Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Threatened With Vulnerability Repair Bill

Posted by Soulskill on from the biting-a-helping-hand dept.

mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."

8 of 231 comments (clear)

  1. Lesson learned by nurb432 · · Score: 5, Insightful

    If you find a vulnerability, don't tell the people at risk, sell it or use it.

    Either that or move to a less stupid country.

    --
    ---- Booth was a patriot ----
    1. Re:Lesson learned by LifesABeach · · Score: 5, Insightful

      Well, lets just backup here a bit. If my neighbor discovers that part of my fence is broken, and walks onto my property to tell me so:
      1. Is the neighbor guilty of Trespassing?
      2. Is the neighbor guilty of causing the fence to be broken?
      3. Is the neighbor guilty of being the cause of the broken fence?
      4. Is the neighbor guilty of Negligence because the fence is broken?
      5. Is the neighbor guilty of Indirect Negligence because the fence is broken?
      6. Is the neighbor guilty of not maintaining the fence?
      7. Is the neighbor guilty of any damage because the fence is broken?

      Some Lawyer in their first year of business is going to carve up a Hedge Fund like a Christmas Turkey. Cheers!

  2. As the old idiom goes: by magsol · · Score: 5, Insightful

    No good deed goes unpunished.

    Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.

    --
    "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
  3. Re:Obviously by hawguy · · Score: 5, Interesting

    I wonder just how many of us have come across such idiocies.

    I came across one long ago, back when the internet was more open and trusting - a discovered that a remote server had its root filesystem opened to the world via an NFS export. I emailed the administrator for the server and he said "No worries, you may be able to mount it but file permissions prevent you from doing anything unless you have an account on that server". So I emailed back and said that *any* root user on any server could get full access (this was before the root user was routinely mapped to uid nobody). He said "No, if you're not root on my server you can't get access". So I mounted it read-write from my computer, did a "touch /etc/i_have_access" and told him to look at the file I just created.

    He thanked me and stopped exporting the filesystem. If I did that nowadays, I'd likely be facing charges for hacking.

  4. Better do a cavity search, for good measure. by FyberOptic · · Score: 4, Insightful

    "Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn't take anything of mine."

  5. Re:Suppose you live in an appartment. by Onymous+Coward · · Score: 4, Insightful

    That's your idea of a closer analogy? I daresay you are biased and painting things with deceptive license.

    Let's make an honestly closer analogy:

    When opening my apartment door I notice that my key has the apartment number written on it in a special way. Being a locksmith, I get an idea: Does the fancy lock just read the number to determine if the key's good? Because that would be bad. In the same style, I write a different number on my key, the number of my neighbor's apartment, and try it there. It works. We have a problem. I check the whole floor -- all vulnerable to this silliness.

    I call up my locksmith friend and tell him how stupid this is. We have a good laugh and talk about what I should do. The next day I call the apartment manager, explain we've got a real problem, and I tell him what I did. I even walked his handyman through the steps so they could clearly understand. The manager has the problem fixed the next day. Job done, right?

    The thing is, the super sends the cops to talk with me. With my having been a locksmith contractor to the same police force, it went okay, but it left me shaken. I mean, I talked with the super directly and gave him all my contact info. He knows who I am. Why send the cops?

    Later on, the apartment manager sends a notice to everyone in the building, telling them there was a security problem, but it's fixed, and he sincerely apologizes. In particular he says:

    It has come to our attention that a resident of our building devised a way to open your door. Access to your apartment was limited and rectified immediately.

    Please note: This incident was not the result of a targeted attempt to access your apartment. This resident alerted us to the ability to open your lock and advised that your door was only opened when testing the security of his own apartment. The member advised that he has not taken pictures of your apartment or taken any items.

    And now they've sent me a letter telling me they had to inform the police about how I got into the other apartments because it could be a criminal act; that tell me they've locked me out of my apartment; they say they had to spend money to fix this whole lock problem because of me — the nerve! — they say they have the right to get the money it took to fix their problem from me — what! — they say that they want complete access my keys, pens, desk, and tools; and they say that they want me never to look for security problems in the building again.

    Your darn tootin'! If this is the thanks I get! Some people!

  6. Superannuation lawyer talking trash by fenris60 · · Score: 5, Interesting

    In a previous life I worked for an Australian law firm in their financial services division (not Maged's firm thank god). From Maged's profile you can clearly see he is an expert in superannuation law http://www.minterellison.com/People/maged_girgis/. I can say, with 99% certainty, that he has no practical experience in how section 308H of the Crimes Act and section 478.1 of the Criminal Code Act work. I don't claim to either. But the modus operandi of these law firms is that when a big client comes in with a weird request they get a junior lawyer (or crack team of junior lawyers if the billing is low for that month) who doesn't know much about anything to do some "research" and draft a threatening letter based on a few hours of reading some textbooks and legal databases.

    It is possible that the fund does have a right to recover "costs incurred" under pure contract law, although you would have to read the terms and conditions of whatever product Mr Jarrett has with the fund very carefully. But I would think they should be more worried with Mr Jarrett reporting them to the Australian Privacy Commissioner for breach of the privacy principles in relation to the funds obligations to keep personal information secure. I also wouldn't rule out a breach of standards set by APRA (Australia's banking regulator).

    Another funny thing to note is that at the rates which Minter Ellison charges, the cost of getting Maged's junior lawyer to write that letter is likely to be far more than the cost of any actions the trustee of the Fund actually needed to take to deal with the problem!

    I could go on, but I'm worried they might track me down and start sending me random threats and try to access my computer.

  7. Patrick Webster email to IT staff by aushack · · Score: 5, Informative

    Hello, I am Patrick. I cannot reproduce the email their staff replied with, except it says something along the lines of thank you for raising this matter for our attention and that is was fixed within an hour or two. Below is my email to them, with certain parts redacted, which includes the heavily debated script. The email was a follow up after a lengthy discussion with staff and they were most thankful for the call. I'm publishing this just so that you are better informed and can form your own opinions based on this. From: Patrick Webster [mailto:patrick@osisecurity.com.au] Sent: Thursday, 22 September 2011 1:26 PM To: [REDACTED] Subject: Privacy breach in pillar.com.au website Hello [REDACTED], Thanks for taking the time to speak with me today. As mentioned, I am a FSS member from my time a NSW Police Force. My personal background is in IT Security and I am the owner of OSI Security (www.osisecurity.com.au). You're welcome to see my personal history at http://www.linkedin.com/in/patrickwebster - the past 10 or 11 years I have been working in securing information systems etc, which is how I came across this bug. Yesterday, I received the FSS email notification to download my member statement. So I logged in to the pillar / FSS members portal and went to statements and clicked to download the statement, which is in PDF format. My *personal* statement is at https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 You're welcome to have a look (I have [REDACTED] in super, yay). So after I saw my statement I noticed the 'documentId' number and, based on my security background, I have natural concerns my information is stored securely. So I incremented the number to see what happens (expecting to be rejected); I.e. https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D8&page=0 becomes https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-%5BREDACTED%5D9&page=0 Amazingly (and coincidentally I might add) the statement I downloaded is my former colleague at [REDACTED] (if you look at my LinkedIn profile and see my connections you will see that we are connected). I then did a random spot test to see if it worked for any number, which indeed it did. I quickly wrote a linux bash script to enumerate documentId numbers and discovered it worked. Script source is below: #!/bin/bash #[REDACTED] for i in {[REDACTED]..[REDACTED]} do echo $i wget "https://services.pillar.com.au/FSSMembers/secure/Statement.aspx?documentId=107/1388-$i&page=0" --no-cookies --header "Cookie: [REDACTED]" done You can see the script runs from [REDACTED]..[REDACTED] in member numbers (just a guess on my part) and then tells the wget software to fetch the documentId with the 'for loop' number which is $i. I was then able to download every member statement, including my own of course. Naturally I find this extremely concerning so contacted you today (I found this around 9pm last night). All the data I obtained has been destroyed / deleted but validated my concerns. Ideally the pillar website should generate some kind of hash (such as member ID + unique salt = 'documentId') instead of a direct object reference. See: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References That is about it... if you have any questions please contact me via email or details below. Kind Regards, Patrick Webster ...