

Ask HN: Screen scraper's server is fully open - adnans

This company (call them ACME), who happen to be fairly big in the industry, screen scrapes our website backend (our users give them access) and updates data into our DB quite regularly. They're the most active IP address in our logs.

Because I like to look at logs fairly regularly, their new IP address gave me concern so I did a quick lookup and port scan. They happen to have open FTP access with anonymous login enabled.

What's worse is that their whole C: drive (Windows server) is viewable through the exposed FTP (apart from user directories) and, from a quick glance, their application code which does the screen scraping is visible to anyone.

This code also includes config files (connection strings to DB, etc.) and of course the code which screen scrapes our site and many others.

What do we do? Contacting them and then being accused of a server breach etc. is not my idea of the foreseeable future and everything that comes with it.

There is an unfortunate tendency, especially here in the litigation-happy US, to pursue the person who does the right thing by warning of possible security issues. I don't want to join that list.

In terms of their own security issues, this might be an issue and keeping quiet will protect our interests at least.

What would you do?
======
lsiunsuex
Produce (if you don't already have one) a list of security measures companies
that interact with your data must have in place. Send it to them, giving them
a reasonable amount of time to implement the security (say, 2 weeks?)

If they fail to meet the security measures, block their IP.

If your data is that sensitive and you don't want it to get into other
companies hands, it's a reasonable request.

Just because they're a "big" company, doesn't mean IT is properly staffed.
They may have 1 poor guy managing everything and it might have been an (albeit
big) oversight.

------
classicsnoot
I am not at all versed in anything you have mentioned, but i'd like to ask: is
your team/company/property at risk in any way or are you purely a spectator?

~~~
adnans
At the moment, spectator. But if someone else stumbles upon this server and
has other motives, they could dig further and gain access to the DB files.

Then we would be at risk since I assume that's where they store our user
credentials needed to log in to our website backend and make updates. Although,
that will be the least of our worries since we can simply reset the
usernames/passwords that have accessed our sites since we have activity logs.
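Working out which backend accounts the scraper's hosts have actually logged in as, so exactly those credentials can be reset, is the kind of activity-log check the reply above leans on. This is an added example, not code from the thread; the log format, the field layout and the IP addresses are constructed, and the regex would need adapting to a real backend's log.

```python
import re
from collections import defaultdict

# Constructed sample of a web backend's authentication log (not real data):
# timestamp, client IP, event, account.
SAMPLE_LOG = """\
2012-03-01T08:00:01Z 203.0.113.10 LOGIN_OK alice@example.com
2012-03-01T08:00:05Z 203.0.113.10 LOGIN_OK bob@example.com
2012-03-01T08:01:12Z 198.51.100.7 LOGIN_OK carol@example.com
2012-03-01T08:02:40Z 203.0.113.10 LOGIN_FAIL dave@example.com
2012-03-01T09:15:00Z 203.0.113.11 LOGIN_OK erin@example.com
2012-03-01T09:20:00Z 198.51.100.7 LOGIN_OK alice@example.com
"""

# Matches the constructed format above; adjust for your own log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<event>LOGIN_OK|LOGIN_FAIL)\s+(?P<user>\S+)$"
)


def accounts_used_from(log_text, scraper_ips):
    """Map each account to the sorted timestamps of its successful logins
    from any of the given IPs. Failed attempts are ignored: only credentials
    that actually worked from those hosts are at risk of being stored there."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "LOGIN_OK":
            continue
        if m["ip"] in scraper_ips:
            hits[m["user"]].append(m["ts"])
    return {user: sorted(ts) for user, ts in hits.items()}


def reset_list(log_text, scraper_ips):
    """Accounts to force a credential reset on, sorted for an operator."""
    return sorted(accounts_used_from(log_text, scraper_ips))


if __name__ == "__main__":
    # Placeholder values standing in for the scraper's old and new addresses.
    ips = {"203.0.113.10", "203.0.113.11"}
    for user, times in accounts_used_from(SAMPLE_LOG, ips).items():
        print(f"{user}: {len(times)} login(s) from scraper IPs, first {times[0]}")
    print("force reset:", reset_list(SAMPLE_LOG, ips))
```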

~~~
invoke
If there's a potential risk that someone could gain access to your system by
breaching theirs then I would raise it with them immediately.

As they're accessing your system you can probably safely say you always do a
security check on hosts connecting to your system to ensure there aren't
problems. In this instance it showed that they have an open FTP server.

