Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Should I report a web vulnerabilities to the company?

  • 03-11-2012 4:05am
    #1
    Registered Users, Registered Users 2 Posts: 8


    I have managed to successfully SQL Inject a website, the databases contained sensitive information about the owners and their customers and plain text passwords and usernames for connecting to their sub sites was also retrieved.

    Should i report it to them?
    will I get in trouble?:confused:

    Big Breach
    Tagged:


Comments

  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    if you are concerned about getting into trouble find a way to notify them anonymously but definitely you should notify them. They might not deserve the attention having a "leaky" website but their customers havent done anything wrong.

    As for getting in to trouble, I would guess that depends on the company. Some will think "great ,we've been warned by someone responsible" others will this "we've been hacked! make them pay so no-one does it again".

    As long as you did not retain or distribute any copies of any data you found as a result of the successful sql injection you have a chance at playing the gray hat "I'm just trying to help" card.


  • Closed Accounts Posts: 407 ✭✭LLU


    Personally I'd be nervous about getting into trouble. Maybe I'm just cynical but do be aware that this could be embarassing to them and rather than being grateful they could do anything from shutting you up to using you as the scapegoat for their cock ups. Especially given that you did SQL injection and got sight of sensitive data, even though it was well intentioned.

    Also I would report them to the data commissioners - www.dataprotection.ie . And keep myself anonymous there also.


  • Registered Users, Registered Users 2 Posts: 8 VHS80s


    I've emailed them semi anonymous... now wait the response!!


  • Registered Users, Registered Users 2 Posts: 6,889 ✭✭✭tolosenc


    Yeah, have had friends who've been emailed back by legal departments about not having permission to hack their system, I'd deffo tell them, but be as anonymous as possible.

    SQL injection is horrendously amateur, though.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Have a poke through the company employees on linkedin. You'll probably find a more appropriate person to contact than a generic abuse@ address. Probably best to do it anon too.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 8 VHS80s


    Gavin wrote: »
    Have a poke through the company employees on linkedin. You'll probably find a more appropriate person to contact than a generic abuse@ address. Probably best to do it anon too.

    The company is not listed on linkedin and have not received a email from them this is the 3rd day!
    I still have to use that web contact form on their site, cant find any
    someone@company.com email address anywhere!


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    I would consider professional legal advice as you have mentioned passwords in plain txt, which would suggest (do not confirm) you dumped the DB.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    You don't need professional legal advice, it'd be flushing money down the toilet; particularly in Ireland where IT-savvy lawyers are as rare as hens teeth.

    Just do your best to report it anonymously, and if that fails do as another user suggested and report it - again anonymously - to the data protection commissioner. They won't respond immediately but they /will/ respond.

    If all else fails, pick up a SIM card in Tesco and call, or send a letter. I know they're old-fashioned, but voice and post systems are still operational. :)


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    You could also try contacting their hosting provider ..
    Again - anonymity would be the best idea ..

    I wouldn't seek legal advice - that's going to cost you money .. and you're potentially doing them a favour


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    Other option is to goto a net cafe and sign up for a new email account and sent the info to the nearest thing to a CERT Ireland has.

    http://www.iriss.ie/iriss/contactus.htm


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    I quite like that. An approach from a respected organisation is going to carry a lot more weight than an individual and also conforms with the whole idea of "responsible disclosure".


  • Registered Users, Registered Users 2 Posts: 20,299 ✭✭✭✭MadsL


    I've had little thanks at times calling (generally on Data Protection issues) businesses to let them know of issues.

    Some people get awfully defensive.


  • Registered Users, Registered Users 2 Posts: 1,771 ✭✭✭Dude111


    I would consider professional legal advice as you have mentioned passwords in plain txt, which would suggest (do not confirm) you dumped the DB.
    If they check thier logs couldnt they see what he did??

    I do think he should tell them of this though....


  • Registered Users, Registered Users 2 Posts: 14 BrianHonan


    Folks

    Firstly, testing the security of a web site or system that you do not have explicit permission from the owner to do so can land you in deep trouble as under Irish law (e.g. unauthorised access under Criminal Damages Act 1991 http://www.irishstatutebook.ie/1991/en/act/pub/0031/index.html ). So unless you own the system or have explicit permission from the owner of the site, ideally in writing, you could be inviting a lot of trouble on yourself.

    From time to time IRISSCERT has tried to notify organisations of security issues on behalf of others. Note though that we cannot gaurantee any type of response from the organisation apart from simply notifying them.

    Also, while we will aim to keep the source anonymous if requested with appropriate legal documentation, e.g. a warrant, we will be obliged to hand over any information we have should the website owner decide to treat the issue as a security breach and report it to the Gardai.


  • Registered Users, Registered Users 2 Posts: 2,105 ✭✭✭ectoraige


    Whatever you do, be extremely careful not to make any communication that could in any way be construed to mean that you expect any form of thanks from the company. Any hint of extortion/blackmail would not go well.

    If you're not having any response from the company, I'd second contacting the data protection commissioner's office.


Advertisement