Ask HN: Found security flaw in site, what should I do?
I found an obvious security flaw in the site of a regional business that serves 10's of thousands of customers a month - think a hotel room or airline ticket. Just change the sequential transaction id in the URL and you can see all the details of any transaction (with the exception of credit card number) for the past year. Even worse you can change any reservation before it is used.
What should I do? Is there a standard protocol about notifying the company before going public? Is there a group who I can report the flaw to who will notify the company? I am not any kind of security researcher and don't want to get accused of hacking
15 comments
[ 3.6 ms ] story [ 35.9 ms ] threadIf you're concerned that the company may misunderstand your intent and take some legal action against you, may be you could send an anonymous e-mail...
This opinion comes from reading this Chris Shifflet's article: http://shiflett.org/blog/2007/mar/my-amazon-anniversary "On this day last year, I informed Amazon about a pretty serious vulnerability and demonstrated it with a few examples and a detailed description. In the description, I explained how to exploit the infamous "1-Click" feature, causing victims to purchase items of my choosing without their knowledge or consent, and I stressed that the scope of the problem extended beyond my benign examples. After some mild prodding, I finally received a reply letting me know that my email had been received, the vulnerability had been verified, and Amazon considered fixing it a top priority.""
Generally speaking, as long as you didn't do any more than was necessary to confirm that the issue existed, you're not likely to be accused of wrongdoing; working with/via someone who is recognized in the field would diminish this possibility even further, since "hey, you guys are evil" tends to be defeated very quickly by "this guy has handled lots of issues like this and nobody has ever accused him of wanting anything more than to get the issues fixed".
Just be very careful to make sure that you don't ask for money in any way (including asking them to hire you as a consultant). The best of motives can be very quickly misconstrued when the word "blackmail" comes up.
Dear <company> website team,
I am a security consultant for <my new company I made 10 seconds ago>.
While casually visiting your site, I recently found a severe security bug that not only leaks private information, but has the potential to alter a user's reservations.
Please contact me as soon as possible so I can let your technical team know about the problem (no charge, of course).
Thanks,
Me Security Consultant, <new company> <phone #>
Might as well try to get some business out of it ;-)
When you make strong statements, other people often have a tendency to react strongly and defensively. I assume that the person at the other end is both competent and concerned - give them all benefits of the doubt.
If you find that isn't the case, then, and only then, you can email them and use the word "security" and talk about going public after n weeks, etc.
(I am not a lawyer.)
I've also sent another email to a small online belt buckle shop to notify them of the insecure way they were setting up Paypal on their site (again, the steps to reproduce the problem and steps to fix it). The owner emailed me back to thanked me as well as taking care of the order personally. You know, most people are just happy that you are giving them some help. Being in the hacking community, I would imagine that everyone is the same here--most of us are (overly) helpful individuals. It's in our genes. So don't fight it and do the nice thing of sending them the steps to reproduce the problem and ways you can fix it. If you feel that you should protect your anonymity, do it. But do notify them :)
If one of these days, when I make an obvious security problem, I would hope, that one of us here would shoot me an email so I can fix it immediately. And I will promise to do the same.