ethics regarding discovering vulnerability in competitor web application

  • 04-03-2015 03:10PM
    #1
    Registered Users, Registered Users 2 Posts: 1,717 ✭✭✭


    I'm transferring a new customer's data from a competitor's product to our own product.

    I've recently (today) discovered a potential vulnerability in the competitor's web application.

    If I know the name of the file I want, I can download it without authentication. In other words the files are all publicly accessible - all I have to do is append the filename to a URL, just like how assets like CSS and JavaScript are delivered.

    As the saying goes, security through obscurity isn't security at all.

    Should I tell the competitor?

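As an added example (not code from the thread or from either product), here is the download pattern the original post describes next to a hardened version, plus a small check that a defender could run over access logs to spot the same exposure. The file store, sessions, ownership table and log lines are all constructed for the example.

```python
"""Added example: unauthenticated file download beside a hardened handler,
and a log check for successful file hits that carried no session.
Standard library only; all data below is constructed for illustration."""
from pathlib import PurePosixPath

# Constructed file store and ownership table (file name -> customer id).
FILES = {
    "invoice-2015-03.pdf": b"%PDF-1.4 invoice for customer 42",
    "contract.pdf": b"%PDF-1.4 contract for customer 7",
}
OWNER = {"invoice-2015-03.pdf": 42, "contract.pdf": 7}
# Constructed session table (session token -> customer id).
SESSIONS = {"tok-42": 42, "tok-7": 7}


class Unauthorized(Exception):
    """No valid session presented."""


class NotFound(Exception):
    """File missing, malformed name, or not owned by the caller."""


def download_insecure(filename):
    """The pattern described in the post: whoever knows the name gets the file.
    Nothing is checked except that the name exists in the store."""
    if filename not in FILES:
        raise NotFound(filename)
    return FILES[filename]


def safe_name(filename):
    """Accept only a bare file name: no absolute paths, no '..', no subdirs."""
    p = PurePosixPath(filename)
    if p.is_absolute() or len(p.parts) != 1 or p.name in ("", ".", ".."):
        raise NotFound(filename)
    return p.name


def download_secure(filename, session_token):
    """Hardened form: authenticate, normalise the name, then authorise.
    An unowned file raises the same NotFound as a missing one, so the
    endpoint does not confirm which names exist."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise Unauthorized()
    name = safe_name(filename)
    if name not in FILES or OWNER[name] != customer:
        raise NotFound(name)
    return FILES[name]


def outcome(fn, *args):
    """Run fn and report either its result or the exception class name."""
    try:
        return fn(*args)
    except (Unauthorized, NotFound) as exc:
        return type(exc).__name__


# Constructed access-log lines: "<path> <status> <session-token-or-dash>".
SAMPLE_LOG = """\
/files/invoice-2015-03.pdf 200 -
/files/contract.pdf 200 tok-7
/static/app.css 200 -
/files/contract.pdf 200 -
"""


def unauthenticated_file_hits(log_text, prefix="/files/"):
    """Return paths under `prefix` served with 200 and no session token.
    Any hit here means the file endpoint behaves like a static asset."""
    hits = []
    for line in log_text.splitlines():
        path, status, token = line.split()
        if path.startswith(prefix) and status == "200" and token == "-":
            hits.append(path)
    return hits


if __name__ == "__main__":
    print(outcome(download_insecure, "contract.pdf"))          # served to anyone
    print(outcome(download_secure, "contract.pdf", None))      # Unauthorized
    print(outcome(download_secure, "contract.pdf", "tok-42"))  # NotFound
    print(outcome(download_secure, "contract.pdf", "tok-7"))   # served
    print(unauthenticated_file_hits(SAMPLE_LOG))
```

The important design point is the order of checks in `download_secure`: the session is verified before the name is even parsed, and ownership failures are indistinguishable from missing files. The log check is the quickest way for the vendor to confirm the exposure and to see how often it has been hit.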

Comments

  • Registered Users, Registered Users 2 Posts: 571 ✭✭✭hooplah


    You could write it up, tell the competitor and then after a set period of time publish the write up as a blogpost.

    Not telling them can potentially damage them and their clients, which isn't something you want to do.


  • Moderators, Music Moderators Posts: 2,163 Mod ✭✭✭✭Oink


    You've taken their client. You won. I know they're competition but surely you're not interested in seeing all these people (clients included) fall on their faces if it's not strictly necessary?

    I like what the previous poster said.


  • Registered Users, Registered Users 2 Posts: 860 ✭✭✭OwenM


    I discovered a similar hole in the website of a major Irish company about 15 months ago.

    My options, as I saw them then:

    1. Demand a reward in return for the vulnerability, or I go to the press and the data protection commissioner.
    2. Tell them and ask for a reward.

    The first option might have gotten their backs up and they might have gone legal, claiming extortion and I could have ended up being questioned by the police or defending a civil circuit / high court action. I am not a pen tester looking to build a reputation and the publicity could have been very negative for me, plus a relative was working for them in a fairly senior position and LinkedIn would have revealed this quite quickly. I ended up going for the second option and they did give me a nice piece of electronics along with their genuine thanks from the senior management team.

    A third option I didn't know about at the time was the existence of third party 'exploit brokers' who make the approach for you and demand a price for revealing the flaw - this would have shielded me from the publicity and I would be sorely tempted if put back in that position again. €10k would not have been unreasonable considering they would have probably paid more than this to a PR firm for damage limitation, let alone the lost business and damage to the brand.

    I was not working for a competitor so I didn't have that ethical consideration.

    Karma exists - I now work for them indirectly as a contractor sitting in one of their offices every day - they are unaware I am 'that guy' though, but imagine if I had gone for the first option.


  • Registered Users, Registered Users 2 Posts: 16,415 ✭✭✭✭Trojan


    Flip it... if you were on the other side of the table what approach would you want someone to take?


  • Registered Users, Registered Users 2 Posts: 1,717 ✭✭✭Raging_Ninja


    One of the things is that these guys have a not very good customer relations rep, and I'm not sure how they would react.

    I've considered going to the data protection commissioner, going to think a bit more.


  • Closed Accounts Posts: 7,967 ✭✭✭Synode


    An exploit broker sounds like a great idea


  • Moderators, Music Moderators Posts: 2,163 Mod ✭✭✭✭Oink


    Synode wrote: »
    An exploit broker sounds like a great idea

    Sounds more like a blackmail negotiator to me. If you have to spend days explaining it I could understand the need for compensation. If it's just a conversation I would take 10 min to honour the "Don't be a D1ck" principle.


  • Registered Users, Registered Users 2 Posts: 1,275 ✭✭✭bpmurray


    Of course you should tell them: why are you waiting? If their customer relations rep is a dick and acts like it, tell him thanks and that you'll be making it public immediately.


  • Closed Accounts Posts: 7,967 ✭✭✭Synode


    Oink wrote: »
    Sounds more like a blackmail negotiator to me. If you have to spend days explaining it I could understand the need for compensation. If it's just a conversation I would take 10 min to honour the "Don't be a D1ck" principle.

    True. However, if it's a big organisation that would gladly pay for this information, you'd be a fool to give it to them for free


  • Registered Users, Registered Users 2 Posts: 1,717 ✭✭✭Raging_Ninja


    Well I told the customer, let them figure out what to do.

