Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Handle the Discovery of a Web Site Disclosing Private Data?

Posted by samzenpus on from the what-to-do-and-what-not-to-do dept.

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?

4 of 230 comments (clear)

  1. If you're in the United States, get a lawyer by Anonymous Coward · · Score: 5, Informative

    You called the bank and admitted manipulating the site in order to view other people's private financial information.

    Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).

    Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.

  2. Please be very careful! by mallyn · · Score: 5, Informative
    Folks:

    Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecuters.

    Here is what I would probably do:

    1. Remove all of my own assets from the company/institution.

    2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.

    3. Verbally (in person if possible, phone as a last resore, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.

    4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney client privilege) and tell them what is up. Fot God's sake, think twice, no three times before going this far.

    5. Shut up and go about your business.

    --
    Most Respectfully Yours Mark Allyn Bellingham, Washington
  3. Ass covering, BT Example from UK by Anonymous Coward · · Score: 5, Informative

    In the UK, British Telecom had a website that took donations for something. They left the website open, simply putting in a URL was enough to get to the private information of the donators.

    The man who discovered it was prosecuted for hacking their website:

    http://www.scl.org/site.aspx?i=ed832

    "He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of “phishing” attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter. "

    "But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly. "

  4. Re:Krebs by pepty · · Score: 5, Informative

    Call the bank and ask for their "agent of service", This is the first step you take when you sue a corporation: find out the lawyer you need to send the paperwork to. Not that you will actually be suing them, but if anyone can light a fire under the bank's IT staff it's their lawyer.