Ask HN: Screen scraper's server is fully open
Because I like to look at logs fairly regularly, their new IP address gave me concern so I did a quick lookup and port scan. They happen to have open FTP access with anonymous login enabled.
What's worse is that their whole C: drive (Windows server) is viewable through the exposed FTP (apart from user directories) and from a quick glance, their application code which does the screen scraping is visible to anyone.
This code also includes config files (connection strings to DB, etc.) and of course the code which screen scrapes our site and many others.
What do we do? Contacting them and then being accused of server breach etc is not my idea of the foreseeable future and everything that comes with it.
There is an unfortunate tendency, especially here in the litigation happy US, to pursue the person who does the right thing by warning of possible security issues. I don't want to join that list.
In terms of their own security issues, this might be an issue and keeping quiet will protect our interests at least.
What would you do?
4 comments
[ 2.5 ms ] story [ 17.9 ms ] threadThen we would be at risk since I assume that's where they store our user credentials needed to login to our website backend and make updates. Although, that will be least of our worries since we can simply reset the username/passwords that have accessed out sites since we have activity logs.
As they're accessing your system you can probably safely say you always do a security check on hosts connecting to your system to ensure there aren't problems. In this instance it showed that they have an open FTP server.
If they fail to meet the security measures, block they're IP.
If your data is that sensitive and you don't want it to get into other companies hands, it's a reasonable request.
Just because they're a "big" company, doesn't mean IT is properly staffed. They may have 1 poor guy managing everything and it might have been a (albeit big) oversight.