How Do You Handle the Discovery of a Web Site Disclosing Private Data?
An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?
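The flaw the submitter describes is a document endpoint that trusts the ID in the URL. As an added example (not code from this thread or from any real rebate site), here is that vulnerable lookup beside a hardened one that ties each fetch to the authenticated owner, plus a log check for clients walking through IDs; the document store, session table and log lines are constructed for the example.

```python
"""Added example, not code from the Slashdot thread or from any real rebate site.

Models the flaw the submitter describes: a document endpoint keyed only by the
document ID in the URL. The vulnerable handler is shown beside a hardened one
that ties every lookup to an authenticated session and the owner of the
record, and a small log check flags the ID-walking access pattern. All data,
names and log lines below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str        # account that uploaded the document
    contents: str


# Constructed sample store; sequential IDs are what made guessing trivial.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", "alice card statement"),
    1002: Document(1002, "bob", "bob card statement"),
    1003: Document(1003, "alice", "alice receipt"),
}

# Constructed session table: session token -> authenticated account.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


def fetch_document_vulnerable(doc_id: int) -> Tuple[int, Optional[str]]:
    """The flawed pattern: the URL's document ID is the only input checked.
    Anyone who can form the URL gets the document (an insecure direct object
    reference). Returns an (HTTP status, body) pair."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc.contents


def fetch_document(session_token: Optional[str], doc_id: int) -> Tuple[int, Optional[str]]:
    """Hardened handler: require a valid session, then check that the record
    belongs to that account. Missing and foreign documents both answer 404 so
    the endpoint does not confirm which IDs exist."""
    account = SESSIONS.get(session_token or "")
    if account is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != account:
        return 404, None
    return 200, doc.contents


# Constructed access-log lines in "client STATUS /documents/<id>" form.
SAMPLE_LOG = """\
203.0.113.5 200 /documents/1001
203.0.113.5 200 /documents/1003
198.51.100.9 200 /documents/1001
198.51.100.9 200 /documents/1002
198.51.100.9 404 /documents/1004
198.51.100.9 200 /documents/1003
"""


def flag_id_walkers(log_text: str, max_distinct_ids: int = 2) -> Dict[str, int]:
    """Detection sketch: a client requesting more distinct document IDs than
    any one customer plausibly owns is worth a look. The threshold is a
    constructed example value; real tuning depends on per-account volumes."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client, _status, path = line.split()
        seen[client].add(int(path.rsplit("/", 1)[1]))
    return {c: len(ids) for c, ids in seen.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    print("vulnerable, no session:", fetch_document_vulnerable(1002))
    print("hardened, alice asks for bob's doc:", fetch_document("tok-alice", 1002))
    print("hardened, alice asks for her own:", fetch_document("tok-alice", 1001))
    print("clients walking IDs:", flag_id_walkers(SAMPLE_LOG))
```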
Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.
Those people will definitely take your info and get it acted upon.
Send them a cease and desist
I personally have seen all kinds of cases where a disaster is required before anybody decides they want to harden their information security.
That said, you might consider just leaking some of these documents to the open internet by simply pasting the URL to public places. For example, put it on twitter and give it an irrelevant but popular hashtag. Then it hits a major news site, and you know the rest.
The trick is doing it without leaving a trail to yourself, otherwise you'll end up like those guys who found that AT&T link to the iPhone accounts.
... That way we can help, too.
Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?
You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer funded trip to Cuba.
"The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
That's the same kind of flub that led, eventually, to weev getting caught.
Now, mind you, weev is a troll, an asshole, and tried to profit off it, so you might be able to get away without CFAA charges if you avoid being a nazi troll and trying to extort 'em for money...but technically, you're already up for "circumventing" a "security control" so you may want to get a lawyer involved - and have your lawyer handle the negotiations with the institution.
You called the bank and admitted manipulating the site in order to view other people's private financial information.
Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).
Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.
Troy Hunt has a great article here on the responsibility of public disclosure:
http://www.troyhunt.com/2013/0...
Too late...our anonymous submitter has already outed himself to the bank, and even if he hadn't, there should be enough of a trail in the server log to find it was him.
Please don't take this guy's advice!
Sure way to get yourself in trouble by trying to help.
If any of this was true, you'd be arrested for hacking by now. The whole thing is probably made up.
This is dead wrong. Bad advice.
"Leaking" in this manner is a federal offense.
The answer is to keep pressing and travel up the chain of command.
Do not embed any compromising links in an email. Do not use email at all. Emails are discoverable in litigation.
Use your own telephone. Do not involve your business.
When you find a person who has a major cow when you tell them what you've found, give an example URL on the phone.
Check the site now and then for compliance, but do it using someone else's junk. It sounds like you know how to do that.
It little behooves the best of us to comment on the rest of us.
> I personally have seen all kinds of cases where a disaster is required before anybody decides they want to harden their information security.
> That said, you might consider just leaking some of these documents to the open internet by simply pasting the URL to public places. For example, put it on twitter and give it an irrelevant but popular hashtag. Then it hits a major news site, and you know the rest.
> The trick is doing it without leaving a trail to yourself, otherwise you'll end up like those guys who found that AT&T link to the iPhone accounts.
you know I think this was weev's approach to the att/ipad info leak, and look where it got him. although it turns out he was a scumbag doxxer, so no tears shed here.
Isn't that how weev discovered the ATT flaw?
Be very very careful.
You contact them anonymously. Over Tor. After you've exposed a few links so that they can't just look at the logs and come back to you.
Seriously, you tried to do the right thing -- but the people that own sites like this never do the right thing. They just try to gather evidence and treat you like a criminal to lock up. Any proof you have is just evidence against you.
The best, only, and only reasonable option is to either sell it or go total disclosure.
It sucks, but this is the world prosecutors cause.
> In the meantime, I still have private financial information I consider to be publicly available. [...] So, Slashdot, how would you handle this situation?
I'd certainly start by deleting my info there!
Attention zealots and haters: 00100 00100
Post the URL in a Slashdot article. There's a good chance a technical person in the company will read it. And since the site will be Slashdotted, you're probably not exposing any data. :)
Do not forward or show to anybody but legal.
These are the kind of issues that can get you (and your company) in very nasty legal trouble. Reporting the situation to the legal department of your company is your only SAFE option. Once you make the report do your best to destroy and sanitize yourself from the data (following company procedures).
And just to be on the safe (semi-paranoid) side, keep a copy of all communication with legal including records of dates, times and name of everybody you talked to on the phone (about the subject).
DO NOT CALL THE BANK. DO NOT DISCLOSE THE INFO TO OTHERS. CALL THE LEGAL DEPARTMENT AND LET THEM DEAL WITH THE SITUATION.
Either the place is incompetent or made a deliberate design decision. Either way, your best move is to simply move on. There's plenty of competition out there.
Do not reveal the information to anyone else, and don't go poking around.
Call their privacy officer.
Call the local regulatory body.
Call the media.
Contact their regulator.
You learned hacking 101. Seriously, this is nothing new. This is a design flaw with how the url can be manipulated to find things you shouldn't have access to.
Try mailing security@companydomain.com. Follow-up on Monday by calling the company's headquarters and asking for the CSIO (chief security information officer). If neither of those work, ask to speak to the CIO's or COO's office.
When they arrest you simply tell them just that you were responding with "best practices" in the industry and did not thwart any security measures. Then request the case be dropped. It's called responsible disclosure.
Close your account with them. When they ask why, tell them your assessment is that their security procedures are bad and will be easily hacked. DO NOT GO ANY FURTHER THAN THAT. Leave it very vague and hand wavy. Under no circumstances tell them what is wrong. Leave that to someone else, like, as someone else suggested, Krebs or CERT.
Nothing will be done by them other than them getting mad at you. End the relationship with them.
This pretty much is what will happen to you.
http://www.slideshare.net/Lanc...
They will follow the 5 stages of grief.
The fact you trivially hacked them says they are not even aware they have an issue. Which means they will shoot the messenger.
Nuke it from orbit. It's the only way to be sure.
Join the IParty!
Gather all the information and place it in an encrypted file; post the encrypted file to "the darknet". If legal action goes against you, you still have the trump card of bankrupting them in illegal disclosure fines.
Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecutors.
Here is what I would probably do:
1. Remove all of my own assets from the company/institution.
2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.
3. Verbally (in person if possible, phone as a last resort, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.
4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney client privilege) and tell them what is up. For God's sake, think twice, no three times before going this far.
5. Shut up and go about your business.
Most Respectfully Yours, Mark Allyn, Bellingham, Washington
Talk to, call, or send an email to your boss. If he's not an idiot things will end soon. If that doesn't work and you have a contract, read it carefully, find the exit clause and use it.
do not share proof with anyone but the company who is leaking the data, or things will go horribly wrong.
http://en.wikipedia.org/wiki/Goatse_Security#AT.26T.2FiPad_email_address_leak
- R
Every time someone has tried to be the nice guy its backfired. You see something like this? Keep your mouth shut and forget it even happened.
Only the State obtains its revenue by coercion. - Murray Rothbard
I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.
FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... and usually give the vendor a heads up.
You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and someone else's bank records came up... then I found out I made a typo", this is a perfectly reasonable story, there is nothing to be afraid of.
-- I was raised on the command line, bitch
If you really want to do it yourself, plug the domain name in here (just the domain name, no "www." prefix) http://www.networksolutions.com/whois/index.jsp and send an email to the Tech and Administrative email contacts. Include the webmaster@ , security@ , abuse@ and postmaster@ addresses. If they have an Investor Relations contact email address or form, use it. The IR mailbox is watched very closely in all companies and is a better contact than trying to guess the CEO's email address. I have never had a note to the IR contact go unanswered for any problem.
But use TOR to do it or go the Brian Krebs route. For the last incident response exercise I wrote for the bank where I work, the last paragraph was "The phone rings. It is a security blogger named Brian Krebs. He has found our information on a server in a foreign country."
What was the most common question about the scenario from bank senior managers? "Who does this Brian Krebs think he is anyway?" Your worst nightmare, oh corporate one.
They're probably just handing your info over to the feds, you devious hacker!
It is a security hole and all the dire warnings by others are true. Most of these companies are run by people with no IT or computer expertise. The top man is going to haul the IT dept on the carpet and demand an explanation. You think the IT chief is going to admit that he/she was running a moronic system? No, she/he is going to shift blame and find some convenient scapegoat. Given the top honchos don't know much about anything other than their bonus calculation, the IT chief is going to claim, "It is a hack! That guy hacked into my super secure site". Then the PHBs running the company would call in the lawyers and make a mess out of the situation.
One thing the anonymous guy can do is to call the company that issued the mail-in rebate and tell them that the outfit they outsourced their rebate processing to has holes in the system. Now it is the very big company that issued the rebate coupons, run by PHBs, fighting a smaller company that got the rebate processing contract, run by PHBs. And quietly withdraw without drawing too much attention.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Go directly to your FSA (or FBI) field office. This shit has the potential to cost MILLIONS if not dealt with IMMEDIATELY, and you could be implicated having knowledge of such vulnerability and not reported it to competent authorities.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
> you know I think this was weev's approach to the att/ipad info leak, and look where it got him. although it turns out he was a scumbag doxxer, so no tears shed here.
Tears should be shed for the terrible precedent it set for everyone else.
They always go after the icky and unsympathetic people in the beginning.
Accept this, as you have uncovered something they didn't know and can potentially damage them.
I did this with a government tax office and tried to alert them by calling the very number they advertised to handle this sort of issue. The response went like this:
The problem is, you want to help them and all they can see is 'random person on the phone saying we have a problem' so it is easier to solve you. If the company is responsible enough to have a CERT team and a reporting mechanism you may stand a chance but it is more likely you will draw their ire because you can hurt the company's reputation.
If you can't change institutions then you should consider establishing what their data privacy policies are, hire a lawyer and then frame legal action to protect your own data whilst seeking damages to the value of your life earnings for exposing you to identity theft and fraud. You should be pissed off.
They won't play nice so neither should you. Seek legal advice about the possibility for damages because you have been exposed to fraud. Leave it to them to discover the mechanism, because if they are that bad there are probably more.
My ism, it's full of beliefs.
http://occ.gov/ for most banks, savings institutions and their major vendors. http://www.ncua.gov for credit unions. https://fdic.gov/ for others. A call from their primary regulator will get action that day. If it's a local state FI, do the same thing. If they're in New York, they're in big trouble. Benjamin Lawsky is more feared than the feds.
You call and report this vulnerability. You think you are a hero. But look at it from their point of view.
First they verify the problem, and it's true. Now they know at least ONE person, you, knows about it. Do you think they are going to tell you "we've been aware of it for three years, but no one knew..." or maybe "... we followed up on what you said, but it will be several weeks before we can fix it"? Responding to you might lead to more hacks. Consider you *already* reported it to Slashdot. If I was them I would work quietly on this and never respond to you. For all they know, you are ISIS.
Well as others have already stated, you already made the rookie mistake of trying to report the issue and gave them your name and contact information. Now you are on the record as having breached their "security", even as pathetic as it is. When big money is possibly involved (as it would be in the case that financial information of hundreds/thousands of people are involved), you just became the "scapegoat". They will now use you as "hacking" them to attempt to make claims on their insurance to cover the cost of fixing the problem. That also means they will need to report to law enforcement, etc., to have the case brought forward.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
In the UK, British Telecom had a website that took donations for something. They left the website open, simply putting in a URL was enough to get to the private information of the donators.
The man who discovered it was prosecuted for hacking their website:
http://www.scl.org/site.aspx?i=ed832
"He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of "phishing" attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter."
"But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly."
DO NOT DISCLOSE THE INFORMATION TO ANYONE ELSE!!!! I can't state that enough. Also, DO NOT ACCESS IT EVER AGAIN!!!!!! I also can't state that enough either. Any subsequent accesses/"breach" of their security will be blamed on you, and used as evidence that you sent others the information, since you were the only one who knew. Anything anyone else does will be painted as you working in conjunction with a "group of hackers" in an attempt to defraud others, or even possibly extort the company in some way. Any continued access attempts on your part will be used to show that it wasn't a one-time mistake that let you uncover the issue, and that you continued to "hack" the site over a period of time.
You're thinking of Dan Cuthbert I think. A UK case, he donated money to a charity page then entered a directory traversal. Most likely /.. into the URL.
http://www.scl.org/site.aspx?i=ed832
(Slashdot is one dot away from a crime!)
It was a real face palm moment for the British Justice system that they prosecuted him. In effect they said "a directory traversal would not have been authorized, therefore this is unauthorized use of a computer, hence a crime".
A law designed pre-internet, yet the RFC for the web permits those URLs and their server provides the RFC interface, therefore it's for them to handle what data they return on what URLs. In this case they returned a 404 error page or similar. WHICH IS EXACTLY WHAT THEY SHOULD HAVE DONE, as per the spec.
At what point did it become a crime? When judges who are also pre-internet get involved.
That's how everyone deals with crap that fucks with their stuff. Ask Al Capone or the US Government, or even ask Kim Dot Com, they all do the same thing, cap in the arse.
Agree. The AT&T mob were not hammered in court for finding a flaw, they were hammered because they attempted to use the flaw to extort money.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Give them, maybe, one day to respond to your complaint. If they do not respond to your satisfaction, close your account and go elsewhere. It's your money. If they won't take good care of it, someone else will.
linquendum tondere
That's a confidential web forum that handles cases like this. Just provide the sensitive details and they'll take care of it from there. It's @ 4chan.org.
1. Send it to wikileaks.
2. Send anon email to company saying the information has been posted to wikileaks.
3. Watch them have massive coronaries.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
What in the fuck are you doing here
Such as the fucking police where the headquarters are. No joke, that's what I'd do. I'd not sit on my fucking ass and ask fucking dicedot.
What the fuck is this question?
Better yet, download and print out each one you can get and mail them with a cover letter that says something like this to each one:
- - -
Hi, [name and address of account-owner].
You don't know me, but I was a customer of [financial institution] and noticed that by typing the following URL into my browser, ([URL],) I was able to view your personal information. You can verify this by typing the same information into your browser and observe how you can view your personal information WITHOUT logging in. I brought this to the attention of the company's officers on [date] and as of [today's date] they have done NOTHING WHATSOEVER TO FIX THIS.
It's entirely up to you, but as this organization obviously is either incompetent or just doesn't give a shit about your personal data and its security, you might want to rethink having a business relationship with these clowns.
Sincerely,
A former customer of [financial institution].
- - -
Also, make sure to move to a country beyond the reach of the US Government BEFORE doing this, and be prepared never to return, because despite what you might have heard to the contrary, this country's rulers don't LIKE whistleblowers, nor do the people who corruptly own them, and if the institution in question is sufficiently well-heeled, they may own some of the people who "represent" you in "government". Just a word to the wise, as they say.
They handle most US cyber crime investigations. Hopefully, they have some interest in plugging such leaks before things get criminal.
http://www.justice.gov/criminal/cybercrime/reporting.html
http://www.fbi.gov/contact-us
http://www.fbi.gov/about-us/investigate/cyber
http://www.ic3.gov/default.aspx
Send a postal letter to the CEO of the financial institution. Explain the problem. Give the institution a deadline for action. Since I found no actual disclosure of information in my case, I gave the institution a month. In your case, a week should be the maximum.
If you do not hear back in a week, send a postal letter to the government agency that supervises the institution (e.g., SEC, Comptroller of the Currency, FDIC). Send a copy to the federal Consumer Financial Protection Bureau. Postal addresses are available online for such agencies.
It helps if the institution's privacy policy indicates such disclosures are not permitted. In that case, insist that the government agency enforce the institution's privacy policy.
You don't want to end up like Weev, even though they did eventually let him out of jail. And you're apparently not somebody who's got the kind of personality he has, which, while it may make you less likely to end up in jail, isn't necessarily going to get you off the hook either.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I would e-mail, not telephone. Phone calls are too short and simplified.
Before you hit Send, trace through an exact example and describe every step in the e-mail message. I expect that the Customer Service Representative won't understand it. But with an e-mail he can forward it to somebody who will understand the security flaw.
That's what I would do.
Is the screw-up on their side going to cost them tons of money, potentially? Either by hack, or just lawsuit when someone else is damaged by the obtainable information?
I just thought of this, and haven't had time to nitpick it to death, but why not hire a lawyer to set you up as a "consulting firm" LLC or something simple/small and then have HIM contact them and negotiate disclosure of the problem for a fee he splits with you? He's bound by attorney-client privilege and you're (hopefully) not personally liable. Your little company goes away if you lose, and that's the end of it.
I'm sure there are plenty of people telling me to get my head out of la-la land, but it seems logical enough to this sleep-deprived idiot. :)
What terrible precedent? He used the exploit to gather the details of 100k+ users before reporting the issues through the media.
If you find a flaw at your local bank and opt to break in to it to demonstrate it to the reporter whose info you gathered during the break-in... don't be surprised if you go to jail for a decade or so for robbery.
> If you find a flaw at your local bank and opt to break in
What is it with the shit bank analogies today?
There was no breaking in. What he did was the equivalent of asking a bank teller for the info and the teller gave it to him no questions asked. It isn't like the data was secured in any way, he didn't crack passwords, he didn't log in as another user, he didn't use any one else's credentials, he didn't do anything even remotely duplicitous, all he did was send a completely mundane request to the webserver.
use at least 14 proxies and post the details all over 4chan. the ensuing shitstorm will get the problem fixed PDQ.
Snowden and Manning are heroes.
There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.
(IANAL)
He apparently leaked information about 140,000 accounts. His sentence was vacated and conviction reversed on appeal because the appeals judge felt he should have been tried in his home state.
It's too bad this judge was not available for the "Amateur Action" computer porn case in 1996 (http://fac-staff.seattleu.edu/mchon/web/Cases/thomas.html).
> DO NOT DISCLOSE THE INFORMATION TO ANYONE ELSE!!!!
And if I notice your head stuck up your ass, I shouldn't mention it so you can try to pull it out, or maybe hand you a straw to breathe through?
Just name them anonymously, this is the only way executives move, bad press. Example, that time a UPS driver threw a TV over a fence. The guy had a video. At first they refused to pay to replace it, so he posted it to youtube and sent a copy to the 10 o'clock news. They paid up pretty fast. There are tons of examples like this. You might think you are protecting people by hiding the bug, but you are not.
I stumbled across a world-public anonymous FTP site full of pirated movies, software, and PDFs of textbooks for various certification exams through a Google search. It's hosted on an official .gov domain (well, x.y.z.gov). I assume it's some sysadmin's private hoard, poorly configured.
It's still up, over a year later. I didn't report it because I didn't want to get charged with a violation of the CFAA for accessing said "private" site without permission, even though it was literally a search engine click away.
and contact the persons whose privacy was violated in the documents. You probably can not sue, they can.
Make sure to contact a lawyer first.
Start posting those other documents to the web. One by one each day. Send the link to customer service and CEO. And Google.
Take it down again when they've fixed it.
Don't worry...nobody's got anything to hide anyway. ;-)
> I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me.
Presumably, then, your data is viewable to others. First thing I'd do is demand that my data gets removed until the problem is fixed. Then I'd tell everyone who needs to know that I won't be uploading any more documents to this other website until someone else tells me I must, thereby taking responsibility for me doing so.
Mind you, I'm in the fortunate position of having directors who take me seriously when I tell them things like that.
systemd is Roko's Basilisk.
I would try to determine Step 2:
1. Discover a web site disclosing private data.
2. ???
3. PROFIT!
Don't fornicate. Seriously, just don't do it.
Follow this website, www.ceoemail.com
Genuine site BTW.
Find the CEO E-mail report it to them. Be Nice. You may get something out of it as I often do and also your problem fixed.
The only problem here is the cost. At $0.50 a stamp, unless it's an extremely small customer base, OP is going to have to take advantage of the vulnerability in order to fund telling people about the vulnerability.
Threaten to sue them and if they fail to act post details of the vulnerability. What's the name of this 'partner web site' again?
Email the CEO, keep the body of the email short and simple enough for an IT illiterate to understand the problem. Don't worry him/her about the consequences of the problem. Be sure to use a click bait subject line (they're probably very busy) e.g. Your account details for account [their bank account number] are attached. Don't forget to attach their bank account details.
Oh - and don't do any of this from your computer - or via your internet connection. And don't expect credit, just that the problem will be rapidly fixed - which is what you want, right?
a) You'll become a suspect b) In my experience, they probably won't listen to you c) You have nothing to gain but negatives.
Don't tell them you've accessed anyone else's account. Focus only on your own information that's openly available. If you do, you're the one harmed and can sue to fix the problem. Otherwise you're a hacker and expect to get incarcerated.
This seems like a good article to share this little anecdote:
A few years ago I took a class in a very tiny and highly specialized college. Coursework was to be submitted via a homemade online platform. After the submission, revisions or seeing your work until it was graded were not allowed.
Except when you changed the URL to the submission page of the particular assignment, then you could see your work, revise it freely and submit it again anytime without anyone noticing.
When I told the teacher about this security hole at the end of the class, he said he knew about it since the setup of the platform, but he simply expected that people would not use it. He told me that there was an even bigger hole where students could see the submissions of everyone else.
However, their coursework platform has since been succeeded by a completely different platform.
Lesson learned: Some people actually think that honesty is the best security.
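The hole in that anecdote is the same one in the original question: the assignment or document ID in the URL is the only thing the server checks. As an added example (not code from the thread or from either site), here is that lookup beside one that ties the ID to the logged-in user, plus a check over constructed log lines for the ID-walking pattern a site owner could watch for.

```python
# Added example, not from the thread. All documents, users and log
# lines below are constructed for illustration.
from collections import defaultdict

# Constructed document store: doc_id -> (owner, contents)
DOCS = {
    1001: ("alice", "alice card statement"),
    1002: ("bob", "bob card statement"),
    1003: ("alice", "alice rebate receipt"),
}

class Forbidden(Exception):
    """Raised when the requester may not see the document."""

def fetch_vulnerable(doc_id):
    # Flawed: the ID from the URL is the only input, so anyone who
    # knows or guesses the number gets the document.
    return DOCS[doc_id][1]

def fetch_checked(doc_id, session_user):
    # Fixed: the ID still comes from the URL, but the identity comes
    # from the authenticated session and must match the owner.
    if session_user is None:
        raise Forbidden("login required")
    owner, body = DOCS[doc_id]
    if owner != session_user:
        raise Forbidden("document not owned by requester")
    return body

def enumeration_suspects(log_lines, threshold=3):
    # Defender's check: a session touching many distinct IDs, or
    # collecting many 403s, is probably walking the ID space.
    # Constructed log format: "<time> <session> GET /doc/<id> <status>"
    ids_by_session = defaultdict(set)
    denied = defaultdict(int)
    for line in log_lines:
        _, session, _, path, status = line.split()
        ids_by_session[session].add(path.rsplit("/", 1)[1])
        if status == "403":
            denied[session] += 1
    return sorted(s for s, ids in ids_by_session.items()
                  if len(ids) >= threshold or denied[s] >= threshold)

LOG = [  # constructed sample: sessA reads its own docs, sessB walks IDs
    "12:00:01 sessA GET /doc/1001 200",
    "12:00:02 sessA GET /doc/1003 200",
    "12:00:05 sessB GET /doc/1002 200",
    "12:00:06 sessB GET /doc/1003 403",
    "12:00:07 sessB GET /doc/1001 403",
    "12:00:08 sessB GET /doc/1004 403",
]
```

The 403 counter only becomes useful once the checked version is deployed; with the vulnerable lookup every request succeeds and only the distinct-ID count can flag the walk.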
Killing the leaders of our allies is the way of the Democrats. They hate us. They won't rest until every American is starving and unemployed. It is their way.
Because the CFAA is being abused in this realm, major nations need to pass responsible disclosure laws that protect people who report security flaws so long as they follow proper procedure.
Report the vulnerability to CERT.
https://forms.cert.org/VulRepo...
http://www.cert.org/vulnerabil...?
So, you hacked into someone else's private information, and then informed the website in question that you hacked them?
Expect a visit from the FBI.
but that's putting you in bed with the weasels.
Take some IT guys out for lunch with their laptop, show them how to lose their appetite. On a company computer.
Things will happen at a good rate of speed.
If you happen to have one of the security guys along, that will seal it quickly.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Immediately move my accounts to another financial institution. Not only have they not dealt with the security threat, they have no procedure in place to immediately escalate security threats.
Go to a competitor, ask if they have the same problem. If not, take out your assets and deposit them at the competitor. Competitor will use this as a way to lure customers away from the offending institution.
Fine. You're right of course. Use email then.
Do NOT try to confirm your theory by accessing a modified URL that would retrieve data belonging to another user.
Careful, people like you have been locked up for less. Even though your intentions are good.
The fact you changed a URL and obtained data makes you a hacker, and criminal. Say nothing, do nothing, as you'll be arrested as soon as the FBI finds out.
As other replies have said, you are probably better off getting a lawyer BEFORE you go to the bank or anyone else.
Why?
1) If they've already discovered this themselves they may be working with the FBI and there may be a subpoena in your ISP's hands within minutes of you making your discovery.
2) Even if there isn't, the veiled threat of prosecution can be very intimidating.
3) By having your attorney speak to the bank and/or the government/police authorities for you BEFORE the police contact you, it will be abundantly clear to the police that you are just a good citizen and that it would be a political mess if they threatened to press charges or ignore the problem.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
... contact DHS and tell them you were at the library and you saw a guy with a scimitar and a Koran downloading private banking information. It will still likely be months before anything changes, but at least you'll know enough bankers are getting adequately inconvenienced in the affair.
I think that was covered in web programming 101: URL redirects/directory traversal.
I am Bennett Haselton! I am Bennett Haselton!
You should have immediately contacted the FCC and FTC and Better Business Bureau!
Data that you may consider private to you may not be protected under Non Public Information (NPI), depending on the regulations and regulatory bodies for such industry segment. Generally NPI data for financial purposes is date of birth, social security, credit / debit card numbers, transaction accounts (checking, savings) against which binding transactions can be secured.
Can you list the data points that you consider to be private data, along with the industry segment involved?
I know others have said it, but, here is a link: https://www.ic3.gov/default.as... Going to law enforcement with the issue should be a decent shield from prosecution. IANAL, so take this with a big grain of salt. So, maybe talk to a lawyer and ask them to file the complaint.
Fallen Kell's advice is the reality. If you ignore that advice, at least do not access any further and wait at least a year to provide anonymous notification, then pray your previous access has aged out of any access logs. It's kind of pathetic that this is the state of things. It would be nice if we had some kind of official notice an individual could file that states the nature of a discovery and puts the company in a legal position to fix it or face increased liability while providing the reporting party safe-harbor protection. Persecuting even basic white hat security testing is so counterproductive to our collective security it's just sad. If we can't allow the good guys to be safe in reporting issues, then clearly only the bad guys will have the knowledge until it's too late and the damage is done.
Letting Krebs know is a good idea... but email support at the bank, or even send the bank snail mail, with the info. Send it with delivery confirmation. And, at the bottom, add
cc: SEC
so they know you're serious. And really and truly, contact the SEC, which regulates banks, and esp. with all the bank problems lately, I'll wager they're really, really interested in this.
Oh, call them back, and ask for "their legal service address". That will get someone attention, for real.
Last option: get a lawyer to write a lawyer letter to the bank. This will also get their attention.
mark
You suspect that a bank leaves the door to their building containing their customers' money unlocked. Do you a) check to see if the door is open b) tell the bank it might be unlocked c) call the police? All of the above: a) because the door doesn't say keep out anywhere b) because your money is in there c) because the bank's negligence can and will cost you your money.
Welcome to the world of lousy and non existent customer service. I had an issue with a bank and wanted to talk with a supervisor - "No can do" said the customer service person.... they will contact you - that never did happen. Was reading an old hacker magazine (2600) from about 2008, where Target stores' credit card system was noted to be lax in security. So go figure, in this time and age of people not being paid enough to really care about the customers, or company, they work at....why should they bother to be concerned.
Step 1: Gather information from other people based on the poorly designed portal.
Step 2: Begin contacting the people whose information you received. Tell them that this site just provided you with their information and you thought that they might want to know that these people were linking their information.
When they start receiving pissed off calls from people whose information has been leaked, and, especially if they call law enforcement and offer up lawsuits, things change.