Slashdot Mirror
How Do You Handle the Discovery of a Web Site Disclosing Private Data?
An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?
Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.
Those people will definitely take your info and get it acted upon.
... That way we can help, too.
Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?
You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer funded trip to Cuba.
"The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
That's the same kind of flub that led, eventually, to weev getting caught.
Now, mind you, weev is a troll, an asshole, and tried to profit off it, so you might be able to get away without CFAA charges if you avoid being a nazi troll and trying to extort 'em for money...but technically, you're already up for "circumventing" a "security control" so you may want to get a lawyer involved - and have your lawyer handle the negotiations with the institution.
You called the bank and admitted manipulating the site in order to view other people's private financial information.
Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).
Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.
Troy Hunt has a great article here on the responsibility of public disclosure:
http://www.troyhunt.com/2013/0...
Too late...our anonymous submitted has already outed himself to the bank, and even if he hadn't, there should be enough of a trail in the server log to find it was him.
This is dead wrong. Bad advice.
"Leaking" in this manner is a federal offense.
The answer is to keep pressing and travel up the chain of command.
Do not embed any compromising links in an email. Do not use email at all. Emails are discoverable in litigation.
Use your own telephone. Do not involve your business.
When you find a person who has a major cow when you tell them what you've found, give an example URL on the phone.
Check the site now and then for compliance, but do it using someone else's junk. It sounds like you know how to do that.
It little behooves the best of us to comment on the rest of us.
I personally have seen all kinds of cases where a disaster is required before anybody decides they want to harden their information security.
That said, you might consider just leaking some of these documents to the open internet by simply pasting the URL to public places. For example, put it on twitter and give it an irrelevant but popular hashtag. Then it hits a major news site, and you know the rest.
The trick is doing it without leaving a trail to yourself, otherwise you'll end up like those guys who found that AT&T link to the iPhone accounts.
you know I think this was weev's approach to the att/ipad info leak, and look where it got him. although it turns out he was a scumbag doxxer, so no tears shed here.
In the meantime, I still have private financial information I consider to be publicly available. [...] So, Slashdot, how would you handle this situation?
I'd certainly start by deleting my info there!
Attention zealots and haters: 00100 00100
Post the URL in a Slashdot article. There's a good chance a technical person in the company will read it. And since the site will be Slashdotted, you're probably not exposing any data. :)
Do not forward or show to anybody but legal.
This are the kind of issues that can get you (and your company) in very nasty legal trouble. Reporting the situation to the legal depart of your company is your only SAFE option. Once you make the report do your best to destroy and sanitize yourself from the data (following company procedures).
And just to be on the safe (semi-paranoid) side, keep a copy of all communication with legal including records of dates, times and name of everybody you talked too on the phone (about the subject).
DO NOT CALL THE BANK. DO NOT DISCLOSE THE INFO TO OTHERS. CALL THE LEGAL DEPARTMENT AND LET THEM DEAL WITH THE SITUATION.
Either the place is incompetent or made a deliberate design decision. Either way, your best move is to simply move on. There's plenty of competition out there.
Do not reveal the information to anyone else, and don't go poking around.
Try mailing security@companydomain.com. Follow-up on Monday by calling the company's headquarters and asking for the CSIO (chief security information officer). If neither of those work, ask to speak to the CIO's or COO's office.
Close your account with them. When they ask why. Tell them you assessment of their security procedures are bad and will be easily hacked. DO NOT GO ANY FURTHER THAN THAT. Leave it very vague and hand wavy. Under no circumstances tell them what is wrong. Leave that to someone else like what someone else suggested krebs or cert.
Nothing will be done by them other than them getting mad at you. End the relationship with them.
This pretty much is what will happen to you.
http://www.slideshare.net/Lanc...
They will follow the 5 stages of grief.
The fact you trivially hacked them says they are not even aware they have an issue. Which means they will shoot the messenger.
The folks that discovered the AT&T flaw downloaded information on something like 40,000 people and forwarded it to a journalist. Calling the institution itself after a spot check is pretty tame and seems well intentioned on its face compared to the AT&T situation.
Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecuters.
Here is what I would probably do:
1. Remove all of my own assets from the company/institution.
2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.
3. Verbally (in person if possible, phone as a last resore, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.
4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney client privilege) and tell them what is up. Fot God's sake, think twice, no three times before going this far.
5. Shut up and go about your business.
Most Respectfully Yours Mark Allyn Bellingham, Washington
Talk to, call, or send an email to your boss If he's not an idiot things will end soon. If that doesn't work. If' you have a contract. read it carefully, find the exit clause and use it.
Every time someone has tried to be the nice guy its backfired. You see something like this? Keep your mouth shut and forget it even happened.
Only the State obtains its revenue by coercion. - Murray Rothbard
I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.
FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... and usually give the vendor a heads up.
You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and some else's bank records came up... then I found out I made a typo". This is a perfectly reasonable story, there is nothing to be afraid of.
-- I was raised on the command line, bitch
If you really want to do it yourself, plug the domain name in here (just the domain name, no "www." prefix) http://www.networksolutions.com/whois/index.jsp and send an email to the Tech and Administrative email contacts. Include the webmaster@ , security@ , abuse@ and postmaster@ addresses. If they have an Investor Relations contact email address or form, use it. The IR mailbox is watched very closely in all companies and is a better contact than trying to guess the CEO's email address. I have never had a note to the IR contact go unanswered for any problem.
But use TOR to do it or go the Brian Krebs route. For the last incident response exercise I wrote for the bank where I work, the last paragraph was "The phone rings. It is a security blogger named Brian Krebs. He has found our information on a server in a foreign country."
What was the most common question about the scenario from bank senior managers? "Who does this Brian Krebs think he is anyway?" Your worst nightmare, oh corporate one.
It is a security hole and all the dire warnings by others are true. Most of these companies are run by people with no IT or computer expertise. The top man is going to haul the IT dept on the carpet and demand an explanation. You think the IT chief is going to admit that he/she was running a moronic system? No, she/he is going to shift blame and find some convenient scape goat. Given the top honchos don't know much about anything other than their bonus calculation, IT chief is going to claim, "It is a hack! That guys hacked into my super secure site". Then the PHBs running the company would call in the lawyers and make a mess out of the situation.
One thing the anonymous guy can do is to call the company that issued the mail-in-rebate and tell them, the outfit they had out sourced their rebate processing has holes in the system. Now it is the very big company that issued the rebate coupons run by PHBs fighting a smaller company that got the rebate processing contract run by PHBs. And quietly withdraw without drawing too much attention.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Go directly to your FSA (or FBI) field office. This shit has the potential to cost MILLIONS if not dealt with IMMEDIATELY, and you could be implicated having knowledge of such vulnerability and not reported it to competent authorities.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Accept this, as you have uncovered something they didn't know and can potentially damage them.
I did this with a government tax office and tried to alert them by calling the very number they advertised to handle this sort of issue. The response went like this:
The problem is, you want to help them and all they can see is 'random person the phone saying we have a problem' so it is easier to solve you. If the company is responsible enough to have a CERT team and a reporting mechanism you may stand a chance but it is more likely you will draw their ire because you can hurt the companies reputation.
If you can't change institutions then you should consider establishing what their data privacy policies are, hire a lawyer and then frame legal action to protect your own data whilst seeking damages to the value of your life earnings for exposing you to identity theft and fraud. You should be pissed off.
They won' t play nice so neither should you. Seek legal advice about the possibility for damages because you have been exposed to fraud. Leave it to them to discover the mechanism, because if they are that bad there are probably more.
My ism, it's full of beliefs.
You call and report this vulnerability. You think you are a hero. But look at it from their point of view.
First they verify the problem, and its true. Now they know at least ONE person, you, knows about it. Do you think ..."
they are going to tell you "we been aware of it for three years, but no one knew..." or maybe "... we followed up on
what you said, but it will be several weeks before we can fix it
Responding to you might lead more hacks. Consider you *already* reported it to Slashdot. If I was them I would
work quietly on this and never respond to you. For all they know, you are ISIS.
Well as others have already stated, you already made the rookie mistake of trying to report the issue and gave them your name and contact information. Now you are on the record as having breached their "security", even as pathetic as it is. When big money is possibly involved (as it would be in the case that financial information of hundreds/thousands of people are involved), you just became the "scapegoat". They will now use you as "hacking" them to attempt to make claims on their insurance to cover the cost of fixing the problem. That also means they will need to report to law enforcement, etc., to have the case brought forward.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
In the UK, British Telecom had a website that took donations for something. They left the website open, simply putting in a URL was enough to get to the private information of the donators.
The man who discovered it was prosecuted for hacking their website:
http://www.scl.org/site.aspx?i=ed832
"He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of “phishing” attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter. "
"But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly. "
DO NOT DISCLOSE THE INFORMATION TO ANYONE ELSE!!!! I can't state that enough. Also, DO NOT ACCESS IT EVER AGAIN!!!!!! I also can't state that enough either. Any subsequent accesses/"breach" of their security will be blamed on you, and used as evidence that you sent others the information, since you were the only one who knew. Anything anyone else does will be painted as you working in conjunction with a "group of hackers" in an attempt to defraud others, or even possibly extort the company in some way. Any continued access attempts on your part will be used to show that it wasn't a onetime mistake that let you uncover the issue, and that you continued to "hack" the site over a period of time.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Your thinking of Dan Cuthbert I think. A UK case, he donated money to a charity page then entered a directory traversal. Most likely /.. into the URL.
http://www.scl.org/site.aspx?i=ed832
(Slashdot is one dot away from a crime!)
It was a real face palm moment for the British Justice system that they prosecuted him. In effect they said "a directory traversal would not have been authorized, therefore this is unauthorized use of a computer, hence a crime".
A law designed pre-internet, yet the RFC for the web permits those URLs and their server provides the RFC interface therefore its for them to handle what data they return on what URLs. In this case they returned a 404 error page or similar. WHICH IS EXACTLY WHAT THEY SHOULD HAVE DONE, as per the spec.
What point did it become a crime? When Judges the are also pre-internet get involved.
Agree. The AT&T mob were not hammered in court for finding a flaw, they were hammered because they attempted to use the flaw to extort money.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Give them, maybe, one day to respond to your complaint. If they do not respond to your satisfaction, close your account and go elsewhere. It's your money. If they won't take good care of it, someone else will.
linquendum tondere
That's a confidential web forum that handles cases like this. Just provide the sensitive details and they'll take care of it from there. It's @ 4chan.org.
1. Send it to wikileaks.
2. Send anon email to company saying the information has been posted tow wikileaks.
3. Watch them have massive coronaries.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Send a postal letter to the CEO of the financial institution. Explain the problem. Give the institution a deadline for action. Since I found no actual disclosure of information in my case, I gave the institution a month. In your case, a week should be the maximum.
If you do not hear back in a week, send a postal letter to the government agency that supervises the institution (e.g., SEC, Controller of the Currency, FDIC). Send a copy to the federal Consumer Financial Protection Bureau. Postal addresses are available online for such agencies.
It helps if the institution's privacy policy indicates such disclosures are not permitted. In that case, insist that the government agency enforce the institution's privacy policy.
You don't want to end up like Weev, even though they did eventually let him out of jail. And you're apparently not somebody who's got the kind of personality he has, which, while it may make you less likely to end up in jail, isn't necessarily going to get you off the hook either.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I would e-mail, not telephone. Phone calls are too short and simplified.
Before you hit Send, trace through an exact example and describe every step in the e-mail message. I expect that the Customer Service Representative won't understand it. But with an e-mail he can forward it to somebody who will understand the security flaw.
That's what I would do.
use at least 14 proxies and post the details all over 4chan. the ensuing shitstorm will get the problem fixed PDQ.
Snowden and Manning are heroes.
There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.
(IANAL)
He apparently leaked information about 140,000 accounts. His sentence was vacated and conviction reversed on appeal because the appeals judge felt he should have been tried in his home state.
It's too bad this judge was not available for the "Amateur Action" computer porn case in 1996 (http://fac-staff.seattleu.edu/mchon/web/Cases/thomas.html).
Just name them anonymously, this is the only way executives move, bad press. Example, that time A UPS driver threw a TV over a fence. They guy had a video. At first they refused to pay to replace it, so he posted it to youtube and sent a copy to the 10 o'clock news. They paid up pretty fast. Their are tons of examples like this. You might think you are protecting people by hiding the bug, but you are not.
and contact the persons whose privacy was violated in the documents. You probably can not sue, they can.
Make sure to contact a lawyer first.
I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me.
Presumably, then, your data is viewable to others. First thing I'd do is demand that my data gets removed until the problem is fixed. Then I'd tell everyone who needs to know that I won't be uploading any more documents to this other website until someone else tells me I must, thereby taking responsibility for me doing so.
Mind you, I'm in the fortunate position of having directors who take me seriously when I tell them things like that.
systemd is Roko's Basilisk.
I would try to determine Step 2:
1. Discover a web site disclosing private data.
2. ???
3. PROFIT!
Don't fornicate. Seriously, just don't do it.
Threaten to sue them and if they fail to act post details of the vulnerability. What's the name of this 'partner web site' again?
Email the CEO, keep the body of the email short and simple enough for an IT illiterate to undestand the problem. Don't worry him/her about the consequences of the problem. Be sure to use a click bait subject line (they're probably very busy) e.g. Your account details for account [their bank account number] are attached. Don't forget to attach their bank account details
Oh - and don't do any of this from your computer - or via your internet connection. And don't expect credit, just that the problem will be rapidly fixed - which is what you want, right?
Because the CFAA is being abused in this realm, major nations need to pass responsible disclosure laws that protect people who report security flaws so long as they follow proper procedure.
Report the vulnerability to CERT.
https://forms.cert.org/VulRepo...
http://www.cert.org/vulnerabil...?
but that's putting you in bed with the weasels.
take some IT guys out for lunch with their laptop, show them how to lose their appetite. on a company computer.
things will happen at a good rate of speed.
if yoiu happen to have one of the security guys along, that will seal it quickly.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Immediately move my accounts to another financial institution. Not only have they not dealt with the security threat, they have no procedure in place to immediately escalate security threats.
As other replies have said, you are probably better off getting a lawyer BEFORE you go to the bank or anyone else.
Why?
1) If they've already discovered this themselves they may be working with the FBI and there may be a subpoena in your ISP's hands within minutes of you making your discovery.
2) Even if there isn't, the veiled threat of prosecution can be very intimidating.
3) By having your attorney speak to the bank and/or the government/police authorities for you BEFORE the police contact you, it will be abundantly clear to the police that you are just a good citizen and that it would be a political mess if they threatened to press charges or ignore the problem.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
... contact DHS and tell them you were at the library and you saw a guy with a scimitar and a Koran downloading private banking information. It will still likely be months before anything changes, but at least you'll know enough bankers are getting adequately inconvenienced in the affair.
I think that was covered in web programming 101 URL redirects/Directory transversal.
I am Bennett Haselton! I am Bennett Haselton!
You should have immediately contacted the FCC and FTC and Better Business Bureau!
I know others have said it, but, here is a link: https://www.ic3.gov/default.as... Going to law enforcement with the issue, should be a decent shield from prosecution. IANAL, so take this with a big grain of salt. So, maybe talk to a lawyer and ask them to file the complaint.
Letting Krebs know is a good idea... but email support at the bank, or even send the bank snail mail, with the info. Send it with delivery confirmation. And, at the bottom, add
cc: SEC
so they know you're serious. And really and truly, contact the SEC, which regulates banks, and esp. with all the bank problems lately, I'll wager they're really, really interested in this.
Oh, call them back, and ask for "their legal service address". That will get someone attention, for real.
Last option: get a lawyer to write a lawyer letter to the bank. This will also get their attention.
mark
You suspect that a bank leaves the door to their building containing their customers money unlocked. Do you a) check to see if the door is open b) tell the bank it might be unlocked c) call the police? All of the above a) because the door doesn't say keep out anywhere b) because your money is in there c) because the banks negligence can and will cost you your money.