
Websmart, Inc. and 100,000 Vulnerable Websites - GrahamsNumber
http://samsclass.info/125/ethics/smart-websites.htm
======
acangiano
This is all fine and dandy but I actually find the approach taken by the
professor in the first email to be quite unfriendly and perhaps even
unprofessional. The guy from Websmart is actually right, there was no need to
immediately contact his customers directly. You let the vendor handle the
delicate subject with their customers and then take action directly (with a
public disclosure) only if the vendor ignores you.

~~~
elwell
This is best for the vendor, but not best for the customers. Vendors should
have a healthy fear that if they don't provide substantial security they will
be exposed for their lack of quality. Now, I hope I'm not soliciting a 'test'
of my work by saying this...

~~~
rallison
To a certain degree, I do agree. If websmart can't do this right, I imagine
there are many other security vulnerabilities plaguing client sites. I will
say that, as a client, I _would_ want to know this.

------
jtchang
Rule #1 - Don't be an asshole.

You found a vulnerability in lots of sites so you contacted the vendor who was
responsible for it. Cool. They replied and said they would fix it.

Going around and e-mailing their customers is kinda odd. Sure it may result in
you feeling great but in the end the customers probably don't have a clue.
Better to be mature about it and contact the vendor (who actually responds!)

If they stop responding or tell you to peeter off, then it might be reasonable
to do some type of disclosure. But not before you actually give them a chance
to respond.

------
gk1
Wow. Just wow. I used to manage client accounts at an agency. Here's how I'm
seeing this:

- Author sends a condescending, threatening, passive-aggressive, and shaming
email to a vendor and its clients.

- Vendor respectfully explains that it was an unprofessional thing to do,
because their client relationships were put at risk without them having a
chance to correct their mistake.

- Author completely fails to understand why the vendor would think this, and
interprets the email as an effort to "intimidate [him] into silence."

To be clear, I'm not excusing the vendor for their shoddy development work. I
just think this professor is clueless about effective communication.

~~~
markdown
An understandable opinion coming from a client accounts manager.

Now try and see it from the viewpoint of the poor sods who have the
unfortunate fate of being this incompetent fool's clients.

------
columbo
My personal advice to all small-business-owners: Don't get into pissing
matches!

Yeah, I don't like Sam Bowne's approach. His initial email read as someone
looking to make a name for himself (this is the biggest security flaw I've
ever found! You have 6 days to respond!).

Despite this, if I had received an email like this I would have sent back a
personal thank you followed with an outline of action steps. If I get another
email from Sam asking more questions I'd reply as quickly as possible. Every
transaction between him and me would be professional.

I'm reminded of a time when someone was convinced I was a hacker. It's a bit
of a long story; I was tasked with creating a certification course for 2,000
employees. They all got emails telling them to log in and one guy saw the
domain (companyname.columbo-companyname.com) and thought it was a phishing
scam. This employee then pulled up my company, did a WHOIS, called my cell
phone a few times* and then promptly sent an email to the CTO (and about 6
other VPs) about a rogue hacker.

The whole thing turned into a massive cluster, suddenly I'm getting emails and
phone-calls about a hacker in MY site (the CTO assumed I had been hacked and
they had been hacked by proxy, nobody knew what was going on).

Took a few days to sort out and when they found out where it started the CTO
sent me an apology to which I responded "Hey, it's no big deal, it's great you
have an employee willing to raise alarm bells like this.".

Problem Solved.

There's nothing to gain from pissing matches or threats.

* I suspect he's the one that called me, got a strange call & text right before all this went down from a number I didn't recognize.

~~~
emilv
That domain name sure looks like a phishing scam.

Six days to take down the websites and start bugfixing is a lot of time for
this kind of vulnerability.

~~~
thyrsus
It is quite possible the clients do not have access to the source code. They
may further have no competence in coding nor even in obtaining competent
assistance in coding.

~~~
emilv
They still should be able to figure out how to take down the website to avoid
being exploited.

------
thekevan
Imagine if the local news outlet did a "consumer watchdog" piece on a
contractor going around installing windows or doors in homes and businesses
with locks that can be easily opened without a key. Then imagine the
contractor acknowledged the issue but threatened to sue the news outlet for
hurting their business.

~~~
jackalope
Now imagine that the local news outlet displayed a list of addresses of the
homes that can be easily opened without a key. That's closer to what happened
here. The disclosure was irresponsible. He could have contacted each site
owner individually with information limited to their site. Instead, he sent a
mass email to total strangers, putting some of them at risk, then blogged
about it. That's stupid and inconsiderate.

~~~
markdown
And now, realizing the danger they are in, they fix the door or harass their
vendor into doing it. Finally, thanks to the efforts of one good samaritan,
they're safe.

~~~
adriancooney
Who each have to go through the contractor to get them fixed resulting in a
bottleneck. Thieves are already running rampant at the disclosure while the
contractor is frantically fixing the windows.

~~~
markdown
An unfortunate series of events, but the poor homeowners are glad it happened,
because now they see their contractor for the careless, incompetent fool that
he is.

They vow never again to put their families at risk by letting him near their
house.

They find a better contractor.

~~~
sanderjd
Having no technical expertise with which to evaluate competing contractors,
the "better" contractor they find has the same problem. Cycle repeats.

------
sugerman
I appreciate that the guy's attitude is just awful, but the author really
should have given him a chance to respond/react before contacting his clients.
Doing so doesn't preclude notifying them eventually. It's just common
courtesy.

~~~
colinbartlett
I think he's doing the site owners a favor by contacting the person who could
actually do something about it in addition to the owner. Ordinarily, he'd
probably only contact the site owner. In this case, he saw that the builder of
the site was consistent across multiple sites and chose to _additionally_
contact the builder and not just the owner.

------
gojomo
It's reasonable to contact the affected sites, as well as Websmart. The sites
might be able to fix themselves, depending on their level of technical
involvement, and (despite the "Web Site by Websmart Inc." line) it's
reasonable for an outsider to simply consider the vendor/contractor/hoster as
an internal implementation detail, and the brand-at-risk as the principal.

But, the notification didn't need to inform all of them at once in the same
message - revealing multiple vulnerable customers to each other, ratcheting up
the embarrassment for Websmart before even seeing their initial reply. And the
one week deadline before pursuing "more drastic remedies, such as contacting
news media" starts things in a confrontational, threatening manner.

If the aim was being helpful, a notice to Websmart first, and then to each
other site individually, would have highlighted the problem without activating
defensive egos. The messages to individual sites wouldn't even have to name
Websmart, just an indication that "your vendor or host may be the party best
able to fix". (The fact that not all the "…by Websmart" sites have the bug may
indicate it's only a certain type or generation of their work that's
problematic, or that a fix is relatively easy.)

So I see both sides unnecessarily escalating the righteous anger with their
communication choices.

------
polemic
Nice one including the XSS injection flaw posted to inj3ct0rs within your own
page there. Did you forget to sanitize your _own_ HTML?

Secondly, publicly publishing the email addresses of the (innocent) victims,
and emailing those clients with To instead of Bcc fields are both really
inconsiderate moves.

------
Phil_Latio
LOL

[http://www.websmartconsulting.com/profile.php?ClientID='](http://www.websmartconsulting.com/profile.php?ClientID=')

~~~
orf
It's sad that this is 2013 and these basic fucking issues still plague websites
(and the people who make them). I wonder if the root of these issues is in
education or the tools used? Or both?

~~~
rallison
It seems to be a combination of both a lack of knowledge with respect to
security and often a lack of respect. With many smaller companies, it is often
ignorance. With many others, it is still too often the case that security
concerns end up getting thrown in the "yeah, we should fix that eventually"
pile of bugs.

Another issue is that security issues are often not visible to normal users.
In the websmart example, a normal user looking for development services would
have no idea that websmart has absolutely no clue how to do security. So,
websmart gets the business, while the client gets a ticking time bomb, without
even knowing it.

That, and most developers don't have any formal training in security concerns.
I know I didn't when I first started - I had to pick it up as I went. It does
not surprise me that these sorts of things keep coming up. Unless something
changes - e.g. the majority of computer science degree programs include a
course or two on security, I don't expect things to get drastically better.

That said, things like bug bounty programs help raise the visibility. And, at
least many of the large tech companies do now respect security. We've at least
improved in some ways as an industry.

~~~
joe_computer
> With many smaller companies, it is often ignorance.

I think that's an unfair statement about smaller companies. Just two months
ago a SQL vulnerability was discovered on the website of NASDAQ.

I think the solution is to use frameworks that promote safe behaviour and have
idioms for dealing with common cases. Make someone go out of their way to do
the dangerous thing.

------
jcrites
Is there really a SQL injection vulnerability?

Can someone describe the specific vulnerability in more detail? All the
example URLs in the article yield an SQL syntax error, which definitely puts
the site at high risk for such vulnerabilities. However, on the other hand, I
saw no URLs that actually demonstrated successful injection.

For it to be an injection vulnerability, the server needs to execute the query
(not fail with a syntax error).

Does anyone have a working example? Nothing malicious please. I tried several
basic techniques and was unsuccessful, due to what appears to be escaping on
double and single quote characters.

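An added example (not code from the thread or from the site under discussion) illustrating the two points raised above: jcrites' distinction between a query that merely fails with a syntax error and one the server executes, and joe_computer's point that the safe idiom should be the default. It uses Python's built-in sqlite3 with a constructed in-memory `clients` table; the table, rows and function names are assumptions made for this example, not the structure of any real site. The concatenating version shows the parser treating user input as SQL (the same class of symptom as the `ClientID='` URL in the thread), while the parameterized version hands the same input to the database as data only.

```python
import sqlite3


def make_db():
    """Constructed sample database; the table and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (ClientID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)",
        [(1, "Alpha Bakery"), (2, "Beta Florist")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, client_id):
    """Builds the statement by string concatenation (the weak pattern).

    Whatever the caller passes becomes part of the SQL text, so the parser,
    not the application, decides what the input means.
    """
    sql = "SELECT name FROM clients WHERE ClientID = " + client_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, client_id):
    """Binds the value as a parameter (the corrected pattern).

    The SQL text is fixed at development time; the input is delivered to the
    engine as a value and can never change the statement's structure.
    """
    return conn.execute(
        "SELECT name FROM clients WHERE ClientID = ?", (client_id,)
    ).fetchall()


def compare(conn, client_id):
    """Runs both lookups on the same input and reports what each one does.

    Returns ((concat_status, concat_detail), parameterized_rows), where
    concat_status is "ok" when the concatenated statement parsed and ran, or
    "sql_error" when the engine rejected it (the symptom seen in the thread).
    """
    try:
        concat = ("ok", lookup_concatenated(conn, client_id))
    except sqlite3.OperationalError as exc:
        concat = ("sql_error", str(exc))
    return concat, lookup_parameterized(conn, client_id)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "abc", "'"):
        print(repr(value), "->", compare(db, value))
```

For a well-formed id both functions agree. For input that is not an id, the concatenated version either errors out (quote characters produce the unrecognized-token errors the thread describes) or is evaluated as SQL (`abc` is looked up as a column name), which is exactly the evidence that the server is assembling queries from user input; the parameterized version simply returns no rows for any of them. Framework query builders and ORMs make the parameterized form the path of least resistance, which is the "go out of your way to do the dangerous thing" property joe_computer asks for.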
~~~
ibudiallo
After an hour of playing around (nothing malicious) yes it is vulnerable, a
lot of sites use the same DB structure (which is because they were made by the
same people) and passwords are stored in plain text.

So No it is not just syntax error.

~~~
jcrites
Would you mind sharing an example query string that injects and passes
validation? I'd be interested to see what technique enables it to be valid.

(It's obvious to me that the site is under high risk since user-provided
strings show up in SQL validation errors, which includes the rest of a real
query, but simple injections like using ' and " to break out did not work in
my few minutes of trying, so I'm interested to learn what worked.)

~~~
ibudiallo
I will send you a generic example on your email.

------
natch
I'm picking up that Sam may be a little off. Or at least his reading skills
are really questionable. The developer clearly stated that he would look into
it, which is what you say when you first get word of something serious that
needs to be looked into. And he was appreciative, emphatically so, about being
informed. And annoyed about his customers being informed as well, but that
annoyance is very understandable, even though he may have deserved some
annoyance by his apparent lapse in coding rigor.

~~~
nknighthb
> _The developer clearly stated that he would look into it_

Belied by the developer's inaction since 2010. Did you read the whole page?

~~~
prawn
Looked like the developer was notified in 2013, not 2010. The flaw was just
posted somewhere in 2010.

------
grannyg00se
Surprise, many websites are not secure. Does he go around testing people's
door locks to see how vulnerable they are to being picked with a basic lock
pick set? Maybe knock on some doors and tell the home owners that their home
contractor doesn't take security seriously enough and demonstrate how easily
the standard door lock can be picked?

I could understand if he was making a business out of this, selling improved
security. But this way it just looks like he's out to show people that he
knows something they don't know and publicly shame them into some kind of
response.

~~~
GrahamsNumber
Or maybe he could, you know, be trying to teach his students about security so
they don't do shit like this in the future? "My students and I have been
notifying administrators of vulnerable websites for several years now"

~~~
grannyg00se
Teaching about security by looking for some basic low hanging fruit? Perhaps.
But what he's also teaching is how to blame and shame, and needlessly tread
into murky legal territory.

------
scoot
He seems to be confused by the difference between pages and sites - 100,000
pages is not 100,000 sites. And the search in question only finds 274 pages
anyway.

So this is actually: "handful of sites have a sql injection vulnerability -
owners & operators incapable of fixing". Hardly big news.

------
colinbartlett
What an idiot, he could have reacted with gratitude and done his part to
convince his customers that he would make the situation right.

Instead, he's opened himself up for a flurry of negative attention not only
from the public but from the unethical hacking community.

------
notlisted
Sam is in dangerous territory here. IANAL, but I think he may be close to
being accused of Tortious Interference[1]

I noticed this in the initial response of websmart's owner that I've seen
before in legal docs.

_"I do not appreciate you taking the liberty of contacting my clients
directly [...] you have no right or authority here. You could very well damage
my business with this. If that happens you will be hearing from our lawyer."_

This line in Sam's last email is especially dangerous (stating things he
doesn't know and something which can be perceived as "soliciting for
business"):

_"This is a serious security defect. It is easy to fix, but Websmart has
made it clear that they have no intention of fixing it. [...] If you have
questions, or would like help fixing your website, feel free to contact me."_

isn't very smart to say the least.

[1]
[http://en.wikipedia.org/wiki/Tortious_interference](http://en.wikipedia.org/wiki/Tortious_interference)

~~~
nknighthb
Truthful warnings to people who are in danger is not tortious interference.

~~~
throwaway2048
being 100% correct and legally in the right is no defense against years of
lawsuits

~~~
nknighthb
If the law doesn't matter, then don't bring it up. Under your logic, you can
replace "tortious interference" with "turnip testicles" and this discussion is
equally meaningful.

~~~
tedunangst
Unlike a complaint naming turnip testicles, one that says tortious
interference is less likely to get kicked by the judge in four seconds.
Skating ->this<- close to the legal edge is definitely something worth
bringing up.

~~~
nknighthb
And I could sue you for libel and have it last more than four seconds, too.
You're skating awfully close to the legal edge!

No, actually, you're not, any more than Sam is. This isn't a close call.

------
rickyc091
Here's the thing, a lot of times people just don't care. I've sent emails to
Amtrak, USPS, SallieMae and many others about bugs on their sites. Most of the
time I just get canned responses saying they'll look into it or reply with
something totally irrelevant. Sure it probably would have been the courteous
thing to do by sending the webmaster an email first individually, but if you
were the client, wouldn't you want to know about this vulnerability? Wouldn't
you want to know your database has been compromised?

------
ThinkBeat
There are several dead links and sql injection vulnerabilities on the
company's website.

I can appreciate that it takes time and tact to deal with all the clients
something he is hopefully doing but not even doing some basic work on your own
corporate site is hard to understand.

There are also exploits in the Frontpage module his web server is running
according to online databases.

Does this company have its own "cms" system? Is that why the error is so
pervasive?

From what he says about his business under "About Us" the owner has a solid
background of over 10 years in the broadcast industry as a radio personality.

My assumption is that he owns the business, and has owned it for a long time.
He probably has very rudimentary html skills and can open his tool of choice
DreamWeaver on a good day.

From what he says I think he outsources pretty much anything more than writing
plain html. So he might be trying to deal with one or more contractors that he
has hired for different sites. That probably makes it difficult for him to
roll out any changes / patches in a timely manner. He is probably trying to
get his / one of his contractors to do it for free, since he has discovered it's
broken.

I think the appropriate action is for Owen Smart to take a step back. Take a
deep breath. Realize that he is in a shitstorm now since the story hit HN.

He needs to reach out to and reassure his clients. He might want some help
from a PR person here to make sure he presents well. Make them see that he is
competent and taking action.

Hire in a developer with a strong background in security to review the code
base(s) for additional problems, and come up with an immediate mitigation
plan, and work out a longer term plan to deal with the issues identified.

Make sure to follow up with the clients about target dates for fixing their
sites.

He may also have to add a section on his corporate page, with some help from a
PR person, and give his version of events in the best, least confrontational
manner, and again say that he has the resources and the plan for addressing
the issues that have been raised. Some BS about thanking the people who helped
him find the issues, and reassuring future clients that this will no longer
pose any problems.

Happiness all around.

------
elwell
Does the author actually think Websmart has made ~100k websites?

------
elwell
[http://www.websmartconsulting.com/portfolio.php](http://www.websmartconsulting.com/portfolio.php)

    We are currently working on upgrading our Portfolio of web
    sites and special projects.  Please check back again soon.

Does anyone want to use an apostrophe and help him work on this page?

------
websitescenes
This professor is an ass. I would be livid if someone sent me those emails and
created a press release. I think this is definitely grounds for legal action.
The professor has severely misinterpreted the situation.

------
homakov
What is the point of hacking some random sites? Leave it to indian haxors.

~~~
infinitone
Somewhere out there... a botnet would like to have a word with you.

------
rootuid
Contact the vendor, give them time to fix it. Wtf are you contacting his
customers?

Sam, you are truly a moron.

~~~
GrahamsNumber
It doesn't seem that he felt like taking any action since 2010

~~~
elliottcarlson
Are you sure he was notified in those previous incidents? Sure, that's really
poor behavior of the company, but you don't know if he was even aware. Sam
should have responsibly disclosed the information assuming that it was not
already known - his actions were indeed unprofessional and could've been
approached differently - if there was still no action taken, then that's a
whole other story.

~~~
GrahamsNumber
Maybe he was, maybe he wasn't, only he knows. But when you're running 100000
websites, you should Google yourself once in a while at least. Besides, this
isn't some 0-day, it's some extremely basic SQL injection vulnerability. This
company wasn't capable of doing extremely basic security, and should be out of
business. This is the kind of company that stores your passwords in plaintext.
He doesn't seem to have done anything since he was notified either (see Phil's
comment)

~~~
elliottcarlson
Oh, I'm definitely not disagreeing that the company was irresponsible in their
coding practices and having found the previously released notices on their own
- they are certainly at fault for that negligence - and if they have indeed
been notified before, then they are even worse of a company; but I still think
Sam didn't approach the disclosure properly, but that's just an opinion.

------
GrahamsNumber
I find Websmart's attempt at trying to put this man out of a job absolutely
disgusting. No doubt, Sam Bowne will think twice before reporting
vulnerabilities next time. Even though I'm not in any way related to this
incident, I've sent Sam a thank you note because I think the web community
needs more people like him. If you want to do the same, his e-mails are in the
link, but for ease of access: sam(dot)bowne _at_ gmail, sbowne _at_
ccsf(dot)edu .

~~~
Rizz
Did they really try to put him out of work? I could not read any such thing in
the vendor's emails. Perhaps the vendor just wanted to complain to the
researcher's manager so he might receive additional training or so protocols
could be set up for handling such issues?

