Ask HN: How do I inform an organisation of a security issue on their website? - froo

So the other day I came across a website that doesn't use any kind of security on their online form in which people are entering financial information along with their own personal information.

I've tried to email this organisation and even call them to inform them of the error but have come up against a brick wall in both cases.

The thing is, this organisation has inherent trust from the community and people will enter this information freely because of this trust. Even their privacy policy on their site states that they will secure the information but they obviously aren't.

Any ideas on what I could do? I'd rather not just leave it alone.
======
pseudonym
Create an anonymous email account and launch an EECB
([http://consumerist.com/2007/05/how-to-launch-an-executive-email-carpet-bomb.html](http://consumerist.com/2007/05/how-to-launch-an-executive-email-carpet-bomb.html)).
If their tech staff isn't listening, maybe you can scare the
upper-level management too. Just be very, very anonymous with it; a lot of
companies seem to like the "cover our eyes and sue the guy who found it"
approach to security holes.

~~~
froo
That's an excellent link, thanks. I've managed to come up with their email
naming scheme and am going to send off some emails soon.

------
noonespecial
You really should just leave it alone. Unless you have a personal stake in
seeing this fixed, there's just way too much "shoot the messenger" going on
these days to do this safely. You don't have to be web-Batman. (Not that
there's anything wrong with that, if that's your thing. Just remember how
often people thought Batman was the bad guy.)

You already know that they have very little expertise when it comes to
security; are you sure that you can explain to them what's wrong without
sounding to them like an evil hacker who broke into their interwebs?

~~~
froo
Web-Batman - I like that.

The thing is, it's not even an issue that's difficult to fix, and it's not as if
I broke anything; the security hole is blatantly obvious.

Basically, the offending form doesn't use SSL or any kind of encryption when
people send in private information, which does include sensitive financial
information amongst other things.

Given the level of information they require, anyone intercepting that info
could easily social engineer things like passwords out of that person, which
is why I'm worried about it.

Ah well, at least I tried...
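
The check described in this post, as an added example (not code from the thread): parse a page's HTML, resolve each form's action against the URL the page was served from, and flag any form that collects personal or financial fields but submits over anything other than https. The field-name heuristic and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical heuristic: field names that suggest personal or financial data.
SENSITIVE_HINTS = ("account", "bsb", "card", "dob", "password", "tfn")


class FormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one dict per <form>: resolved action + fields
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action submits to the page's own URL and scheme.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            self._current["fields"].append((name, (a.get("type") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return [(action, [sensitive field names])] for forms that submit in the clear."""
    p = FormAuditor(page_url)
    p.feed(html)
    findings = []
    for f in p.forms:
        sensitive = [n for n, t in f["fields"]
                     if t == "password" or any(h in n for h in SENSITIVE_HINTS)]
        if sensitive and urlsplit(f["action"]).scheme != "https":
            findings.append((f["action"], sensitive))
    return findings


# Constructed sample: an http:// page with a dispute form posting back to itself
# and a newsletter form that correctly posts to an https:// endpoint.
SAMPLE_URL = "http://example.invalid/dispute"
SAMPLE_HTML = (
    '<form method="post" action="/submit"><input name="full_name">'
    '<input name="bank_account_number"><input name="email"></form>'
    '<form action="https://example.invalid/newsletter"><input name="email"></form>'
)
```

Serving the same page over https makes the relative action inherit that scheme, so the finding disappears; only an explicit http:// action would still be reported.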

~~~
iuguy
I'd keep trying to contact them, then look at walking away. An SSL-related
issue like that is not something you're going to get accused of hacking for
reporting.

If you're really serious you could contact your local information privacy
directorate (in the UK this would be the Information Commissioner's Office - I
don't know who it is for the US) and ask them to investigate.

------
thinkalone
Did you email webmaster or postmaster @domain.com? What contact info is listed
in their whois?

~~~
froo
I did try; the whois information doesn't come up with anything useful, and a
search for the name in question doesn't return any useful information.

~~~
thinkalone
Sounds like you've certainly made an effort to contact them. My only other
suggestion would be to contact their hosting company's support department and
let them know there is a security issue with one of their clients' sites and
you haven't been able to reach the site's owners.

~~~
froo
Someone posted a great link to an article at the Consumerist. I've managed to
guess their email naming convention using a Google search, so have sent off a
detailed email of the problem to their executives, trying to "dumb it down" as
much as possible by including screenshots and a basic outline of a social
engineering strategy (including a nightmare outcome) that might occur as a
result of their oversight.

Hopefully it will come to someone's attention.

~~~
cjg
Let us know how it turns out.

~~~
froo
Well now that they've fixed it, I guess I can say where I saw the error.

The error was on the Financial Ombudsman website in Australia in their online
dispute form. The reason why this concerned me was that some of the
information they need to collect included things like bank account numbers -
so having this information sent insecurely to the Ombudsman was (imho) a big
no-no.

I guess I finally managed to get through to someone who can fix it after I
sent emails directly to the Chief Financial Ombudsman explaining exactly why
it was an issue, with screenshots showing exactly where the problems were (I
highlighted the appropriate parts) and an example explaining exactly how
someone could use this information to engineer someone's account passwords out
of them easily.

Thankfully it's all fixed now.

------
gauravgupta
I tried reporting a high risk to a popular local shopping website. In fact, I
also offered to fix it for them.

But the response was merely a "Thanks for letting us know. We'll look into
it". It's been over a year, but it's still there.