Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Handle the Discovery of a Web Site Disclosing Private Data?

Posted by samzenpus on from the what-to-do-and-what-not-to-do dept.

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?

13 of 230 comments (clear)

  1. If you're in the United States, get a lawyer by Anonymous Coward · · Score: 5, Informative

    You called the bank and admitted manipulating the site in order to view other people's private financial information.

    Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).

    Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.

    1. Re:If you're in the United States, get a lawyer by Anonymous Coward · · Score: 2, Informative

      About 20 years ago I had something similar happen, I emailed people about a bug (not even as important as people's financial data, but still similar). It was a large company (30B market cap). Anyways, I received no response and didn't really think much of it, Several months later, the local FBI team came in and took all my computers, we had a short meeting with them about a year later, where they explained that I had hacked and then threatened that company, And then never heard from them again. This was back when I was using POP3 so I don't even have the email to know what I said, it may have have sounded like a threat, I honestly don't remember. My guess is shortly after my email something happened, and they found the email, which was through my ISP at the time, and contacted them assuming I had done it. As near as I can tell, they had logs that I visited the site, but nothing more as evidence.

      Anyways, my advise from this experience is to unfortunately keep it to yourself, be very careful when trying to be the good guy here. Since you've already started, you might be wise to contact a lawyer...

    2. Re:If you're in the United States, get a lawyer by bigtrike · · Score: 3, Informative

      The one time I ran into this, I informed the company from an anonymous email account. I claimed that I'd accidentally typed a number into the URL bar and someone else's complete order information came up. I stated that I had not shared the information with anyone and did not plan to (to cover my ass and make it clear I was not threatening them). I was still worried that they'd send the FBI after me, but I also felt that I had a moral obligation to inform them of the issue before someone else discovered it and stole a bunch of customer information.

  2. close your account with them by Anonymous Coward · · Score: 1, Informative

    Close your account with them. When they ask why. Tell them you assessment of their security procedures are bad and will be easily hacked. DO NOT GO ANY FURTHER THAN THAT. Leave it very vague and hand wavy. Under no circumstances tell them what is wrong. Leave that to someone else like what someone else suggested krebs or cert.

    Nothing will be done by them other than them getting mad at you. End the relationship with them.

    This pretty much is what will happen to you.
    http://www.slideshare.net/Lanc...

    They will follow the 5 stages of grief.

    The fact you trivially hacked them says they are not even aware they have an issue. Which means they will shoot the messenger.

  3. Please be very careful! by mallyn · · Score: 5, Informative
    Folks:

    Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecuters.

    Here is what I would probably do:

    1. Remove all of my own assets from the company/institution.

    2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.

    3. Verbally (in person if possible, phone as a last resore, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.

    4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney client privilege) and tell them what is up. Fot God's sake, think twice, no three times before going this far.

    5. Shut up and go about your business.

    --
    Most Respectfully Yours Mark Allyn Bellingham, Washington
  4. You done fucked up by ArchieBunker · · Score: 4, Informative

    Every time someone has tried to be the nice guy its backfired. You see something like this? Keep your mouth shut and forget it even happened.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  5. Rookie mistake... by Fallen+Kell · · Score: 4, Informative

    Well as others have already stated, you already made the rookie mistake of trying to report the issue and gave them your name and contact information. Now you are on the record as having breached their "security", even as pathetic as it is. When big money is possibly involved (as it would be in the case that financial information of hundreds/thousands of people are involved), you just became the "scapegoat". They will now use you as "hacking" them to attempt to make claims on their insurance to cover the cost of fixing the problem. That also means they will need to report to law enforcement, etc., to have the case brought forward.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  6. Ass covering, BT Example from UK by Anonymous Coward · · Score: 5, Informative

    In the UK, British Telecom had a website that took donations for something. They left the website open, simply putting in a URL was enough to get to the private information of the donators.

    The man who discovered it was prosecuted for hacking their website:

    http://www.scl.org/site.aspx?i=ed832

    "He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of “phishing” attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter. "

    "But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly. "

  7. Dan Cuthbert, UK by Anonymous Coward · · Score: 2, Informative

    Your thinking of Dan Cuthbert I think. A UK case, he donated money to a charity page then entered a directory traversal. Most likely /.. into the URL.

    http://www.scl.org/site.aspx?i=ed832

    (Slashdot is one dot away from a crime!)

    It was a real face palm moment for the British Justice system that they prosecuted him. In effect they said "a directory traversal would not have been authorized, therefore this is unauthorized use of a computer, hence a crime".

    A law designed pre-internet, yet the RFC for the web permits those URLs and their server provides the RFC interface therefore its for them to handle what data they return on what URLs. In this case they returned a 404 error page or similar. WHICH IS EXACTLY WHAT THEY SHOULD HAVE DONE, as per the spec.

    What point did it become a crime? When Judges the are also pre-internet get involved.

  8. Re:Krebs by pepty · · Score: 5, Informative

    Call the bank and ask for their "agent of service", This is the first step you take when you sue a corporation: find out the lawyer you need to send the paperwork to. Not that you will actually be suing them, but if anyone can light a fire under the bank's IT staff it's their lawyer.

  9. Re:Krebs by Anonymous Coward · · Score: 4, Informative


    I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story.

    Notorious troll Weev" did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.

  10. Re:Notify CTO, CFO & CEO offices by Alan+Shutko · · Score: 4, Informative

    In my Fortune 25 company, we have a department of people devoted to resolving issues of people who contact the CEO, President, or other members of senior staff. This method absolutely will light a fire under the IT staff to fix it. I don't know whether he reads every incoming letter or email, but I do know that each one is handled by the presidential escalation team, and tracked, and reported out regularly.

    We also have a Chief Information Security Officer who will personally latch onto this like a bulldog and ensure that it's fixed. We had a breach a number of years ago and it's still used as a reminder that "That will NOT happen again."

  11. Re:Krebs by Anonymous Coward · · Score: 3, Informative

    Do NOT give them anything in writing that is an admission of "hacking".