
Ask HN: I hacked an ecommerce website, what do I do now? - throwaway3DN
Hi all,

I'm a web developer by trade and I (inadvertently) hacked an ecommerce website
yesterday.

It started innocently, while ordering a replacement part for one of my domestic
appliances. I received an email with the order status, the website was... let's
say antiquated. Curiosity abetting, I soon had access to the whole database,
with the full order history, the suppliers and the whole server.

I know I could wreck them but that's not my goal at all. This company has a
turnover of > 5M€, based in France (as am I), I very well know the consequences
of the chaos I could create.

I'm aiming for a responsible disclosure, but I don't want to get sued. I'd like
to help them to get better at security and development, how would you approach
this?

Love to all hackers and tinkerers!
======
jonh1
Hi there-

My name is Jon and I’m a Technical Program Manager for HackerOne. HackerOne
has a free, voluntary service called Disclosure Assistance. The way Disclosure
Assistance works is that we take the vulnerability details you submit and
attempt to contact the organization on your behalf. We have a wide range of
tools and contacts within the industry that enable us to find the relevant
contacts.

HackerOne will attempt to contact the affected organization and verify the
identity of an appropriate point of contact to receive the vulnerability
information. Once their identity is verified, an email is sent to the point of
contact with a secret link to the contents of the bug report and the
interactions between the hacker and HackerOne. At this point, the
vulnerability information has been successfully shared with the affected
organization.

We have helped hundreds of researchers responsibly report security issues, and
would be happy to help in this instance as well. I want to reiterate that this
is a free, voluntary service. You can read more about it and submit a report
here: [https://hackerone.com/disclosure-assistance](https://hackerone.com/disclosure-assistance)

------
yann63
You are already on the wrong side of the law, for remaining inside a computer
system. Delete everything you may have retrieved, clear your browsing history,
etc., then forget the whole thing. People have already been convicted in France
for this. The law is not made to protect people like us who find a flaw by
chance and would like to help by reporting it to the owner of the computer
system. Unfortunately, nothing but trouble can come to you from a story like
this.

From the point of view of French law, entering a computer system in this way
is like entering a house or a car whose door is wide open. Illegal. The analogy
has its limits (you can see that a house door is wide open without entering and
warn the owner, whereas with a computer system it is only once you are inside
that you see the door was wide open).

~~~
olivierduval
Note article 323-3-1: "The act, without legitimate reason, in particular for
research or computer security purposes, of importing, possessing, offering,
transferring or making available equipment, an instrument, a computer program
or any data designed or specially adapted to commit one or more of the offences
provided for in articles 323-1 to 323-3 is punishable by the penalties provided
respectively for the offence itself or for the most severely punished offence."

As I understand it, if you send a bug report to HackerOne... well... you get
hammered too!!! Because I doubt you could claim the "legitimate reason" of
"computer security", since you are not acting within the scope of a specific
security engagement for a client.

------
geetfun
Contact a lawyer who represents clients for this sort of thing (if such even
exists). The company in question — who knows how they will react. Even if we
(all of us here on HN) know your intentions are noble, your discovery may
inevitably lead to someone getting fired over this. That person may very well
portray your hacking as malicious and try to divert the blame on you. Better
safe than sorry.

~~~
eerikkivistik
I would even suggest that the lawyer contact the company on your behalf
without revealing your identity. I've seen these things go sideways and if you
really want to disclose, make sure your identity remains anonymous until they
explicitly agree not to pursue any legal action. I'll also add that they might
behave irrationally - it can take many forms (denial of a security issue,
legal action, defamation of character). But I might be a bit cynical as well,
been down this road in the past.

------
osazuwa
Part of your ethical consideration in making this decision is the well-being
of all the customers whose data is waiting to get stolen

------
mmcallister
Do they have an email address for security incidents? What about responsible
disclosure documentation? Could be a good indicator on whether they value the
security report or not.

I'd personally disclose it to them in the interest of protecting everyone else
that uses their platform. You have the power and ability to stop what sounds
like a pretty catastrophic leak.

IANAL but your intentions are clearly in the right place, there'd be uproar
if they tried to prosecute you... having said that they might still try.

~~~
throwaway3DN
Unfortunately, they don't have one. Their development and security practices
are straight from the 1990s, I don't think they even have someone responsible
for these areas anymore.

I'm at a loss because I've got the feeling that there are no technical people
at all. I feel for them because I know the pains of selling online and I don't
want to wreck the livelihood of these people.

------
staunch
I've sent emails anonymously but I'm not sure I would do it in the future. It
doesn't seem like it's worth the risk.

You might wait 30 days or more in hopes their logs don't have your previous
requests in them which could potentially identify you.

Ethically it doesn't seem right to feel obligated to help a business that has
a problem. They have money and it's their responsibility to run their business
competently, not yours.

------
is_true
Try to contact them and offer to fix the errors.

I did something like this and when I reported the URL with the vulnerability
they didn't answer, but when I tried to access that URL I got a page that said
"the bug is in uranus". Unfortunately if you added any parameter to that URL
the admin panel was still public.

~~~
throwaway3DN
That's exactly the kind of childish answer I'd like to avoid if I disclose the
security vulnerability ;-)

------
natalyarostova
No good deed goes unpunished. Walk Away.

------
eb0la
Under GDPR they must disclose to their users this security problem because
they could have a potential data breach.

This situation should be handled by the Data Protection Officer (DPO) the
company must have either a) on payroll or b) as contractor.

If I were you, I would report this anonymously to avoid being sued.

Even better: talk to your lawyer and ask him/her to report anonymously the
incident for you.

I have been in court as a designated expert and the concept of accidentally
discovering a vulnerability is hard to explain to law people.

Other developers / security people will understand it, but DPOs are usually
lawyers that report to the board that is composed of lawyers...

------
chipuni
First, create CLEAR instructions that show how to access the database from
outside the company. It's best if you create a script.

If you have zero tolerance for risk, then print out the instructions and a
copy of the script AND put the script on a thumb drive. Then mail them
(physical mail, in a literal envelope) both to the company with no return
address.

Then you've done your part, and you're unlikely to be sued.

Good luck.

~~~
throwaway3DN
Unfortunately, they don't seem to be technically oriented, their website was
built in 1997... I'm not that risk averse and I'd like to help them to improve
their security and development practices, I'm aiming to get in touch with them
without compromising myself if they react badly.

------
Rjevski
> based in France (as am I)

The laws in France seem a bit better as far as “unauthorised access” is
concerned, I haven’t heard of any precedents where security researchers have
been prosecuted there.

In any case, I’d recommend disclosing it anonymously over Tor (do they have a
contact form? If so just fill it in using the Tor Browser).

------
ohhellno
Wait for your order to arrive and then submit a GDPR request to delete your
information.

------
BjoernKW
I'm not sure what the legal framework for this is in France.

Hence, my best advice is this: Contact a lawyer who's well-versed in local IT
law before doing anything further at all.

------
borplk
Be very careful! Don't take any risks for them.

