
Ask HN: Maybe found huge security problem, unsure what to do - sah88
Let me just start off saying I'm 100% amateur and I don't really know that much so I could be all wrong.

I was browsing the website and got redirected to a random URL. Tracing the requests back I found that the redirect was caused by improperly sanitized HTML. The exploit more or less gives you an iframe worth of functionality. This allows for very sophisticated phishing.

Firefox is not vulnerable to this (you might be able to guess what the vuln is from that).

Now this actually pales in comparison to the 2nd exploit I found. I'm significantly less sure this works but I'm still pretty sure it will. I have only tested it out on the preview mode and not published.

The preview mode DOES sanitize (hits their server and comes back, basic stuff like <script> gets cleaned up). It just doesn't do a very good job at it. Now, they could have 2 different checks, one being more secure when publishing, but this seems unlikely. I'm not really familiar with the applicable laws so I'm not willing to actually publish an attack to test.

The 2nd exploit allows me pretty much free rein on their page. More or less it lets you execute whatever JavaScript you want.

I have sent the company 2x messages through a form they have for reporting security vulnerabilities. However I'm not even sure that they got through as I never received a confirmation email (it said one would be sent).

I tried calling as well but I just discovered it last night and I haven't gotten through to anyone who knows anything.

My conundrum is this is an EXTREMELY popular website. Top 100 on Alexa, 30bn+ market cap. If this vulnerability is actually real I'm not sure I'm comfortable sitting on the information for a prolonged period of time considering how easy it would be to exploit.

In the meantime I'm going to continue to try and contact the company but I'm not really sure what my next steps should be otherwise.
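The OP describes a server-side filter that strips <script> but still lets an iframe (and so a redirect) through. As an added example, not code from the thread or from the site in question, here is that blocklist approach beside an allowlist sanitizer built on Python's html.parser, run over a constructed listing snippet; the allowed tag and attribute names and the sample input are my own choices.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample listing text: markup a seller could submit, carrying a
# script tag plus an iframe that would redirect or phish whoever views it.
SAMPLE = ('<b>Great item</b> <script>alert(1)</script>'
          '<iframe src="https://evil.example/redirect">fallback</iframe>'
          '<a href="https://shop.example/item">details</a>')


def blocklist_sanitize(html: str) -> str:
    """The 'basic stuff like <script> gets cleaned up' approach: remove one
    known-bad tag and pass everything else through untouched."""
    return re.sub(r'<script\b[^>]*>.*?</script>', '', html, flags=re.I | re.S)


# Allowlist: only these tags survive; only these attributes survive on them;
# hrefs must use a known-safe scheme or a site-relative path.
ALLOWED_TAGS = {'b', 'i', 'p', 'br', 'ul', 'li', 'a'}
ALLOWED_ATTRS = {'a': {'href'}}
SAFE_HREF_PREFIXES = ('http://', 'https://', '/')
# Tags whose *content* is dropped too, not just the tag itself.
CONTENT_DROP = {'script', 'style', 'iframe', 'object', 'embed', 'svg'}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:                      # inside dropped content
            self.skip_depth += tag in CONTENT_DROP
            return
        if tag in CONTENT_DROP:
            self.dropped.append(tag)             # log this: a detection signal
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)             # unknown tag: keep text only
            return
        kept = ''
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == 'href' and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f'<{tag}{kept}>')

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in CONTENT_DROP
        elif tag in ALLOWED_TAGS and tag != 'br':
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))        # text is always re-escaped


def allowlist_sanitize(html: str):
    """Return (clean_html, list_of_dropped_tags)."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return ''.join(p.out), p.dropped
```

Running the allowlist output through the sanitizer a second time should return it unchanged; a sanitizer that is not a fixed point on its own output is a sign the parser and the serializer disagree.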
======
rwallace
With all due respect, most of the replies here are missing the most important
point.

Does the company have a bug bounty policy?

No?

Then _keep your mouth shut and get on with your life_.

A significant percentage of people in power will react to unsolicited warnings
of security vulnerabilities by attacking you as though you were their enemy.
Worse, the law is at least not clearly on your side. This is not theoretical:
people have come to significant harm in this way. Being a hero is great. Being
a martyr? Not so much. You don't want next week's top HN story to be an appeal
for donations to the legal defense fund of sah88.

~~~
sharpneli
This cannot be emphasized enough.

Just keep your mouth shut or you will quite likely be sued. The only thing you
should do is simply not just trust that particular company with your data
anymore.

If the risk to public good is great enough and the bug simply must be revealed
then it should be done anonymously and with full disclosure. Contacting the
company will only give your address to them.

~~~
smoe
How about passing the information to someone like the EFF and let them inform
the owners?

The OP said he used a form for reporting security vulnerabilities on the site.
Does he still have to be afraid to get sued in such a case?

~~~
droopyEyelids
The EFF exists to influence court cases that are likely to set a precedent.

They are not a general 'help everyone' organization for people who get into
technological legal trouble- the closest they come is having a list of law
firms they refer uninteresting legal business to.

~~~
smoe
That's why I wrote "like the EFF". I figured, when you live in a country where
you actually can get sued for things like that, there must/should be an
organisation or site one can use as a middleman. I wasn't aware of CERT.

I'm still wondering if it has any legal influence in the US when a site
provides a form for reporting vulnerabilities.

------
jcr
When it comes to vulnerability reporting and/or disclosure, there are two
schools of thought; "responsible disclosure" and "full disclosure".
Unfortunately, what "full disclosure" and "responsible disclosure" actually
mean can vary a whole lot. For example, some define "full disclosure" as
immediately publishing/disclosing the vulnerability and/or with working
exploit code, but more level-headed folks define "full disclosure" as trying
to contact the vendor and giving them at least 5 days to respond before
publicly disclosing any information [1].

The safe and sane approach is to contact CERT [3,4] through their
vulnerability reporting page [5] and let them contact the vendor. If you're
curious, the CERT disclosure policy is good reading [6].

[1] [http://www.wiretrip.net/p/libwhisker.html](http://www.wiretrip.net/p/libwhisker.html)

[2] [http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm](http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm)

[3] [https://www.us-cert.gov](https://www.us-cert.gov)

[4] [https://www.cert.org](https://www.cert.org)

[5] [http://www.kb.cert.org/vuls/html/report-a-vulnerability/](http://www.kb.cert.org/vuls/html/report-a-vulnerability/)

[6] [https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm](https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm)

~~~
sah88
Thank you so much for this. (xpto123 as well).

I tried calling but just got bounced around and I'm not sure anyone actually
understood/cared. I've got a nice early season cold going so not really
interested in sitting on the phone for hours so I've given up on that.

I'm going to email blast as many of the emails I can get and if I don't hear
anything back from them by Monday I'll pass it onto CERT.

~~~
ams6110
1) Be careful, people who submit proof-of-concept exploits to websites have
been arrested for circumventing digital security measures.

2) It's HIGHLY unlikely that you are the first person to discover this,
especially if it's a top 100 site. Those sites are constantly probed by
attackers looking for exploits precisely because they are so valuable.
Something like XSS due to unsanitized input would be found quickly as there
are automated tools that do exactly that. Just report it to CERT, as
suggested.

3) You may have hit a honeypot.

~~~
shangxiao
A couple of years ago in Australia a security consultant noticed that
firststatesuper.com.au had a gaping security hole in that he could manually
change an ID in the URL and gain access to other users' account information.

He kindly notified First State like any good samaritan, and so what do First
State do in return? Disable his account, report the "offence" to the police,
demand that their IT dept examine his computer, demanded that he sign a letter
to admit liability and threaten to pursue any costs related to the matter.

Luckily the Police had more common sense, realised what had actually happened
and decided not to take any action.

Reference: [http://www.theage.com.au/technology/security/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html](http://www.theage.com.au/technology/security/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html)

~~~
joshschreuder
The same thing happened this year with a teenager who found a SQL injection in
the Victorian public transport website:
[http://www.pcworld.idg.com.au/article/549362/australian_teen...](http://www.pcworld.idg.com.au/article/549362/australian_teen_accepts_police_caution_avoid_hacking_charge/)

He disclosed to the organisation who then set the police onto him. Luckily he
got off with a warning from police, but that's after having equipment seized
etc.

------
xpto123
Look on LinkedIn for people working in security for that company, and invite
them to connect. In the connection message state the problem directly.

Do this with technical people, but also with IT managers from the company, and
it's worth sending it to the CEO.

Explain what the risks are (is it persistent XSS visible to other users in a
forum, etc.).

These things are only important until some manager says they are important, so
try to explain the business and public image risk of the exploit to a high
level manager via LinkedIn in non-technical terms, ideally with a demo. If
they forward the email to the IT department I bet that then they would act.

Last case, if responsible disclosure doesn't work after 3/6 months: public
disclosure via some news site. All of a sudden it gets fixed in two days, and
the end users end up being better off in the long term.

Unpatched exploits that stay there for years are the bread and butter of
hackers, and the short term risk introduced by the public disclosure is
compensated by the fact the users get protected in the end.

------
tlb
BTW, the Hacker News team is super-duper grateful to people who report
security bugs. Report directly to hn@ycombinator.com.

------
lucb1e
I'd anonymously email and tell them they had 7 days to acknowledge having
received your message. After that they get a month or maybe two to fix it.
Then public disclosure. All anonymous over Tor, because you can always attach
your name later but you cannot remove it if you already gave it.

Or if they don't respond at all, immediate public disclosure. If that's how
they want to play the game, then let's play.

Be wary if they ask for your name straight away because companies have been
known to sue.

------
jmount
Security bugs are just bugs. Use your own judgement on reporting. And do not
make the mistake of violating the law in attempting to test on remote systems
(that you may have limited access rights to).

"So I personally consider security bugs to be just "normal bugs". I don't
cover them up, but I also don't have any reason what-so-ever to think it's a
good idea to track them and announce them as something special."

Linus Torvalds Tue, 15 Jul 2008

------
tzs
You reported it through their security bug reporting form, twice. That's
sufficient for now. There are two reasons they may not have acknowledged it.

1. You haven't given them enough time to acknowledge it.

2. They are not acknowledging it to limit their liability. Suppose a black
hat subsequently finds it and uses it to cause harm, and a victim sues. The
acknowledgement to you could be used as proof that they knew about the bug
before it was exploited.

You've done all you should do for now. You should now wait long enough for
them to fix it. Take into account that there may be complications you are
unaware of due to how their backend works, or due to how their development and
testing is done, or how their bureaucracy works, so be generous.

Then check to see if the problem is still there. If it is, then go public
anonymously, with just the technical details. Leave out the history of
attempting to contact them (it could compromise your anonymity).

~~~
sah88
In 95% of cases I wouldn't have even posted this. The company is huge though
and they do a lot of transactions like ALOT ALOT. The amount of information
that could be exposed is a lot higher than your average website.

My problem is really the company should probably have 24/7/365 security
support standing by given the industry. I sent in two reports but I never got
a confirmation email for either. The original item(to emphasize I never
published anything on the site, this item was posted by another user and I was
actually interested in purchasing it until I got redirected) which I have
reported by phone and by form is still up on their site redirecting users.
This one redirect doesn't actually appear malicious though but I have no way
of telling how many other items are affected. At some point I feel there is a
moral obligation for me to disclose the information which leads me to my
second problem.

I have no fucking idea if I'm just overly worried (judging by the comments it
would seem so) about the vulnerability. I also have no real idea of how
serious it is. But it seems to me that even if a fraction of a fraction of
transactions are affected it would still amount to a large amount of stolen
information.

What I would really like is for them to email me back and say either "Oh wow
yeah thanks for catching that" or "God damn you dumbass, no that's not
actually a problem because xyz"

~~~
tzs
It's always fun to learn the first time how little some big organizations care
about security.

I received an offer about 10 years ago, on a Friday evening, to sell me 100k
stolen credit cards, and was given a sample of 10k stolen credit cards to show
they were serious. I did some checking and determined that samples seemed
real.

I called the FBI to report this. They were not interested, and suggested I try
the Secret Service. I did, and they were not interested.

I tried a couple major credit card companies. One was not interested. One gave
me an email address to forward the sample list and the full list offer to and
said someone would look at it Monday morning.

------
custardcream
Always conduct business like this anonymously. Public WiFi, separate browser,
pastebin, free email provider, public forum.

Give them 28 days, then pastebin it and stick on reddit.

But now you can't do a thing because they know who you are and will sue you so
forget about it and stop using their products.

------
seanieb
There's some great advice here. I'd like to add to it from the perspective of
the people at the large internet service receiving the disclosure.

Every day they possibly get hundreds of emails to their security@ email
address. The vast majority of it breaks down into categories of spam and
support requests. Then when you have removed that you are left with a pile of
"security disclosures", the vast majority of which are a very poor standard,
or generated by some sort of scanner software that's returning garbage
results.

After this gets filtered the remainder are legitimate issues that need to be
investigated. Bear in mind you might not get one of these for weeks and weeks,
but you still have to filter the other hundreds of emails.

For all but the largest internet companies (think Apple and Google), they
can't afford to tend to this filtering process 24/7. So this happens Mon-Fri
during business hours, and if it's a legitimate report it will make its way to
a security engineer.

So, what am I getting at? You've taken the right steps to report this. What
you have described sounds like a vulnerability; who knows how long it's been
there. Given that and the nature of the vulnerability, the likelihood of this
being exploited over the coming days sounds low. So we don't have to go to
DEFCON 5 just yet. Don't expect companies to react to these reports within
hours or over the weekend; there's just too much noise to make this sort of
thing feasible. Please give the company a chance to do their thing; this could
take a business day or two just to get acknowledged, and another couple of
days to patch (depending on the technical difficulty).

By the way, this pretty much outlines the value proposition of the Hacker
One service [1] and why companies should use them. As bug bounties become more
popular, the long tail of garbage security reports will increase and so will
the overhead cost to run one of these programs effectively (quick response
times, qualified engineers triaging the inbound queue, etc.).

[1] [https://hackerone.com/](https://hackerone.com/)

------
bradb3030
I don't know if the timing applies here, but if you started notification on
Friday night... be patient and wait for a business day.

------
erikb
At every IT company I ever worked at, or where friends of mine worked, there
were huge security holes. The common thinking of management is, though, that
it's under control. Exposing these holes publicly results in getting fired or
maybe even getting sued (because usually job contracts prohibit you from doing
something that "harms" the company or its image). I don't think there is much
that can be done about it. I certainly wouldn't risk my job and decrease the
chance to get a job from other companies, knowing that for all that I could
only free the world from one security bug, when a million new ones are created
daily.

~~~
sah88
To be clear I don't work for the company. I just happened across it while on
their website. More or less I got suspiciously redirected from one of their
listings and I started digging from there.

------
batram
In cases like this I adopted a best effort policy, look for contact
information on the site and via google ("company-name security"). If I find a
(simple and quick) way to contact the company I send them a simple report. If
there is no way or no easy way to contact them, I am done and they get
nothing.

You stated that you sent them two messages via a form dedicated to reporting
security vulnerabilities and even tried to call them. I think you have done
more than enough and can relax and wait. (Don't bombard them with too many
emails.)

Some in these comments say that you might get sued. As long as you don't
publish or threaten to publish the vulnerability, I don't see that happening
(but then again IANAL).

It is always exciting when you find (your first) vulnerabilities on "high
value" targets, but at the end of the day a layman might not realize that most
of the websites, even in the Top 100 on Alexa, have some security problems.

If you personally use the site and fear for your security, you may want to try
a bit harder. For example I have tried multiple times to let my bank know
about a vulnerability, but never got a satisfactory answer.

------
elwell
Similar to this, I recently found out I could put an iframe in the Dreamhost
admin panel if I put it as a TXT record for a domain. It screws up the page,
but I'm not sure I can get it to actually load the iframe; it seems to do a
half-job of sanitizing the input. I pulled up the online chat feature and told
them about the problem; I don't know if they did anything yet.

------
borski
Everyone here seems to be saying "oh god, don't do it, CFAA!"

Respectfully, this sort of fear is what holds the Internet back. You are
incredibly unlikely to get sued unless: you are threatening to disclose
publicly, you intentionally stole data from the site and are storing it now,
you threaten to sell said stolen data to a journalist or anyone else, etc.

It costs companies, generally, a lot of money to sue someone. They aren't
interested in doing it unless you seriously piss them off or actually cause
their business/revenue harm.

If you are not weev, trolling them publicly and saying you'll sell their data,
you can likely disclose and be fine. Just be nice about it.

By being nice, I have disclosed hundreds of vulnerabilities over the years, in
this manner. Sometimes they even let me write a blog post about it afterward.

If you want, email me and we can discuss in more detail. Email is in my
profile.

tl;dr: find someone to contact via LinkedIn or email (CISO or CTO usually
works well), be incredibly nice and non-threatening about it, and you'll be
fine.

~~~
raquo
This kind of _law_ is what holds the internet back. Why should I risk
bankruptcy, litigation and imprisonment over some intern forgetting to
sanitize HTML? Like that never happened before on the internet.

I'm a kind person, but my #1 obligation is to my family, not random internet
website users.

The Internet cannot ever be risk free. You post data online, you can expect a
low probability of it getting lost / stolen. You're fine with that, because
most data is actually not that private, and because you somehow benefit from
posting it online.

Security vulnerability reporting _must_ be risk free, because it's possible
for it to be. You just need a proper law.

------
stefan_kendall3
Just move along and don't use the website. The computer fraud and abuse act is
not a joke.

------
zuck9
Once you get the bugs fixed, kill the curiosity and disclose the website name.
They aren't running their program on BugCrowd or HackerOne, are they?

