be a race, but a race condition is something else...

vulnerability disclosure: how much is too much?

[rabblerouzer]

Some interesting comments from Bruce Schneier and Marcus Ranum (and Microsoft too) on the debate. http://www2.csoonline.com/exclusives/column.html?C ID=28088

Re:Test my house for security vulnerabilities

[russ1337]

Would you say anything if you were in an airport and noticed a door unlocked and ajar leading from the public area to the tarmac around the aircraft?

Re:Moot issue?

[wizzard2k]

You could report it through a 3rd party like The Zero Day Initiative, a division of 3com's Tipping Point intrusion prevention service.

That gives small time security experts a platform of anonymity to disclose vulnerabilities to anyone (not just 3com's customers) while retaining the possibility of a reward.

Re:It ought to be

[jimlintott]

It would be perfectly legal to stand on the street and stare at my naked daughter through her bedroom window.

She has drapes for this.

Re:It ought to be

Two questions:

Is she cute?
Does she use her drapes?

It's been ok for me

[nicpottier]

A few years ago I was renewing my car tabs on the WA state's site and they had a box for 'donations to DOT' or somesuch. For kicks I tried putting in a negative value, and sure enough it reflected the total for my tabs as less. I went ahead and submitted things with a dollar taken off the value, just to see if it would actually go through. Sure enough, a week later I received my tabs, and the mathematically correct but embarrassing negative donation on my receipt.

I ended up calling them and letting them know about the bug. They were nice about it, and the next year at least it was fixed.

-Nic

Re:So is it illegal too...

[Kadin2048]

It's not, except that what gets people in trouble, is when they try to take credit for a vulnerability they've found in a production website.

I doubt that you'd get in trouble -- and how could you? -- if you submitted the vulnerability, or even publicized it, anonymously. There are lots of ways to do this; Mixmaster comes to mind, and is practically invulnerable to tracing, particularly when your potential adversary isn't expecting an anonymous communication to come in.

If you found a problem, realize that no good is ever going to come to you because of it, and don't expect to ever be rewarded or thanked. Once you've acknowledged those things, there's no reason to attach your name to it, when you let them know.

It's when you try to have your cake and eat it too -- point out someone else's problem while getting rewarded for it -- that the problems really begin.

Look who will argue, write and advocate the law.

[Protonk]

this is an issue that simply must not be decided by the people whom it has been entrusted to. In this case, the vested interests that will lobby congress, pay for legal teams, and write friend of the court briefs are not the whisleblowers and the security researchers. There are HUGE industries where the economic incentive is to ignore problems, rely on obscurity for security, and prosecute those who would expose vulnerabilities.

Each time an exploit comes out, the pattern is the same. the company doesn't announce it, anti-virus makers are either paid off (as in 'approved' spyware and/or rootkits) or not kept informed, and once the story breaks, the public relations machine starts. The researcher is vilified as a hacker, the problem is denied or minimized, and the prospect of a patch is left moot because this would require accepting that a huge problem exists. Most of us scream that this is ridiculous, companies should tell everyone when an exploit shows up, and patch it as soon as possible. More to the point, they should expose their source code to scrutiny in order to better provide services to their customers.

Are you sitting down? good. They won't and they don't care. The first rule in the PR handbook is to deny and put off realization. If the big front is that there isn't a problem, or that a crack of a voting machine can only be done in a lab, and months down the road, the company quietly sues the researcher or releases a patch, they win. People have a limited attention span and fatigue quickly in the face of fear and hysteria. As long as your company's admission of guilt comes well after the original problem, or not at all, people are happy.

With this in mind, let's look at the law. thankfully, whistleblowers have some protection, and some internal voices about code might not be silenced, especially if the review takes place within the judicial system, and not through a new law. Of course, corporate secrecy, as in the case of Apple and HP, is pretty extreme, and most employees wouldn't risk the civil consequences of voicing a problem that doesn't rise to the level of a public safety hazard.

Outside researchers are in more and more trouble, and this really only leads to problems for the customer base as a whole. We rely on sites like MOAB to shame companies into action. We also rely on OSS competition in order to make products like IE better--Firefox gives an economic incentive to Microsoft to improve their product, otherwise, security development would have languished.

Very few analogues exist in the places where this is critically important: commercial and banking software. CITIbank suffers a classbreak and doesn't bother informing their customers. Security conscious customers can voice their discontent and move to another bank, but we have to trust that the new bank is as averse to security breaches as we are. For the rest of the millions of customers, security will not improve. Since identity theft costs are largely borne by the customers, the banks don't care. because the banks don't care, it is much easier, and better in their eyes, to make publishing voulnerabilities like this one illegal and trust that their customers will never be the wiser.

check out this article:
[PDF] Why information security is hard

Re:It ought to be

[rootofevil]

in most states it would be illegal for her to stand in view of someone in the street naked. what does that say about website vulnerabilities?

If you found an unlocked door at an airport

[Beryllium+Sphere(tm)]

Funny you should mention that. Just this year, a woman looking for her wallet pushed open a door to a parked airplane at Newark. An alarm went off. Nobody paid any attention. She was alone on the airplane for several minutes checking around the seat for her wallet.

Re:It may not be illegal...

[Evardsson]

Hmmm, to answer point by point:

• No one likes the bearer of bad news - not the website owner, not the vendor who sold the software, not the consultant who coded the website. They have lawyers; their interest is in making money, not necessarily in creating secure software. Keep this in mind. If they can find a cause for libel, they will. If they can deflect blame (stupid hackers are at it again!), they will.
  As a website owner, and admin of several sites, yes I do want to know and while no one likes bad news, I would rather hear it from a "good samaritan" than find out after my site was hacked.
• Why would you expose yourself to potential legal problems, especially considering that you aren't getting paid for your efforts
  Because I would truly appreciate it if others would do the same kind service.
• If they were truly concerned about security, they would have hired an audit firm.
  Not everyone can afford an audit firm. Also, there are things that security auditors miss as well. Any security "expert" who tries to tell you they will find every possible edge-case scenario is a liar and not to be trusted any more than the programmer that claims his or her software is 100% bug-free.
• Getting hacked is perhaps the best teaching experience regarding security. Let another hacker expose their vulnerability in a way they can't deny. Then they will take security seriously.
  Yes, getting hacked is a valuable learning tool, but also an incredibly expensive one.
• Do the security industry a favor: why would anyone hire a security specialist when good samaritans on the internet (aka whitehats) will audit their website for free? Don't undermine your fellow workers.
  Do you really think that anonymous tips could ever shut down the digital security industry? This is a straw-man argument and not worth any more time.
• No one has ever been brought to trial or sued for failure to disclose a security vulnerability. You stand nothing to lose by quietly taking your business elsewhere; let the company figure out that the public wants secure web sites.
  Okay, so doing nothing means that you won't get into trouble. And yes, if a site has vulnerabilities that are not remedied you are probably right to take your business elsewhere. But I see this as akin to driving past a burning building and not calling the fire department. "Let it burn, it's not my problem." Did you stop to think about all the users of the site who don't know about the security issues? Perhaps your dear aunt Ethel whose entire stock portfolio is about to be stolen by the hackers who come after you and discover the same flaw.

In the end it comes down to "What is the right thing to do?" If you really don't care then it's a non-issue, but if you do care about trying to make the net a better place an anonymous tip is at least the decent thing to do, at least until someone figures out how to produce perfect software and websites.

Re:So is it illegal too...

[Lesrahpem]

I see a big difference.

If the hardware store gets broken into it mainly effects the owner(s) of the store, the people who work there, and not many other people. If a site like yahoo (the mail aspect of it), a banking site, or paypal is broken into and exploited then it effects every single person who uses the site in a very negative way.

I don't think publically announcing a vulnerability in a specific public service or facility is very responsible. At the same time, many businesses don't do anything to fix the problem if only one person tells them about it. The public releases we commonly see are sometimes necessary because without the pressure of the public eye the business won't correct the problems in it's service.

I've done things similar to this on a few occasions. I found a vulnerability in Surgemail, an all-in-one mail server software for Linux, which allowed any remote user to read any mail to the root account, and to send mail as root. I emailed them about it several times and received no reply for over six months. I finally released the info on it, and they fixed it two weeks later. I did something similar with an online service schools in my area offer which allows anyone to see the grades and personal info (SS#, home address, etc) of students in the school through a SQL injection. I contacted several schools about the issue as well as the company they had contracted to write the software for them. It's been 2 years and they still haven't fixed it.