Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do You Handle the Discovery of a Web Site Disclosing Private Data?

Posted by samzenpus on from the what-to-do-and-what-not-to-do dept.

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?

4 of 230 comments (clear)

  1. Krebs by kylemonger · · Score: 5, Insightful

    Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

  2. Re:Buy some suntain lotion by pollarda · · Score: 4, Insightful

    Actually, this isn't too far from the truth. I've heard of a few cases where simply changing the URL has brought up documents that should be private and the person who reported it was brought up on charges for "hacking". Unfortunately, the public does not understand the difference between simply poking around and trying to mess up someone's system for nefarious reasons. Perhaps someone here on /. will remember the particular cases involved but as sad as it sounds, you are on a shaky legal foundation.

  3. Re:Buy some suntain lotion by borcharc · · Score: 4, Insightful

    This shouldn't be modded funny, its the most likely outcome. You really should start thinking of protecting yourself now that you have made yourself a target.

  4. Better avenues that public disclosure by matthewv789 · · Score: 4, Insightful

    There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.

    1. 1. Try to notify technical contacts, who can most efficiently and cheaply understand and fix the problem, with the least embarrassment or hassle.
    2. 2. Notify the legal department, outside counsel, accountants or auditors. They are responsible for dealing with risks to the company, and to certifying proper controls over financial or customer information.
    3. 3. Try to notify executive management directly.
    4. 4. Contact government and other regulatory or certifying bodies, such as PCI (for anyone handling credit cards), SEC (for public companies), FTC, Better Business Bureau, Chamber of Commerce, etc.
    5. 5. Report it to CERT.
    6. 6. If you're a customer, (politely) threaten to take your business elsewhere (or actually do it), or have your attorney send them a letter threatening to sue for putting your information or money at risk. You could threaten to make it a class action too. (Note that you'd need to be an affected customer to have standing to sue.)
    7. 7. Any public disclosure you may be tempted to make, go through a news organization, who will verify the information, contact the company for comment, and weigh the ethical pros and cons of how to tell the story effectively without revealing so much information as to do harm. Some "on your side" segments on local TV news might work well for this.
    8. 8. If you want to publish or comment publicly yourself, consult your attorney, and limit yourself to saying that there is a vulnerability, but not any details about it. But you can particularly publicize the company's (non-)response to it.
    9. 9. If you can document that someone else is already exploiting the flaw, you could report on the exploitation that's occurring, without being the one to expose the vulnerability.
    10. 10. And of course once the flaw is fixed, you could discuss it more widely as well.

    (IANAL)