Ask HN: How do I inform an organisation of a security issue on their website?

5 points by froo ↗ HN
So the other day I came across a website that doesn't use any kind of security on their online form in which people are entering financial information along with their own personal information.

I've tried to email this organisation and even call them to inform them of the error but have come up against a brick wall in both cases.

The thing is, this organisation has inherent trust from the community and people will enter this information freely because of this trust. Even their privacy policy on their site states that they will secure the information but they obviously aren't.

Any ideas on what I could do? I'd rather not just leave it alone.

12 comments

[ 2.7 ms ] story [ 43.8 ms ] thread
Did you email webmaster or postmaster @domain.com? What contact info is listed in their whois?
I did try, the whois information doesn't come up with anything useful and a search for the name in question doesn't return any useful information
Sounds like you've certainly made an effort to contact them. My only other suggestion would be to contact their hosting company's support department and let them know there is a security issue with one of their clients' sites and you haven't been able to reach the site's owners.
Someone posted a great link to an article at the consumerist. I've managed to guess their email naming convention using a google search, so have sent off a detailed email of the problem to their executives trying to "dumb it down" as much as possible by including screenshots and a basic outline of a social engineering strategy (including a nightmare outcome) that might occur as a result of their oversight.

Hopefully it will come to someone's attention.

Let us know how it turns out.
Well now that they've fixed it, I guess I can say where I saw the error.

The error was on the Financial Ombudsman website in Australia in their online dispute form. The reason why this concerned me was that some of the information they need to collect included things like bank account numbers - so having this information sent insecurely to the Ombudsman was (imho) a big no-no.

I guess I finally managed to get through to someone who can fix it after I sent emails directly to the chief Financial Ombudsmen explaining exactly why it was an issue, with screenshots showing exactly where the problems were (I highlighted the appropriate parts) and an example explaining exactly how someone could use this information to engineer someone's account passwords out of them easily.

Thankfully its all fixed now.

You really should just leave it alone. Unless you have a personal stake in seeing this fixed, there's just way too much "shoot the messenger" going on these days to do this safely. You don't have to be web-batman. (Not that there's anything wrong with that, if that's your thing. Just remember how often people thought batman was the bad guy.)

You already know that they have very little expertise when it comes to security, are you sure that you can explain to them whats wrong without sounding to them like an evil hacker who broke into their interwebs?

Web-Batman - I like that.

The thing is, its not even an issue that's difficult to fix and its not as if I broke anything, the security hole is blatantly obvious.

Basically, the offending form doesn't use SSL or any kind of encryption when people send in private information, which does include sensitive financial information amongst other things.

Given the level of information they require, anyone intercepting that info could easily social engineer things like passwords out of that person, which is why I'm worried about it.

Ah well, at least I tried...

I'd keep trying to contact them then look at walking away. An SSL-related issue like that is not something you're going to get accused of hacking for reporting.

If you're really serious you could contact your local information privacy directorate (in the UK this would be the Information Commissioner's Office - I don't know who it is for the US) and ask them to investigate.

Create an anonymous email account and launch an EECB (http://consumerist.com/2007/05/how-to-launch-an-executive-em...). If their tech staff isn't listening, maybe you can scare the upper level management to. Just be very, very anonymous with it-- a lot of companies seem to like the "cover our eyes and sue the guy who found it" approach to security holes.
That's an excellent link thanks. I've managed to come up with their email naming scheme and am going to send off some emails soon.
I tried reporting a high risk to a popular local shopping website. Infact, I also offered to fix it for them.

But the response was merely a "Thanks for letting us know. We'll look into it". It's been over a year but it's still there.