Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Threatened With Vulnerability Repair Bill

Posted by Soulskill on from the biting-a-helping-hand dept.

mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."

19 of 231 comments (clear)

  1. Lesson learned by nurb432 · · Score: 5, Insightful

    If you find a vulnerability, don't tell the people at risk, sell it or use it.

    Either that or move to a less stupid country.

    --
    ---- Booth was a patriot ----
    1. Re:Lesson learned by LifesABeach · · Score: 5, Insightful

      Well, lets just backup here a bit. If my neighbor discovers that part of my fence is broken, and walks onto my property to tell me so:
      1. Is the neighbor guilty of Trespassing?
      2. Is the neighbor guilty of causing the fence to be broken?
      3. Is the neighbor guilty of being the cause of the broken fence?
      4. Is the neighbor guilty of Negligence because the fence is broken?
      5. Is the neighbor guilty of Indirect Negligence because the fence is broken?
      6. Is the neighbor guilty of not maintaining the fence?
      7. Is the neighbor guilty of any damage because the fence is broken?

      Some Lawyer in their first year of business is going to carve up a Hedge Fund like a Christmas Turkey. Cheers!

    2. Re:Lesson learned by arth1 · · Score: 3, Insightful

      The problem was that your neighbor, in order to discover whether your fence was broken, tried 600 entry points.

      No, I'm not defending the Australian company and its lawyers, but pen-testing without permission is black hat even if done under responsible disclosure.
      It's one thing to pen-test a device you own, it's a whole different kettle of fish to do the same to a random company.

      If I were Judge Dredd in this case, I'd award the company a 1 cent restitution along with a hefty fine for wasting the court's time, then put the researcher in jail for three months for the crime of stupidity.

    3. Re:Lesson learned by Cyberllama · · Score: 3

      That metaphor breaks down here because there's no way to "see the hole" until you've stumbled through it. In this case, we're talking about changing a value somewhere in an URL or something similar, and getting access to something that isn't yours. You can look at the structure of the URL and make the intuitive leap that there might be an issue and test it out, but there's no way you can know without testing and no point in reporting if you don't know.

    4. Re:Lesson learned by interkin3tic · · Score: 3, Insightful

      Either that or move to a less stupid country.

      "Shoot the messenger" transcends national boundaries. You really want to find a less stupid PLANET to live on.

    5. Re:Lesson learned by HappyPsycho · · Score: 3, Insightful

      He used the appropriate amount of force, we all know these companies would not rush to fix it unless there was a known exploit ripping them to bits.

      If he didn't show an exploit the company would most likely have claimed it was only "theoretically possible". Especially when all that was required was:

      He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleagues' account.

      Complete lack of authentication seems the culprit here, does that make google, yahoo, bing, etc potentially guilty as well? They could have come across it as well (hopefully this company knows about robots.txt), I guess mass spidering the site could yield some interesting results if this flaw exists (yes I know they fixed this one, doesn't mean others don't exist).

      To tell you the honest truth, if someone said change the ID on that URL to get into another account when I'm logged into my online banking I would laugh them out of the room, what scares the F*** out of me is this company is in charge of a couple million retirement accounts (http://www.pillar.com.au/about_us.htm -> http://en.wikipedia.org/wiki/Superannuation_in_Australia).

  2. As the old idiom goes: by magsol · · Score: 5, Insightful

    No good deed goes unpunished.

    Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.

    --
    "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
  3. Good Samaritan Laws by bmo · · Score: 3, Insightful

    In meatspace, there are Good Samaritan laws that say that if you help someone who is in danger, you are not to be sued. Pulling someone from a burning car is not something that should bankrupt the rescuer.

    We need this for e-space.

    If you find a flaw and report it to appropriate people, you should not become a target because you made someone look bad.

    The alternative is to never report a flaw. And no, the argument that you can do it anonymously is bullshit too, because people will fuck that up like they already do.

    --
    BMO

  4. Re:Obviously by Mathinker · · Score: 3, Interesting

    > said access is just changing a number in a url because they have a retarded system

    I wonder just how many of us have come across such idiocies. I know I have, and yes, I didn't report it because the probability that I would get into trouble by doing so was greater than the damage of email addresses being leaked or having a few people getting their bulk email subscriptions erroneously canceled (it was a company which took care of mass emailing for quite a few clients, including a prestigious scientific journal).

  5. Re:Full-Disclosure by Hatta · · Score: 3, Insightful

    If you find a vulnerability, disclose it. Publicly.

    and anonymously.

    --
    Give me Classic Slashdot or give me death!
  6. Service Guarantees Citizenship by mounthood · · Score: 3, Interesting

    The rule should be: Disclosure Guarantees Immunity

    This would lead to some abuse, but it would also lead to disclosure, which is the only way we're going to develop a secure internet. A federal agency could take the reports to keep both sides honest. Immunity could be granted only for what's reported so if people leave something out to hide their malfeasance it wouldn't be covered under immunity. Reports could even be done anonymously if there's an intervening agency.

    --
    tomorrow who's gonna fuss
  7. Re:Obviously by hawguy · · Score: 5, Interesting

    I wonder just how many of us have come across such idiocies.

    I came across one long ago, back when the internet was more open and trusting - a discovered that a remote server had its root filesystem opened to the world via an NFS export. I emailed the administrator for the server and he said "No worries, you may be able to mount it but file permissions prevent you from doing anything unless you have an account on that server". So I emailed back and said that *any* root user on any server could get full access (this was before the root user was routinely mapped to uid nobody). He said "No, if you're not root on my server you can't get access". So I mounted it read-write from my computer, did a "touch /etc/i_have_access" and told him to look at the file I just created.

    He thanked me and stopped exporting the filesystem. If I did that nowadays, I'd likely be facing charges for hacking.

  8. Making one rethink their good deeds. by The+Archon+V2.0 · · Score: 3, Informative

    Less than a year ago I found a similar (though not quite as grievous) flaw in a Kickstarter-like website when I mistyped the URL to my own profile page. I grabbed a handful of info with it; just a few random accounts to proof-of-concept automated grabbing, the technique for which I made note of in an e-mail to their support address. Also, I got the e-mail address of user #1 (unsurprisingly, the implementer), whom I CCed the support e-mail. After a few e-mails of discussion about the precise nature of the flaw, I received a very grateful thank-you from the owner of the company and the head of IT, and the flaw was fixed within the hour despite it being the dead of night in their HQ's time zone. When I see stuff like this, though, it makes me wonder if the next time I trip across something like this I should do the same thing.

  9. Better do a cavity search, for good measure. by FyberOptic · · Score: 4, Insightful

    "Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn't take anything of mine."

  10. Re:Suppose you live in an appartment. by Onymous+Coward · · Score: 4, Insightful

    That's your idea of a closer analogy? I daresay you are biased and painting things with deceptive license.

    Let's make an honestly closer analogy:

    When opening my apartment door I notice that my key has the apartment number written on it in a special way. Being a locksmith, I get an idea: Does the fancy lock just read the number to determine if the key's good? Because that would be bad. In the same style, I write a different number on my key, the number of my neighbor's apartment, and try it there. It works. We have a problem. I check the whole floor -- all vulnerable to this silliness.

    I call up my locksmith friend and tell him how stupid this is. We have a good laugh and talk about what I should do. The next day I call the apartment manager, explain we've got a real problem, and I tell him what I did. I even walked his handyman through the steps so they could clearly understand. The manager has the problem fixed the next day. Job done, right?

    The thing is, the super sends the cops to talk with me. With my having been a locksmith contractor to the same police force, it went okay, but it left me shaken. I mean, I talked with the super directly and gave him all my contact info. He knows who I am. Why send the cops?

    Later on, the apartment manager sends a notice to everyone in the building, telling them there was a security problem, but it's fixed, and he sincerely apologizes. In particular he says:

    It has come to our attention that a resident of our building devised a way to open your door. Access to your apartment was limited and rectified immediately.

    Please note: This incident was not the result of a targeted attempt to access your apartment. This resident alerted us to the ability to open your lock and advised that your door was only opened when testing the security of his own apartment. The member advised that he has not taken pictures of your apartment or taken any items.

    And now they've sent me a letter telling me they had to inform the police about how I got into the other apartments because it could be a criminal act; that tell me they've locked me out of my apartment; they say they had to spend money to fix this whole lock problem because of me — the nerve! — they say they have the right to get the money it took to fix their problem from me — what! — they say that they want complete access my keys, pens, desk, and tools; and they say that they want me never to look for security problems in the building again.

    Your darn tootin'! If this is the thanks I get! Some people!

  11. Superannuation lawyer talking trash by fenris60 · · Score: 5, Interesting

    In a previous life I worked for an Australian law firm in their financial services division (not Maged's firm thank god). From Maged's profile you can clearly see he is an expert in superannuation law http://www.minterellison.com/People/maged_girgis/. I can say, with 99% certainty, that he has no practical experience in how section 308H of the Crimes Act and section 478.1 of the Criminal Code Act work. I don't claim to either. But the modus operandi of these law firms is that when a big client comes in with a weird request they get a junior lawyer (or crack team of junior lawyers if the billing is low for that month) who doesn't know much about anything to do some "research" and draft a threatening letter based on a few hours of reading some textbooks and legal databases.

    It is possible that the fund does have a right to recover "costs incurred" under pure contract law, although you would have to read the terms and conditions of whatever product Mr Jarrett has with the fund very carefully. But I would think they should be more worried with Mr Jarrett reporting them to the Australian Privacy Commissioner for breach of the privacy principles in relation to the funds obligations to keep personal information secure. I also wouldn't rule out a breach of standards set by APRA (Australia's banking regulator).

    Another funny thing to note is that at the rates which Minter Ellison charges, the cost of getting Maged's junior lawyer to write that letter is likely to be far more than the cost of any actions the trustee of the Fund actually needed to take to deal with the problem!

    I could go on, but I'm worried they might track me down and start sending me random threats and try to access my computer.

  12. large numbers != big evil by Onymous+Coward · · Score: 3, Insightful

    Hm. The URL has my account number in it... I wonder if all accounts are accessible by that param alone? Nah. Well, let's see... I'll just increment the number.

    ACCOUNT=1234
    while true; do
        ACCOUNT=$((ACCOUNT+1))
        wget -nv url://site.with.FAIL.security/showstatement?acct=$i > log.$i 2>&1
    done

    By the time I press Ctrl-c I've hacked over 500 accounts!

  13. Proper Security Disclosure Protocol by X86Daddy · · Score: 3, Insightful

    You go to a web cafe and post it on 4chan, as Anonymous of course. That is what the system has encouraged.

  14. Patrick Webster email to IT staff by aushack · · Score: 5, Informative

    Hello, I am Patrick. I cannot reproduce the email their staff replied with, except it says something along the lines of thank you for raising this matter for our attention and that is was fixed within an hour or two. Below is my email to them, with certain parts redacted, which includes the heavily debated script. The email was a follow up after a lengthy discussion with staff and they were most thankful for the call. I'm publishing this just so that you are better informed and can form your own opinions based on this. From: Patrick Webster [mailto:patrick@osisecurity.com.au] Sent: Thursday, 22 September 2011 1:26 PM To: [REDACTED] Subject: Privacy breach in pillar.com.au website Hello [REDACTED], Thanks for taking the time to speak with me today. As mentioned, I am a FSS member from my time a NSW Police Force. My personal background is in IT Security and I am the owner of OSI Security (www.osisecurity.com.au). You're welcome to see my personal history at http://www.linkedin.com/in/patrickwebster - the past 10 or 11 years I have been working in securing information systems etc, which is how I came across this bug. Yesterday, I received the FSS email notification to download my member statement. So I logged in to the pillar / FSS members portal and went to statements and clicked to download the statement, which is in PDF format. My *personal* statement is at https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 You're welcome to have a look (I have [REDACTED] in super, yay). So after I saw my statement I noticed the 'documentId' number and, based on my security background, I have natural concerns my information is stored securely. So I incremented the number to see what happens (expecting to be rejected); I.e. https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 becomes https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D9&page=0 Amazingly (and coincidentally I might add) the statement I downloaded is my former colleague at [REDACTED] (if you look at my LinkedIn profile and see my connections you will see that we are connected). I then did a random spot test to see if it worked for any number, which indeed it did. I quickly wrote a linux bash script to enumerate documentId numbers and discovered it worked. Script source is below: #!/bin/bash #[REDACTED] for i in {[REDACTED]..[REDACTED]} do echo $i wget "https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-$i&page=0" --no-cookies --header "Cookie: [REDACTED]" done You can see the script runs from [REDACTED]..[REDACTED] in member numbers (just a guess on my part) and then tells the wget software to fetch the documentId with the 'for loop' number which is $i. I was then able to download every member statement, including my own of course. Naturally I find this extremely concerning so contacted you today (I found this around 9pm last night). All the data I obtained has been destroyed / deleted but validated my concerns. Ideally the pillar website should generate some kind of hash (such as member ID + unique salt = 'documentId') instead of a direct object reference. See: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References That is about it... if you have any questions please contact me via email or details below. Kind Regards, Patrick Webster ...