Slashdot Mirror


How Do You Handle the Discovery of a Web Site Disclosing Private Data?

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?
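The flaw the submitter describes (swap the document ID in the URL, get someone else's document, no login required) is an insecure direct object reference. As an added example that is not part of the Slashdot thread, the code below shows that lookup pattern beside an owner-scoped version and a simple access-log check for ID enumeration; the document store, session table, document IDs and log records are all constructed placeholders.

```python
# Added example, not from the Slashdot thread: the submission's flaw is an
# insecure direct object reference (IDOR). The URL's document ID is the only
# thing that selects the record, and nothing ties it to the requester.
# Everything here is constructed: store, sessions, IDs and log records.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed stand-in for the rebate site's document table.
DOCUMENTS = {
    1001: Document(1001, owner_id=7, body="statement for user 7"),
    1002: Document(1002, owner_id=8, body="statement for user 8"),
}

# Constructed session table: session token -> authenticated user id.
SESSIONS = {"tok-user7": 7, "tok-user8": 8}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def vulnerable_get_document(doc_id: int) -> Optional[Document]:
    """The pattern the submitter describes: the URL's document ID is the only
    input, so anyone who can guess an ID can read any document."""
    return DOCUMENTS.get(doc_id)


def hardened_get_document(session_token: Optional[str], doc_id: int) -> Document:
    """Require an authenticated session, then check that the authenticated
    user owns the document. Missing and foreign documents both raise
    Forbidden, so a probe cannot learn which IDs exist from the response."""
    user_id = SESSIONS.get(session_token or "")
    if user_id is None:
        raise Unauthenticated("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != user_id:
        raise Forbidden("no such document for this user")
    return doc


# Constructed access-log records: (client address, document id, HTTP status).
ACCESS_LOG = [
    ("203.0.113.5", 1001, 200),
    ("203.0.113.5", 1002, 200),
    ("203.0.113.5", 1003, 200),
    ("203.0.113.5", 1004, 200),
    ("198.51.100.9", 1002, 200),
]


def enumeration_suspects(log, threshold: int = 3) -> list:
    """Clients that successfully fetched more than `threshold` distinct
    document IDs. Where each user holds a document or two, that is the
    signature of someone walking the ID space: what the operator should
    have been alerting on."""
    seen: dict = {}
    for client, doc_id, status in log:
        if status == 200:
            seen.setdefault(client, set()).add(doc_id)
    return sorted(c for c, ids in seen.items() if len(ids) > threshold)
```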

32 of 230 comments

  1. Krebs by kylemonger · · Score: 5, Insightful

    Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

    1. Re:Krebs by MrBigInThePants · · Score: 3, Funny

      Absolutely. Tell lots of high profile people who have loose lips. Hey, tell your favorite prostitute while you are at it!

      Blab about it on the internet on a very popular website also. That will increase your chances of being personally identified before you notify the appropriate people and ensure that the preemptive action they will take against you will not work. Alternatively they can also use that against you after the fact instead/as well.

      I would also suggest as "icing on the cake" to paint red circles of decreasing size around your anus to make targeting easier.

      Alternatively you could ignore the truly SHITTY advice here on slashdot and be discreet and anonymous.

    2. Re:Krebs by Jane+Q.+Public · · Score: 4, Interesting

      Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

      Don't be so sure.

      I had a similar problem with a bank back in 2000-2001. I called their customer service dept. and they put me in contact with the IT dept. I explained that their web banking portal was spewing private information all over the place. (I was quite alarmed, since I had noticed this when doing my own online banking.) They said they'd see to it right away.

      A couple of weeks go by, it's still the same. Now, mind you, this was a MAJOR leak to anybody who knew about it. Arguably worse than OP's problem. So I called them again. I was assured that they were right on top of it.

      After about another month went by, I went into the main branch of the bank, and SHOWED this to one of the managers. He seemed quite concerned. Another couple of months go by... nothing.

      I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story. (Turned out later, they were best buds with this particular bank.)

      Anyway, long story short: they did nothing. It took them a full year and a half to fix the problem. If I had been an unethical person, I could have emptied out the accounts of MANY people over that time.

    3. Re:Krebs by camperdave · · Score: 5, Interesting

      Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank themselves don't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.

      --
      When our name is on the back of your car, we're behind you all the way!
    4. Re:Krebs by pepty · · Score: 5, Informative

      Call the bank and ask for their "agent of service". This is the first step you take when you sue a corporation: find out the lawyer you need to send the paperwork to. Not that you will actually be suing them, but if anyone can light a fire under the bank's IT staff it's their lawyer.

    5. Re:Krebs by plover · · Score: 3, Insightful

      Nobody took computer security seriously back in 2001. Things have changed a lot since then. For example, if you were to contact that same bank with the same information today, they would likely know better and would now contact the FBI and have you arrested on charges of violating the Computer Fraud and Abuse Act.

      Actually, contacting the FBI might not be a bad choice for the story submitter. They would probably be very interested in working with that bank to shut this problem down quickly.

      --
      John
    6. Re:Krebs by Anonymous Coward · · Score: 4, Informative

      I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story.

      Notorious troll "Weev" did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.

    7. Re:Krebs by ArcadeMan · · Score: 4, Funny

      I agree. A friendly game of baseball is the perfect opportunity to discuss security issues with them.

    8. Re: Krebs by devilspgd · · Score: 3, Insightful

      Or just walk away.

      While true, this solution doesn't allow one to protect their own data which is also exposed.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    9. Re:Krebs by Anonymous Coward · · Score: 3, Informative

      Do NOT give them anything in writing that is an admission of "hacking".

    10. Re:Krebs by AchilleTalon · · Score: 3, Interesting

      Having written the on-line banking communication protocol of a bank back in 1995, I can assure you they were not taking security seriously. I explicitly asked about requirements for encryption and they had none. They didn't want to bother with encryption because the infrastructure was running on dialup lines connected directly to their infrastructure, and they wanted to be the first bank to make on-line banking available to its customers. At this time the internet was in its infancy, hence the choice of the dialup infrastructure, and everyone was subscribing to dialup lines for Internet access; DSL and cable modems were still waiting to be invented. It was even Windows 3 and OS/2.

      --
      Achille Talon
      Hop!
    11. Re:Krebs by cusco · · Score: 3, Interesting

      In the late '90s I worked as System Operator for a company which sent several thousand automated account renewals to credit card companies each month. We had been sending 9-track tapes via Fed Ex, and I was tasked with converting all these to digital transfers. We ended up with a mish-mash of different methods, dialup modem, encrypted email attachments, etc., but American Express had a rather unique approach.

      They had us FTP an unencrypted, unzipped text file to a folder with our account number on their ftp site. Logged in as anonymous. With full access to all the other folders showing all their other customers' data transfers. They didn't clean up the folders either, so some of the other customers had a year's worth of data transfers piled up. We couldn't believe it.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  2. Notify CTO, CFO & CEO offices by BoRegardless · · Score: 4, Funny

    Those people will definitely take your info and get it acted upon.

    1. Re:Notify CTO, CFO & CEO offices by AK+Marc · · Score: 4, Interesting

      I worked for a 10,000+ person company where the CEO read the emails identified by his secretary as important. I worked for a 200+ person tech company where the CTO read some of the emails the secretary printed out for him. He didn't have a computer (not in the office, and not at home). If he sent an email, he dictated it to his secretary, and she would then send it for him.

      For a 5-man company, you may find CEOs read their own emails. For larger than that, the CEOs don't read emails. The few I know that did, used their personal email for business, and the business email was essentially forwarded to the info@ email box.

      I've found that snail mail got insanely quick response. It would get to the CEO and be read. Only obvious advertisements would be withheld by helpers, and even then not aggressively so.

    2. Re:Notify CTO, CFO & CEO offices by pepty · · Score: 3, Insightful

      In my experience, it won't.

      I reported to a small non-profit that their list of email addresses had leaked. I knew this because I used a unique address when registering with the site and I later started getting SPAM at that address.

      Most likely, the non-profit sold your email address (along with the rest of their list), leading to embarrassment all around when you contacted them about the spam.

    3. Re:Notify CTO, CFO & CEO offices by Alan+Shutko · · Score: 4, Informative

      In my Fortune 25 company, we have a department of people devoted to resolving issues of people who contact the CEO, President, or other members of senior staff. This method absolutely will light a fire under the IT staff to fix it. I don't know whether he reads every incoming letter or email, but I do know that each one is handled by the presidential escalation team, and tracked, and reported out regularly.

      We also have a Chief Information Security Officer who will personally latch onto this like a bulldog and ensure that it's fixed. We had a breach a number of years ago and it's still used as a reminder that "That will NOT happen again."

  3. Post the URL here... by Anonymous Coward · · Score: 5, Funny

    ... That way we can help, too.

    Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?

    1. Re:Post the URL here... by mallyn · · Score: 3, Funny

      My mother's maiden name is Judy Garland and my high school is The Emerald City High School.

      --
      Most Respectfully Yours Mark Allyn Bellingham, Washington
  4. Buy some suntan lotion by Vinegar+Joe · · Score: 5, Funny

    You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer funded trip to Cuba.

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
    1. Re:Buy some suntan lotion by pollarda · · Score: 4, Insightful

      Actually, this isn't too far from the truth. I've heard of a few cases where simply changing the URL has brought up documents that should be private and the person who reported it was brought up on charges for "hacking". Unfortunately, the public does not understand the difference between simply poking around and trying to mess up someone's system for nefarious reasons. Perhaps someone here on /. will remember the particular cases involved but as sad as it sounds, you are on a shaky legal foundation.

    2. Re:Buy some suntan lotion by borcharc · · Score: 4, Insightful

      This shouldn't be modded funny, it's the most likely outcome. You really should start thinking of protecting yourself now that you have made yourself a target.

  5. If you're in the United States, get a lawyer by Anonymous Coward · · Score: 5, Informative

    You called the bank and admitted manipulating the site in order to view other people's private financial information.

    Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).

    Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.

    1. Re:If you're in the United States, get a lawyer by Anonymous Coward · · Score: 4, Interesting

      Personally, if it were me, I agree with the statement "get a lawyer", but for different reasons. I'd immediately sue them. In a court of law you've now put them on the defensive. If they try to take legal action against you, you have that you discovered a flaw in their system and immediately held them responsible. If they try to claim you were doing anything malicious, then they have to admit wrongdoing and plead guilty to your lawsuit. And in your defense case, it then looks like you happened to find the flaw, were furious and took legal recourse against them.

      It may not make technical logic, but as far as I can tell in the legal world, putting them on the defensive as soon as possible is the best move you can do.

    2. Re:If you're in the United States, get a lawyer by bigtrike · · Score: 3, Informative

      The one time I ran into this, I informed the company from an anonymous email account. I claimed that I'd accidentally typed a number into the URL bar and someone else's complete order information came up. I stated that I had not shared the information with anyone and did not plan to (to cover my ass and make it clear I was not threatening them). I was still worried that they'd send the FBI after me, but I also felt that I had a moral obligation to inform them of the issue before someone else discovered it and stole a bunch of customer information.

  6. Time to sever the financial relationship by Tillman · · Score: 3, Insightful

    Either the place is incompetent or made a deliberate design decision. Either way, your best move is to simply move on. There's plenty of competition out there.

    Do not reveal the information to anyone else, and don't go poking around.

  7. Please be very careful! by mallyn · · Score: 5, Informative

    Folks:

    Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecutors.

    Here is what I would probably do:

    1. Remove all of my own assets from the company/institution.

    2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.

    3. Verbally (in person if possible, phone as a last resort, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.

    4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney client privilege) and tell them what is up. For God's sake, think twice, no three times before going this far.

    5. Shut up and go about your business.

    --
    Most Respectfully Yours Mark Allyn Bellingham, Washington
  8. You done fucked up by ArchieBunker · · Score: 4, Informative

    Every time someone has tried to be the nice guy it's backfired. You see something like this? Keep your mouth shut and forget it even happened.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  9. Get off my lawn by fulldecent · · Score: 5, Interesting

    I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.

    FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... and usually give the vendor a heads up.

    You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and someone else's bank records came up... then I found out I made a typo", this is a perfectly reasonable story; there is nothing to be afraid of.

    --
    -- I was raised on the command line, bitch

  10. Rookie mistake... by Fallen+Kell · · Score: 4, Informative

    Well as others have already stated, you already made the rookie mistake of trying to report the issue and gave them your name and contact information. Now you are on the record as having breached their "security", even as pathetic as it is. When big money is possibly involved (as it would be in the case that financial information of hundreds/thousands of people are involved), you just became the "scapegoat". They will now use you as "hacking" them to attempt to make claims on their insurance to cover the cost of fixing the problem. That also means they will need to report to law enforcement, etc., to have the case brought forward.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  11. Ass covering, BT Example from UK by Anonymous Coward · · Score: 5, Informative

    In the UK, British Telecom had a website that took donations for something. They left the website open; simply putting in a URL was enough to get to the private information of the donators.

    The man who discovered it was prosecuted for hacking their website:

    http://www.scl.org/site.aspx?i=ed832

    "He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of “phishing” attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter. "

    "But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly. "

  12. Re:Rookie mistake... Also... by Fallen+Kell · · Score: 3, Insightful

    DO NOT DISCLOSE THE INFORMATION TO ANYONE ELSE!!!! I can't state that enough. Also, DO NOT ACCESS IT EVER AGAIN!!!!!! I also can't state that enough either. Any subsequent accesses/"breach" of their security will be blamed on you, and used as evidence that you sent others the information, since you were the only one who knew. Anything anyone else does will be painted as you working in conjunction with a "group of hackers" in an attempt to defraud others, or even possibly extort the company in some way. Any continued access attempts on your part will be used to show that it wasn't a one-time mistake that let you uncover the issue, and that you continued to "hack" the site over a period of time.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  13. Better avenues than public disclosure by matthewv789 · · Score: 4, Insightful

    There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.

    1. Try to notify technical contacts, who can most efficiently and cheaply understand and fix the problem, with the least embarrassment or hassle.
    2. Notify the legal department, outside counsel, accountants or auditors. They are responsible for dealing with risks to the company, and to certifying proper controls over financial or customer information.
    3. Try to notify executive management directly.
    4. Contact government and other regulatory or certifying bodies, such as PCI (for anyone handling credit cards), SEC (for public companies), FTC, Better Business Bureau, Chamber of Commerce, etc.
    5. Report it to CERT.
    6. If you're a customer, (politely) threaten to take your business elsewhere (or actually do it), or have your attorney send them a letter threatening to sue for putting your information or money at risk. You could threaten to make it a class action too. (Note that you'd need to be an affected customer to have standing to sue.)
    7. Any public disclosure you may be tempted to make, go through a news organization, who will verify the information, contact the company for comment, and weigh the ethical pros and cons of how to tell the story effectively without revealing so much information as to do harm. Some "on your side" segments on local TV news might work well for this.
    8. If you want to publish or comment publicly yourself, consult your attorney, and limit yourself to saying that there is a vulnerability, but not any details about it. But you can particularly publicize the company's (non-)response to it.
    9. If you can document that someone else is already exploiting the flaw, you could report on the exploitation that's occurring, without being the one to expose the vulnerability.
    10. And of course once the flaw is fixed, you could discuss it more widely as well.

    (IANAL)