Australian Teen Reports SQL Injection Vulnerability, Company Calls Police
FuzzNugget writes with an excerpt from Wired, which brings us the latest in security researcher witch hunts: "Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who made purchases through the Metlink web site run by the Transport Department. It was the primary site for information about train, tram and bus timetables. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne. Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police."
From the article:
"Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age."
He hasn't been arrested.
Joshua Rogers here. The kid that this article is about.
I want to clear something up.
I have _not_ been arrested (yet).
I have _not_ been questioned (yet).
I have _not_ been officially told that I've been reported to the police (yet).
I'm completely in the blank, as much as the rest of you.
What I'm expecting to happen:
They show up at my doorstep asking questions.
That's it.
They might ask me to sign something that says I have deleted all the data that I saw.
If you have any questions, I can be contacted @megamansec.