Slashdot Mirror


Security Researcher Threatened With Vulnerability Repair Bill

mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."

14 of 231 comments

  1. Lesson learned by nurb432 · · Score: 5, Insightful

    If you find a vulnerability, don't tell the people at risk, sell it or use it.

    Either that or move to a less stupid country.

    --
    ---- Booth was a patriot ----
    1. Re:Lesson learned by Anonymous Coward · · Score: 2, Insightful

      More like you need to extend whistleblower protection for security researchers disclosing vulnerabilities. However, the guy basically admitted to unlawful access of their system in order to prove the vulnerability existed, which in ethical circles is a big no-no.

    2. Re:Lesson learned by LifesABeach · · Score: 5, Insightful

      Well, let's just back up here a bit. If my neighbor discovers that part of my fence is broken, and walks onto my property to tell me so:
      1. Is the neighbor guilty of Trespassing?
      2. Is the neighbor guilty of causing the fence to be broken?
      3. Is the neighbor guilty of being the cause of the broken fence?
      4. Is the neighbor guilty of Negligence because the fence is broken?
      5. Is the neighbor guilty of Indirect Negligence because the fence is broken?
      6. Is the neighbor guilty of not maintaining the fence?
      7. Is the neighbor guilty of any damage because the fence is broken?

      Some Lawyer in their first year of business is going to carve up a Hedge Fund like a Christmas Turkey. Cheers!

    3. Re:Lesson learned by arth1 · · Score: 3, Insightful

      The problem was that your neighbor, in order to discover whether your fence was broken, tried 600 entry points.

      No, I'm not defending the Australian company and its lawyers, but pen-testing without permission is black hat even if done under responsible disclosure.
      It's one thing to pen-test a device you own, it's a whole different kettle of fish to do the same to a random company.

      If I were Judge Dredd in this case, I'd award the company a 1 cent restitution along with a hefty fine for wasting the court's time, then put the researcher in jail for three months for the crime of stupidity.

    4. Re:Lesson learned by bratwiz · · Score: 2, Insightful

      What you mean is, if the neighbor stops by to tell you your fence is broken and hands you your TV set as proof he was able to access your stuff.

      I'd say that's a bit different than all the things you suggested.

      How would you feel about it?

    5. Re:Lesson learned by interkin3tic · · Score: 3, Insightful

      Either that or move to a less stupid country.

      "Shoot the messenger" transcends national boundaries. You really want to find a less stupid PLANET to live on.

    6. Re:Lesson learned by HappyPsycho · · Score: 3, Insightful

      He used the appropriate amount of force, we all know these companies would not rush to fix it unless there was a known exploit ripping them to bits.

      If he didn't show an exploit the company would most likely have claimed it was only "theoretically possible". Especially when all that was required was:

      He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleague's account.

      Complete lack of authentication seems the culprit here, does that make google, yahoo, bing, etc. potentially guilty as well? They could have come across it as well (hopefully this company knows about robots.txt), I guess mass spidering the site could yield some interesting results if this flaw exists (yes I know they fixed this one, doesn't mean others don't exist).

      To tell you the honest truth, if someone said change the ID on that URL to get into another account when I'm logged into my online banking I would laugh them out of the room, what scares the F*** out of me is this company is in charge of a couple million retirement accounts (http://www.pillar.com.au/about_us.htm -> http://en.wikipedia.org/wiki/Superannuation_in_Australia).
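The flaw the comments above describe, as an added example that is not code from the thread or from the fund: a minimal statement-lookup handler in the vulnerable form (authenticated users can read any account by changing the number) next to a hardened form that checks object ownership, plus the incrementing walk that the researcher is described as having scripted. The account table, session tokens, user names and handler names are all constructed for illustration.

```python
"""Added example (not from the Slashdot thread or the fund's code): a
statement-lookup endpoint with an insecure direct object reference,
beside its hardened form. All data below is constructed."""

from dataclasses import dataclass

# Constructed sample data: account id -> (owner user id, statement text)
ACCOUNTS = {
    1234: ("alice", "Balance: 41,200.00"),
    1235: ("bob",   "Balance: 9,850.50"),
    1236: ("carol", "Balance: 120,000.00"),
}

# Constructed sessions: session token -> authenticated user id
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: str


def _user_for(session_token):
    return SESSIONS.get(session_token)


def show_statement_vulnerable(session_token: str, acct: int) -> Response:
    """Vulnerable: checks that *some* user is logged in, then trusts the
    acct parameter. Any authenticated user can read any account simply by
    changing the number in the URL."""
    if _user_for(session_token) is None:
        return Response(401, "login required")
    if acct not in ACCOUNTS:
        return Response(404, "no such account")
    _owner, statement = ACCOUNTS[acct]
    return Response(200, statement)


def show_statement_fixed(session_token: str, acct: int) -> Response:
    """Hardened: resolve the object, then verify the caller owns it.
    Missing and foreign accounts both return 404, so the endpoint cannot
    be used as an oracle for which account numbers exist."""
    user = _user_for(session_token)
    if user is None:
        return Response(401, "login required")
    record = ACCOUNTS.get(acct)
    if record is None or record[0] != user:
        return Response(404, "no such account")
    return Response(200, record[1])


def enumerate_accounts(handler, session_token, start, count):
    """The walk described in the thread: increment the id and keep
    whatever comes back with HTTP 200. Returns {acct: body}."""
    hits = {}
    for acct in range(start, start + count):
        resp = handler(session_token, acct)
        if resp.status == 200:
            hits[acct] = resp.body
    return hits


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(show_statement_vulnerable, "tok-alice", 1234, 5))
    print("fixed:     ", enumerate_accounts(show_statement_fixed, "tok-alice", 1234, 5))
```

Against the vulnerable handler a single logged-in session harvests every account in the range; against the fixed one it only gets its own. Note the fixed handler deliberately does not distinguish "exists but not yours" from "does not exist", which is the second half of closing an IDOR: otherwise the same loop still enumerates valid account numbers even if it cannot read them.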

  2. As the old idiom goes: by magsol · · Score: 5, Insightful

    No good deed goes unpunished.

    Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.

    --
    "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
  3. Good Samaritan Laws by bmo · · Score: 3, Insightful

    In meatspace, there are Good Samaritan laws that say that if you help someone who is in danger, you are not to be sued. Pulling someone from a burning car is not something that should bankrupt the rescuer.

    We need this for e-space.

    If you find a flaw and report it to appropriate people, you should not become a target because you made someone look bad.

    The alternative is to never report a flaw. And no, the argument that you can do it anonymously is bullshit too, because people will fuck that up like they already do.

    --
    BMO

  4. Re:Full-Disclosure by Hatta · · Score: 3, Insightful

    If you find a vulnerability, disclose it. Publicly.

    and anonymously.

    --
    Give me Classic Slashdot or give me death!
  5. Better do a cavity search, for good measure. by FyberOptic · · Score: 4, Insightful

    "Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn't take anything of mine."

  6. Re:Suppose you live in an apartment. by Onymous+Coward · · Score: 4, Insightful

    That's your idea of a closer analogy? I daresay you are biased and painting things with deceptive license.

    Let's make an honestly closer analogy:

    When opening my apartment door I notice that my key has the apartment number written on it in a special way. Being a locksmith, I get an idea: Does the fancy lock just read the number to determine if the key's good? Because that would be bad. In the same style, I write a different number on my key, the number of my neighbor's apartment, and try it there. It works. We have a problem. I check the whole floor -- all vulnerable to this silliness.

    I call up my locksmith friend and tell him how stupid this is. We have a good laugh and talk about what I should do. The next day I call the apartment manager, explain we've got a real problem, and I tell him what I did. I even walked his handyman through the steps so they could clearly understand. The manager has the problem fixed the next day. Job done, right?

    The thing is, the super sends the cops to talk with me. With my having been a locksmith contractor to the same police force, it went okay, but it left me shaken. I mean, I talked with the super directly and gave him all my contact info. He knows who I am. Why send the cops?

    Later on, the apartment manager sends a notice to everyone in the building, telling them there was a security problem, but it's fixed, and he sincerely apologizes. In particular he says:

    It has come to our attention that a resident of our building devised a way to open your door. Access to your apartment was limited and rectified immediately.

    Please note: This incident was not the result of a targeted attempt to access your apartment. This resident alerted us to the ability to open your lock and advised that your door was only opened when testing the security of his own apartment. The member advised that he has not taken pictures of your apartment or taken any items.

    And now they've sent me a letter telling me they had to inform the police about how I got into the other apartments because it could be a criminal act; they tell me they've locked me out of my apartment; they say they had to spend money to fix this whole lock problem because of me — the nerve! — they say they have the right to get the money it took to fix their problem from me — what! — they say that they want complete access to my keys, pens, desk, and tools; and they say that they want me never to look for security problems in the building again.

    You're darn tootin'! If this is the thanks I get! Some people!

  7. large numbers != big evil by Onymous+Coward · · Score: 3, Insightful

    Hm. The URL has my account number in it... I wonder if all accounts are accessible by that param alone? Nah. Well, let's see... I'll just increment the number.

    ACCOUNT=1234
    while true; do
        ACCOUNT=$((ACCOUNT+1))
        # -nv: one line per fetch (URL, status, size), captured with the body in log.<acct>
        wget -nv "http://site.with.FAIL.security/showstatement?acct=$ACCOUNT" > "log.$ACCOUNT" 2>&1
    done

    By the time I press Ctrl-c I've hacked over 500 accounts!
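The flip side of the loop above, as an added example that is not from the thread: what the walk looks like in the server's own access log, and a small detector that a practitioner could run over it. It parses constructed log lines in Combined Log Format, groups successful statement requests by client IP, and flags clients whose acct values were requested as a long run of consecutive numbers. The endpoint path, parameter name, IP addresses, timestamps and the threshold are assumptions for illustration.

```python
"""Added example (not from the thread): detect sequential account
enumeration against a statement endpoint from access-log lines.
All log lines, names and thresholds below are constructed."""

import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Combined Log Format, user-agent omitted).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2011:09:01:01 +1100] "GET /showstatement?acct=1234 HTTP/1.1" 200 3120
10.0.0.5 - - [20/Oct/2011:09:01:02 +1100] "GET /showstatement?acct=1235 HTTP/1.1" 200 3044
10.0.0.5 - - [20/Oct/2011:09:01:02 +1100] "GET /showstatement?acct=1236 HTTP/1.1" 200 2998
10.0.0.5 - - [20/Oct/2011:09:01:03 +1100] "GET /showstatement?acct=1237 HTTP/1.1" 200 3101
10.0.0.5 - - [20/Oct/2011:09:01:03 +1100] "GET /showstatement?acct=1238 HTTP/1.1" 200 3077
10.0.0.5 - - [20/Oct/2011:09:01:04 +1100] "GET /showstatement?acct=1239 HTTP/1.1" 200 3055
10.0.0.9 - - [20/Oct/2011:09:05:40 +1100] "GET /showstatement?acct=8801 HTTP/1.1" 200 3120
10.0.0.9 - - [20/Oct/2011:09:07:12 +1100] "GET /showstatement?acct=8801 HTTP/1.1" 200 3120
10.0.0.9 - - [20/Oct/2011:09:09:30 +1100] "GET /logout HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

STATEMENT_PATH = "/showstatement"   # assumed endpoint name
ID_PARAM = "acct"                    # assumed parameter name


def parse_line(line):
    """Return (ip, acct, status) for a statement request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != STATEMENT_PATH:
        return None
    ids = parse_qs(parts.query).get(ID_PARAM)
    if not ids or not ids[0].isdigit():
        return None
    return m.group("ip"), int(ids[0]), int(m.group("status"))


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers (step 1) in
    request order, e.g. [5, 6, 7, 9] -> 3. Empty input -> 0."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=5):
    """Return {ip: run_length} for clients whose successful statement
    requests walked at least min_run consecutive account ids."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, acct, status = parsed
        if status == 200:          # only count reads that actually succeeded
            per_ip[ip].append(acct)
    runs = {ip: longest_sequential_run(ids) for ip, ids in per_ip.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

On the sample log the first client is flagged with a run of six consecutive ids while the second, which re-read its own account twice, is not. A walk of 500 accounts at one request per second is an unmistakable signal; the uncomfortable part of the story is that a site where the ids are sequential and the check is missing will usually have no one looking at that log until a researcher writes in.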

  8. Proper Security Disclosure Protocol by X86Daddy · · Score: 3, Insightful

    You go to a web cafe and post it on 4chan, as Anonymous of course. That is what the system has encouraged.