Slashdot Mirror


How Do You Handle the Discovery of a Web Site Disclosing Private Data?

An anonymous reader writes: I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second-guessing how to move forward if it is not quickly resolved. So, Slashdot, how would you handle this situation?
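The flaw the submitter describes is a missing object-level authorization check: the document ID in the URL is the only thing the server consults. The following is an added example, not code from the post or from the site in question, that models that handler beside a hardened version; the names (Document, DOCUMENTS, fetch_document_*) and the sample store are assumptions made for the example.

```python
"""Added example (not from the Slashdot post): the document-download flaw
described above, modelled as a minimal service, beside the owner check that
closes it. Document/DOCUMENTS/fetch_document_* are names assumed here."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store standing in for the rebate center's document table.
DOCUMENTS = {
    1001: Document(1001, "alice", "alice-credit-card-statement"),
    1002: Document(1002, "bob", "bob-credit-card-statement"),
}


class NotAuthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def fetch_document_vulnerable(doc_id: int, session_user: Optional[str]) -> str:
    """Mirrors the reported behaviour: the URL's document ID is the only input,
    so changing 1001 to 1002 returns another customer's statement, logged in or not."""
    return DOCUMENTS[doc_id].body


def fetch_document_hardened(doc_id: int, session_user: Optional[str]) -> str:
    """Authenticate first, then compare the object's owner with the session user.
    Unknown and foreign IDs raise the same error so a caller cannot tell which
    IDs exist by probing."""
    if session_user is None:
        raise NotAuthenticated("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise Forbidden("no such document for this user")
    return doc.body


def access_outcome(handler, doc_id: int, session_user: Optional[str]) -> str:
    """Run a handler and report either the body or the exception name."""
    try:
        return "ok:" + handler(doc_id, session_user)
    except (KeyError, NotAuthenticated, Forbidden) as exc:
        return type(exc).__name__
```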

9 of 230 comments

  1. Krebs by kylemonger · · Score: 5, Insightful

    Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

    1. Re:Krebs by camperdave · · Score: 5, Interesting

      Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank itself doesn't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:Krebs by pepty · · Score: 5, Informative

      Call the bank and ask for their "agent of service". This is the first step you take when you sue a corporation: find out the lawyer you need to send the paperwork to. Not that you will actually be suing them, but if anyone can light a fire under the bank's IT staff it's their lawyer.

  2. Post the URL here... by Anonymous Coward · · Score: 5, Funny

    ... That way we can help, too.

    Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?

  3. Buy some suntan lotion by Vinegar+Joe · · Score: 5, Funny

    You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer funded trip to Cuba.

    --
    "The average reporter we talk to is 27 years old... They literally know nothing." - Ben Rhodes
  4. If you're in the United States, get a lawyer by Anonymous Coward · · Score: 5, Informative

    You called the bank and admitted manipulating the site in order to view other people's private financial information.

    Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).

    Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.

  5. Please be very careful! by mallyn · · Score: 5, Informative

    Folks:

    Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecutors.

    Here is what I would probably do:

    1. Remove all of my own assets from the company/institution.

    2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.

    3. Verbally (in person if possible, phone as a last resort, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.

    4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney-client privilege) and tell them what is up. For God's sake, think twice, no, three times before going this far.

    5. Shut up and go about your business.

    --
    Most Respectfully Yours, Mark Allyn, Bellingham, Washington
  6. Get off my lawn by fulldecent · · Score: 5, Interesting

    I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.

    FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... and usually give the vendor a heads up.

    You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying, "I wrote down this URL, then I typed it back in and someone else's bank records came up... then I found out I made a typo," this is a perfectly reasonable story; there is nothing to be afraid of.

    --
    I was raised on the command line, bitch

  7. Ass covering, BT Example from UK by Anonymous Coward · · Score: 5, Informative

    In the UK, British Telecom had a website that took donations for something. They left the website open; simply putting in a URL was enough to get to the private information of the donators.

    The man who discovered it was prosecuted for hacking their website:

    http://www.scl.org/site.aspx?i=ed832

    "He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of “phishing” attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter."

    "But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly."
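The quoted account notes that a directory traversal attempt is an obvious alerting signature, and the original story is about document IDs being walked in a URL. As an added example, not from the article or from BT's IDS, here is a log check that does both: it percent-decodes each request path and flags traversal sequences, and separately flags clients that request many distinct document IDs. The log format, paths, IP addresses and the threshold are constructed for the example.

```python
"""Added example (not from the article quoted above): a web-log check in the
spirit of the IDS described, plus a check for document-ID enumeration.
Log lines, paths and addresses below are constructed, not real traffic."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format access log (assumed layout: /documents/<id>).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "GET /documents/1001 HTTP/1.1" 200 512
203.0.113.10 - - [10/Mar/2014:12:00:02 +0000] "GET /documents/1002 HTTP/1.1" 200 498
203.0.113.10 - - [10/Mar/2014:12:00:03 +0000] "GET /documents/1003 HTTP/1.1" 200 611
203.0.113.10 - - [10/Mar/2014:12:00:04 +0000] "GET /documents/1004 HTTP/1.1" 200 377
198.51.100.7 - - [10/Mar/2014:12:01:00 +0000] "GET /donate/..%2F..%2Fetc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [10/Mar/2014:12:01:05 +0000] "GET /donate/thanks HTTP/1.1" 200 1024
192.0.2.44 - - [10/Mar/2014:12:02:00 +0000] "GET /documents/2001 HTTP/1.1" 200 503
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3}')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")   # a ".." path segment after decoding
DOC_RE = re.compile(r"^/documents/(\d+)$")


def decode_path(path: str) -> str:
    """Decode twice so a double-encoded "%252e%252e%2f" also becomes "../"."""
    return unquote(unquote(path))


def analyse(log_text: str, enum_threshold: int = 3) -> dict:
    """Return traversal hits as (ip, raw_path) and the clients that requested
    at least enum_threshold distinct document IDs."""
    traversal_hits = []
    ids_per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than fail the run
        path = decode_path(m["path"])
        if TRAVERSAL_RE.search(path):
            traversal_hits.append((m["ip"], m["path"]))
        d = DOC_RE.match(path)
        if d:
            ids_per_client[m["ip"]].add(int(d.group(1)))
    enumerators = sorted(ip for ip, ids in ids_per_client.items()
                         if len(ids) >= enum_threshold)
    return {"traversal": traversal_hits, "enumerators": enumerators}
```

A single foreign ID, as in the submitter's own test, stays under the threshold; a client walking consecutive IDs does not.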