
Should I report web vulnerabilities to the company?

  • 03-11-2012 5:05am
    Registered Users Posts: 8


    I have managed to successfully SQL inject a website. The databases contained sensitive information about the owners and their customers, and plaintext passwords and usernames for connecting to their sub-sites were also retrieved.

    Should I report it to them?
    Will I get in trouble? :confused:

    Big Breach

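The flaw the original post describes, shown as an added example that is not part of the thread and not code from the site in question: a user lookup that pastes form input into the SQL text, the two payloads that turn it into an authentication bypass and a full credential dump, and the same lookup hardened with a bound parameter and salted PBKDF2 password hashes so that even a successful dump does not hand over reusable passwords. The `accounts` table, its two rows and the in-memory SQLite database are constructed for the example.

```python
"""SQL injection: a vulnerable lookup beside its hardened form (added example)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data (not from any real site): an accounts table that
# stores passwords in plaintext, the situation the original post describes.
SAMPLE_ACCOUNTS = [("owner", "Summer2012!"), ("customer1", "hunter2")]
ROUNDS = 200_000  # PBKDF2 iteration count used for both hashing and verifying


def make_plaintext_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the username is interpolated into the SQL string, so a quote
    inside it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM accounts WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened: a bound parameter is sent to the engine as data, never parsed."""
    sql = "SELECT username FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored alongside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_hashed_db():
    """Same accounts, but only salted hashes reach the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in SAMPLE_ACCOUNTS])
    return conn


def login_safe(conn, username, password):
    """Parameterised lookup plus constant-time hash comparison."""
    row = conn.execute("SELECT password_hash FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


# Payloads as an attacker would type them into the login form.
BYPASS = "' OR '1'='1"                                                   # matches every row
DUMP = "x' UNION SELECT username || ':' || password FROM accounts --"   # reads every credential

if __name__ == "__main__":
    db = make_plaintext_db()
    print(lookup_vulnerable(db, BYPASS))   # every username
    print(lookup_vulnerable(db, DUMP))     # username:password pairs
    print(lookup_safe(db, DUMP))           # [] - the payload is just a literal username
    hdb = make_hashed_db()
    print(login_safe(hdb, "owner", "Summer2012!"), login_safe(hdb, "owner", "wrong"))
```

SQLite's `execute()` runs a single statement, so a stacked `'; DROP TABLE accounts --` payload fails here where it would succeed on a driver that accepts multiple statements; that is a property of the driver, not a defence, and the fix is the bound parameter in `lookup_safe`, not reliance on the database refusing the second statement.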

Comments

  • Registered Users Posts: 10,339 ✭✭✭✭LoLth


    If you are concerned about getting into trouble, find a way to notify them anonymously, but you should definitely notify them. They might not deserve the attention, having a "leaky" website, but their customers haven't done anything wrong.

    As for getting into trouble, I would guess that depends on the company. Some will think "great, we've been warned by someone responsible"; others will think "we've been hacked! Make them pay so no one does it again".

    As long as you did not retain or distribute any copies of any data you found as a result of the successful SQL injection, you have a chance at playing the grey hat "I'm just trying to help" card.


  • Closed Accounts Posts: 407 ✭✭LLU


    Personally I'd be nervous about getting into trouble. Maybe I'm just cynical, but do be aware that this could be embarrassing to them and, rather than being grateful, they could do anything from shutting you up to using you as the scapegoat for their cock-ups. Especially given that you did SQL injection and got sight of sensitive data, even though it was well intentioned.

    Also I would report them to the data commissioners - www.dataprotection.ie . And keep myself anonymous there also.


  • Registered Users Posts: 8 VHS80s


    I've emailed them semi-anonymously... now waiting for the response!!


  • Registered Users Posts: 6,889 ✭✭✭tolosenc


    Yeah, have had friends who've been emailed back by legal departments about not having permission to hack their system, I'd deffo tell them, but be as anonymous as possible.

    SQL injection is horrendously amateur, though.


  • Registered Users Posts: 4,676 ✭✭✭Gavin


    Have a poke through the company employees on linkedin. You'll probably find a more appropriate person to contact than a generic abuse@ address. Probably best to do it anon too.


  • Registered Users Posts: 8 VHS80s


    Gavin wrote:
    Have a poke through the company employees on linkedin. You'll probably find a more appropriate person to contact than a generic abuse@ address. Probably best to do it anon too.

    The company is not listed on LinkedIn and I have not received an email from them; this is the 3rd day!
    I still have to use that web contact form on their site, can't find any
    someone@company.com email address anywhere!


  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    I would consider professional legal advice as you have mentioned passwords in plain text, which would suggest (do not confirm) you dumped the DB.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    You don't need professional legal advice, it'd be flushing money down the toilet; particularly in Ireland, where IT-savvy lawyers are as rare as hens' teeth.

    Just do your best to report it anonymously, and if that fails do as another user suggested and report it - again anonymously - to the data protection commissioner. They won't respond immediately but they /will/ respond.

    If all else fails, pick up a SIM card in Tesco and call, or send a letter. I know they're old-fashioned, but voice and post systems are still operational. :)


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    You could also try contacting their hosting provider...
    Again, anonymity would be the best idea...

    I wouldn't seek legal advice... that's going to cost you money, and you're potentially doing them a favour.


  • Registered Users Posts: 8,813 ✭✭✭BaconZombie


    Other option is to go to a net cafe, sign up for a new email account and send the info to the nearest thing to a CERT Ireland has.

    http://www.iriss.ie/iriss/contactus.htm


  • Registered Users Posts: 10,339 ✭✭✭✭LoLth


    I quite like that. An approach from a respected organisation is going to carry a lot more weight than an individual and also conforms with the whole idea of "responsible disclosure".


  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    I've had little thanks at times calling (generally on Data Protection issues) businesses to let them know of issues.

    Some people get awfully defensive.


  • Registered Users Posts: 1,771 ✭✭✭Dude111


    JimmyCrackCorn wrote:
    I would consider professional legal advice as you have mentioned passwords in plain text, which would suggest (do not confirm) you dumped the DB.

    If they check their logs couldn't they see what he did??

    I do think he should tell them of this though....

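On the question of what the site's own logs would show, an added example that is not part of the thread and does not come from any real site: a scanner over constructed Apache combined-format access-log lines that decodes each query parameter (including double-encoded payloads) and flags the usual injection indicators, among them the lone quote that produced a 500 on the first probe. The addresses, paths and timestamps are made up, the indicator patterns are deliberately narrow, and the last log line carries a legitimate apostrophe that must not be flagged.

```python
"""SQL injection indicators in web access logs (added example)."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines (Apache combined format; hosts, paths and times
# are invented): a normal request, a quote probe that errors, a tautology,
# a UNION dump, and an innocent search term containing an apostrophe.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2012:04:51:02 +0000] "GET /products.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2012:04:51:40 +0000] "GET /products.php?id=42%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2012:04:52:15 +0000] "GET /products.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2012:04:53:30 +0000] "GET /products.php?id=-1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 7430 "-" "Mozilla/5.0"
198.51.100.2 - - [03/Nov/2012:05:01:00 +0000] "GET /search.php?q=o%27reilly HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, applied to each fully decoded parameter value.
PATTERNS = [
    ("union-select", re.compile(r"\bunion\b[\s\S]{0,30}?\bselect\b", re.I)),
    ("tautology", re.compile(r"'\s*(or|and)\s+\S*?\s*=", re.I)),
    ("comment", re.compile(r"--\s*$|/\*")),
]


def decode_fully(value, limit=3):
    """Undo percent-encoding repeatedly so double-encoded payloads surface."""
    for _ in range(limit):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def indicators_for(target, status):
    """Return the injection indicators found in one request target."""
    found = []
    query = urlsplit(target).query
    for _name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        for label, pattern in PATTERNS:
            if pattern.search(value) and label not in found:
                found.append(label)
        # A lone quote that provoked a server error is the classic first probe.
        if value.count("'") % 2 == 1 and status >= 500 and "quote-then-error" not in found:
            found.append("quote-then-error")
    return found


def scan_log(text):
    """One finding per suspicious line: who, when, what was sent, and why it was flagged."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits = indicators_for(m["target"], int(m["status"]))
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "target": decode_fully(m["target"]),
                             "indicators": hits})
    return findings


def by_source(findings):
    """Indicator counts per client address, to see who was probing."""
    summary = {}
    for f in findings:
        summary[f["ip"]] = summary.get(f["ip"], 0) + len(f["indicators"])
    return summary


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["ip"], f["indicators"], f["target"])
    print(by_source(hits))
```

Access logs only record the request line, so payloads sent in a POST body are invisible here; the database error log and the application's own error reporting are the other places such a probe leaves traces. The patterns are written narrow on purpose: broad keyword matching on "select" or a single quote would flag ordinary search terms like the last sample line.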

  • Registered Users Posts: 14 BrianHonan


    Folks

    Firstly, testing the security of a web site or system that you do not have explicit permission from the owner to test can land you in deep trouble under Irish law (e.g. unauthorised access under the Criminal Damages Act 1991 http://www.irishstatutebook.ie/1991/en/act/pub/0031/index.html ). So unless you own the system or have explicit permission from the owner of the site, ideally in writing, you could be inviting a lot of trouble on yourself.

    From time to time IRISSCERT has tried to notify organisations of security issues on behalf of others. Note though that we cannot guarantee any type of response from the organisation apart from simply notifying them.

    Also, while we will aim to keep the source anonymous if requested, with appropriate legal documentation, e.g. a warrant, we will be obliged to hand over any information we have should the website owner decide to treat the issue as a security breach and report it to the Gardai.


  • Registered Users Posts: 2,100 ✭✭✭ectoraige


    Whatever you do, be extremely careful not to make any communication that could in any way be construed to mean that you expect any form of thanks from the company. Any hint of extortion/blackmail would not go well.

    If you're not having any response from the company, I'd second contacting the data protection commissioner's office.

