Ask HN: How do I inform an organisation of a security issue on their website?
So the other day I came across a website that doesn't use any kind of security on their online form in which people are entering financial information along with their own personal information.
I've tried to email this organisation and even call them to inform them of the error but have come up against a brick wall in both cases.
The thing is, this organisation has inherent trust from the community and people will enter this information freely because of this trust. Even their privacy policy on their site states that they will secure the information but they obviously aren't.
Any ideas on what I could do? I'd rather not just leave it alone.
12 comments
[ 2.7 ms ] story [ 43.8 ms ] threadHopefully it will come to someone's attention.
The error was on the Financial Ombudsman website in Australia in their online dispute form. The reason why this concerned me was that some of the information they need to collect included things like bank account numbers - so having this information sent insecurely to the Ombudsman was (imho) a big no-no.
I guess I finally managed to get through to someone who can fix it after I sent emails directly to the chief Financial Ombudsmen explaining exactly why it was an issue, with screenshots showing exactly where the problems were (I highlighted the appropriate parts) and an example explaining exactly how someone could use this information to engineer someone's account passwords out of them easily.
Thankfully its all fixed now.
You already know that they have very little expertise when it comes to security, are you sure that you can explain to them whats wrong without sounding to them like an evil hacker who broke into their interwebs?
The thing is, its not even an issue that's difficult to fix and its not as if I broke anything, the security hole is blatantly obvious.
Basically, the offending form doesn't use SSL or any kind of encryption when people send in private information, which does include sensitive financial information amongst other things.
Given the level of information they require, anyone intercepting that info could easily social engineer things like passwords out of that person, which is why I'm worried about it.
Ah well, at least I tried...
If you're really serious you could contact your local information privacy directorate (in the UK this would be the Information Commissioner's Office - I don't know who it is for the US) and ask them to investigate.
But the response was merely a "Thanks for letting us know. We'll look into it". It's been over a year but it's still there.