Slashdot Mirror


How Do You Handle the Discovery of a Web Site Disclosing Private Data?

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?
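The flaw the submitter describes is an insecure direct object reference: the server treats the document ID in the URL as sufficient authorization. As an added example (not code from the post or from any site it mentions), here is a minimal lookup handler with that defect beside one that binds each document to the authenticated account that uploaded it; the accounts, documents and session tokens are constructed.

```python
# Added example (not from the Slashdot post): the "change the document ID in
# the URL" flaw the submitter describes, an insecure direct object reference
# (IDOR), next to a handler that enforces ownership. All data is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str  # account that uploaded the document
    title: str

# Constructed store: two customers, three uploaded statements.
DOCS = {
    1001: Document(1001, "alice", "alice-cc-statement-jan.pdf"),
    1002: Document(1002, "bob", "bob-cc-statement-jan.pdf"),
    1003: Document(1003, "alice", "alice-rebate-receipt.pdf"),
}
# Constructed sessions: token -> authenticated account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

def view_document_vulnerable(doc_id: int) -> Optional[Document]:
    """Looks up the document by the ID in the URL alone: no session and no
    ownership check, so incrementing the ID reads anyone's statement."""
    return DOCS.get(doc_id)

class Forbidden(Exception):
    """Same error for missing and foreign IDs, so nothing confirms that
    another customer's document exists."""

def view_document_fixed(token: Optional[str], doc_id: int) -> Document:
    """Requires an authenticated session and that the caller owns the
    document; unknown and foreign IDs are rejected identically."""
    user = SESSIONS.get(token or "")
    if user is None:
        raise Forbidden("authentication required")
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        raise Forbidden("not found")
    return doc

def ids_readable_by(token: Optional[str]) -> set:
    """Regression check: the set of IDs the caller can actually retrieve."""
    readable = set()
    for doc_id in DOCS:
        try:
            view_document_fixed(token, doc_id)
            readable.add(doc_id)
        except Forbidden:
            pass
    return readable
```

The regression helper is the check to keep in a test suite: for every session (and for no session at all) the readable set must equal exactly the documents that account owns.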

11 of 230 comments

  1. Krebs by kylemonger · · Score: 5, Insightful

    Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

    1. Re:Krebs by plover · · Score: 3, Insightful

      Nobody took computer security seriously back in 2001. Things have changed a lot since then. For example, if you were to contact that same bank with the same information today, they would likely know better and would now contact the FBI and have you arrested on charges of violating the Computer Fraud and Abuse Act.

      Actually, contacting the FBI might not be a bad choice for the story submitter. They would probably be very interested in working with that bank to shut this problem down quickly.

      --
      John
    2. Re: Krebs by devilspgd · · Score: 3, Insightful

      Or just walk away.

      While true, this solution doesn't allow one to protect their own data which is also exposed.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
  2. Re:It takes a scandal to fix this kind of thing IM by Anonymous Coward · · Score: 2, Insightful

    Too late... our anonymous submitter has already outed himself to the bank, and even if he hadn't, there should be enough of a trail in the server log to find it was him.

  3. Re:Buy some suntan lotion by pollarda · · Score: 4, Insightful

    Actually, this isn't too far from the truth. I've heard of a few cases where simply changing the URL has brought up documents that should be private, and the person who reported it was brought up on charges for "hacking". Unfortunately, the public does not understand the difference between simply poking around and trying to mess up someone's system for nefarious reasons. Perhaps someone here on /. will remember the particular cases involved, but as sad as it sounds, you are on a shaky legal foundation.

  4. Time to sever the financial relationship by Tillman · · Score: 3, Insightful

    Either the place is incompetent or made a deliberate design decision. Either way, your best move is to simply move on. There's plenty of competition out there.

    Do not reveal the information to anyone else, and don't go poking around.

  5. Re:Buy some suntan lotion by borcharc · · Score: 4, Insightful

    This shouldn't be modded funny; it's the most likely outcome. You really should start thinking of protecting yourself now that you have made yourself a target.

  6. Re:Buy some suntan lotion by bloodhawk · · Score: 1, Insightful

    Reporting vulnerabilities doesn't get you put in jail; however, manipulating sites without permission to look for them does. Incidentally, the guy you linked did a lot more than "just" discover and tell them of a vulnerability: he exploited it and extracted a ton of information from their systems.

  7. Re:Rookie mistake... Also... by Fallen+Kell · · Score: 3, Insightful

    DO NOT DISCLOSE THE INFORMATION TO ANYONE ELSE!!!! I can't state that enough. Also, DO NOT ACCESS IT EVER AGAIN!!!!!! I also can't state that enough either. Any subsequent accesses/"breach" of their security will be blamed on you, and used as evidence that you sent others the information, since you were the only one who knew. Anything anyone else does will be painted as you working in conjunction with a "group of hackers" in an attempt to defraud others, or even possibly extort the company in some way. Any continued access attempts on your part will be used to show that it wasn't a one-time mistake that let you uncover the issue, and that you continued to "hack" the site over a period of time.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  8. Re:Notify CTO, CFO & CEO offices by pepty · · Score: 3, Insightful

    In my experience, it won't.

    I reported to a small non-profit that their list of email addresses had leaked. I knew this because I used a unique address when registering with the site and I later started getting SPAM at that address.

    Most likely, the non-profit sold your email address (along with the rest of their list), leading to embarrassment all around when you contacted them about the spam.

  9. Better avenues than public disclosure by matthewv789 · · Score: 4, Insightful

    There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.

    1. Try to notify technical contacts, who can most efficiently and cheaply understand and fix the problem, with the least embarrassment or hassle.
    2. Notify the legal department, outside counsel, accountants or auditors. They are responsible for dealing with risks to the company, and for certifying proper controls over financial or customer information.
    3. Try to notify executive management directly.
    4. Contact government and other regulatory or certifying bodies, such as PCI (for anyone handling credit cards), SEC (for public companies), FTC, Better Business Bureau, Chamber of Commerce, etc.
    5. Report it to CERT.
    6. If you're a customer, (politely) threaten to take your business elsewhere (or actually do it), or have your attorney send them a letter threatening to sue for putting your information or money at risk. You could threaten to make it a class action too. (Note that you'd need to be an affected customer to have standing to sue.)
    7. For any public disclosure you may be tempted to make, go through a news organization, who will verify the information, contact the company for comment, and weigh the ethical pros and cons of how to tell the story effectively without revealing so much information as to do harm. Some "on your side" segments on local TV news might work well for this.
    8. If you want to publish or comment publicly yourself, consult your attorney, and limit yourself to saying that there is a vulnerability, but not any details about it. But you can particularly publicize the company's (non-)response to it.
    9. If you can document that someone else is already exploiting the flaw, you could report on the exploitation that's occurring, without being the one to expose the vulnerability.
    10. And of course once the flaw is fixed, you could discuss it more widely as well.

    (IANAL)