
ethics regarding discovering vulnerability in competitor web application

  • 04-03-2015 4:10pm
    #1
    Registered Users Posts: 1,717 ✭✭✭


    I'm transferring a new customer's data from a competitor's product to our own product.

    I've recently (today) discovered a potential vulnerability in the competitor's web application.

    If I know the name of the file I want, I can download it without authentication. In other words the files are all publicly accessible - all I have to do is append the filename to a URL, just like how assets like CSS and JavaScript are delivered.

    As the saying goes, security through obscurity isn't security at all.

    Should I tell the competitor?
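The pattern described in the post, as an added example that is not part of the original thread or the competitor's actual code: a file route served like a static asset (no session, no ownership check), beside a hardened version of the same route, a time-limited signed link for recipients who have no session, and the unauthenticated probe that surfaces the problem. File names, account names, session cookies and the signing key are all constructed sample data.

```python
"""Direct file download without authentication, and what the fix looks like."""
import hashlib
import hmac
import posixpath
from typing import Callable, List, Optional, Tuple

PREFIX = "/files/"

# Constructed sample storage (not from the thread): file name -> (owner account, content)
FILES = {
    "invoice-1001.pdf": ("acme", b"%PDF-1.4 acme invoice"),
    "invoice-1002.pdf": ("globex", b"%PDF-1.4 globex invoice"),
}
# Constructed sessions: cookie value -> logged-in account
SESSIONS = {"sess-acme": "acme", "sess-globex": "globex"}
# Hypothetical server-side secret used only for the signed-link variant below
SIGNING_KEY = b"demo-key-rotate-in-production"


def vulnerable_download(path: str) -> Tuple[int, bytes]:
    """The flaw from the post: /files/<name> is served exactly like CSS or JS.
    No session is consulted, so knowing (or guessing) the name is enough."""
    if not path.startswith(PREFIX):
        return 404, b""
    rec = FILES.get(path[len(PREFIX):])
    return (200, rec[1]) if rec else (404, b"")


def _clean_name(raw: str) -> Optional[str]:
    """Accept a single path component only; reject traversal and empty names."""
    name = posixpath.normpath(raw)
    if name != raw or "/" in name or name in ("", ".", ".."):
        return None
    return name


def hardened_download(path: str, session_cookie: Optional[str]) -> Tuple[int, bytes]:
    """Same route with authentication, input validation and an ownership check."""
    account = SESSIONS.get(session_cookie or "")
    if account is None:
        return 401, b""                      # not logged in
    if not path.startswith(PREFIX):
        return 404, b""
    name = _clean_name(path[len(PREFIX):])
    if name is None:
        return 400, b""                      # traversal or malformed name
    rec = FILES.get(name)
    # 404 for both "missing" and "not yours": don't confirm other tenants' files exist
    if rec is None or rec[0] != account:
        return 404, b""
    return 200, rec[1]


def sign_link(name: str, expires_at: int) -> str:
    """Time-limited link for a recipient without a session (e.g. an emailed download)."""
    mac = hmac.new(SIGNING_KEY, f"{name}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return f"{PREFIX}{name}?exp={expires_at}&sig={mac}"


def signed_download(url: str, now: int) -> Tuple[int, bytes]:
    """Serve a signed link only if the MAC covers the name and expiry and it has not expired."""
    path, _, query = url.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    name = _clean_name(path[len(PREFIX):]) if path.startswith(PREFIX) else None
    if name is None or not params.get("exp", "").isdigit():
        return 400, b""
    exp = int(params["exp"])
    expected = hmac.new(SIGNING_KEY, f"{name}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("sig", "")) or now > exp:
        return 403, b""
    rec = FILES.get(name)
    return (200, rec[1]) if rec else (404, b"")


def unauthenticated_probe(handler: Callable[[str], Tuple[int, bytes]], names: List[str]) -> List[str]:
    """The check from the post: request each name with no session; list the ones that come back 200."""
    return [n for n in names if handler(PREFIX + n)[0] == 200]


if __name__ == "__main__":
    print("leaked by vulnerable route:", unauthenticated_probe(vulnerable_download, list(FILES)))
    print("leaked by hardened route:  ", unauthenticated_probe(lambda p: hardened_download(p, None), list(FILES)))
```

The probe is the same thing the poster did by hand: append a known name to the asset URL with no cookie and see whether the bytes come back. Against a real target, run it only against files you are entitled to (your own customer's, in this case); iterating over other tenants' names is exactly the behaviour the thread warns could be read as something other than good faith.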


Comments

  • Registered Users Posts: 570 ✭✭✭hooplah


    You could write it up, tell the competitor and then after a set period of time publish the write-up as a blog post.

    Not telling them can potentially damage them and their clients, which isn't something you want to do.


  • Moderators, Music Moderators Posts: 2,151 Mod ✭✭✭✭Oink


    You've taken their client. You won. I know they're competition but surely you're not interested in seeing all these people (clients included) fall on their faces if it's not strictly necessary?

    I like what the previous poster said.


  • Registered Users Posts: 859 ✭✭✭OwenM


    I discovered a similar hole in the website of a major Irish company about 15 months ago.

    My options, as I saw them then:

    1. Demand a reward in return for the vulnerability, or I go to the press and the data protection commissioner.
    2. Tell them and ask for a reward.

    The first option might have gotten their backs up and they might have gone legal, claiming extortion and I could have ended up being questioned by the police or defending a civil circuit / high court action. I am not a pen tester looking to build a reputation and the publicity could have been very negative for me, plus a relative was working for them in a fairly senior position and LinkedIn would have revealed this quite quickly. I ended up going for the second option and they did give me a nice piece of electronics along with their genuine thanks from the senior management team.

    A third option I didn't know about at the time was the existence of third party 'exploit brokers' who make the approach for you and demand a price for revealing the flaw - this would have shielded me from the publicity and I would be sorely tempted if put back in that position again. €10k would not have been unreasonable considering they would have probably paid more than this to a PR firm for damage limitation, let alone the lost business and damage to the brand.

    I was not working for a competitor so I didn't have that ethical consideration.

    Karma exists - I now work for them indirectly as a contractor sitting in one of their offices every day - they are unaware I am 'that guy' though, but imagine if I had gone for the first option.


  • Registered Users Posts: 16,402 ✭✭✭✭Trojan


    Flip it... if you were on the other side of the table what approach would you want someone to take?


  • Registered Users Posts: 1,717 ✭✭✭Raging_Ninja


    One of the things is that these guys have a not very good customer relations rep, and I'm not sure how they would react.

    I've considered going to the data protection commissioner, going to think a bit more.


  • Closed Accounts Posts: 7,967 ✭✭✭Synode


    An exploit broker sounds like a great idea


  • Moderators, Music Moderators Posts: 2,151 Mod ✭✭✭✭Oink


    Synode wrote: »
    An exploit broker sounds like a great idea

    Sounds more like a blackmail negotiator to me. If you have to spend days explaining it I could understand the need for compensation. If it's just a conversation I would take 10 min to honour the "Don't be a D1ck" principle.


  • Registered Users Posts: 1,275 ✭✭✭bpmurray


    Of course you should tell them: why are you waiting? If their customer relations rep is a dick and acts like it, tell him thanks and that you'll be making it public immediately.


  • Closed Accounts Posts: 7,967 ✭✭✭Synode


    Oink wrote: »
    Sounds more like a blackmail negotiator to me. If you have to spend days explaining it I could understand the need for compensation. If it's just a conversation I would take 10 min to honour the "Don't be a D1ck" principle.

    True. However, if it's a big organisation that would gladly pay for this information, you'd be a fool to give it to them for free.


  • Registered Users Posts: 1,717 ✭✭✭Raging_Ninja


    Well I told the customer, let them figure out what to do.

