

Ask HN: Found security flaw in site, what should I do? - asmithmd1

I found an obvious security flaw in the site of a regional business that serves tens of thousands of customers a month - think a hotel room or airline ticket. Just change the sequential transaction id in the URL and you can see all the details of any transaction (with the exception of the credit card number) for the past year. Even worse, you can change any reservation before it is used.

What should I do? Is there a standard protocol about notifying the company before going public? Is there a group I can report the flaw to who will notify the company? I am not any kind of security researcher and don't want to get accused of hacking.
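The flaw described above is a missing authorization check on a sequential id in the URL (an insecure direct object reference). As an added illustration that is not part of this thread, here is a constructed lookup with that defect beside a hardened form that binds each record to the logged-in account and, for emailed links, uses an unguessable token in place of the sequential id; the store, function names and sample bookings are all invented.

```python
# Added example (not from this thread): a reservation lookup keyed only by the
# sequential id from the URL, beside a hardened form. All data is constructed.
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Reservation:
    txn_id: int      # sequential id, as in the flaw described above
    owner: str       # account that made the booking
    details: str
    # Unguessable token for emailed "manage my booking" links
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

# Constructed sample data: two customers with adjacent ids.
STORE = {
    1001: Reservation(1001, "alice", "Room 12, 3 nights"),
    1002: Reservation(1002, "bob", "Room 7, 1 night"),
}
BY_TOKEN = {r.token: r for r in STORE.values()}

def view_vulnerable(txn_id: int) -> Optional[str]:
    """Vulnerable: whoever supplies an id gets the record, so changing one
    digit in the URL reads any booking in the table."""
    rec = STORE.get(txn_id)
    return rec.details if rec else None

def authorize(session_user: str, txn_id: int) -> Optional[Reservation]:
    """Hardened: the record must belong to the authenticated session user.
    A missing record and someone else's record look the same to the caller."""
    rec = STORE.get(txn_id)
    return rec if rec is not None and rec.owner == session_user else None

def view_hardened(session_user: str, txn_id: int) -> Optional[str]:
    rec = authorize(session_user, txn_id)
    return rec.details if rec else None

def update_hardened(session_user: str, txn_id: int, new_details: str) -> bool:
    """Modifying a booking passes through the same ownership check as viewing."""
    rec = authorize(session_user, txn_id)
    if rec is None:
        return False
    rec.details = new_details
    return True

def view_by_token(token: str) -> Optional[str]:
    """For emailed links with no login: a 128-bit random token replaces the
    sequential id, so a valid reference cannot be found by counting."""
    rec = BY_TOKEN.get(token)
    return rec.details if rec else None
```

The same ownership check must guard every route that reads or writes a booking, including the modification path the post mentions; a per-route fix that only covers the view page leaves the update endpoint open.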
======
cperciva
As _underwater_ said, the "responsible" approach is to notify companies and
give them sufficient time to fix the problem. Sometimes this is challenging,
due to difficulties in establishing contact with the right people or
difficulties in convincing them that the issue is serious; in such cases it
might be useful to work with someone who has experience in the field -- I'm
happy to help if you want.

Generally speaking, as long as you didn't do any more than was necessary to
confirm that the issue existed, you're not likely to be accused of wrongdoing;
working with/via someone who is recognized in the field would diminish this
possibility even further, since "hey, you guys are evil" tends to be defeated
very quickly by "this guy has handled lots of issues like this and nobody has
ever accused him of wanting anything more than to get the issues fixed".

Just be very careful to make sure that you don't ask for money in any way
(including asking them to hire you as a consultant). The best of motives can
be very quickly misconstrued when the word "blackmail" comes up.

------
elviejo
I think what is normal is to let the company know first. Also give them a
test with which they can reproduce the bug, and a deadline by which you are
going to make the security bug public. The deadline is because many companies
ignore the problem until it is public.

This opinion comes from reading this article by Chris Shiflett:
<http://shiflett.org/blog/2007/mar/my-amazon-anniversary> "On this day last
year, I informed Amazon about a pretty serious vulnerability and demonstrated
it with a few examples and a detailed description. In the description, I
explained how to exploit the infamous "1-Click" feature, causing victims to
purchase items of my choosing without their knowledge or consent, and I
stressed that the scope of the problem extended beyond my benign examples.
After some mild prodding, I finally received a reply letting me know that my
email had been received, the vulnerability had been verified, and Amazon
considered fixing it a top priority."

------
underwater
Google "responsible disclosure". The normal process is to inform their
security contact (or more likely tech support), give them a number of weeks to
reply and sufficient time to fix the issue. After you've given them a chance
to address the issue feel free to publish a report.

------
benologist
I would phone them or make a disposable email and warn them; that way, if they
take the news badly, they'll have a hard time hunting you down. I can't imagine
why they would react badly to that in light of all the recent security issues
in the media, but there are all kinds of jerks in this world.

------
askar_yu
Why don't you send an e-mail to the webmaster of the site?

If you're concerned that the company may misunderstand your intent and take
some legal action against you, maybe you could send an anonymous e-mail...

~~~
sid0
...and possibly include a commitment so that you can take credit for it after
it's fixed? :)

------
autalpha
True story that happened to me: while trying to look up information for a
restaurant reservation, I found some security issue that would redirect users
to an obscure host name. I think it was an issue of bad DNS setup with their
web hosting provider. In any case, being the helpful and detail-oriented web
guy, I sent their headquarters team an email with the details of what was wrong
and a solution that should fix it. I got an email from them the next morning,
and since I started my email with "While I was looking up information for a
reservation..." the person arranged the reservation for me. So I thought that
was that. But after the meal was done, the owner came out and thanked me
personally and took care of all our drinks. And since it was a
brewery/restaurant, the beer tasted a bit sweeter :)

I've also sent another email to a small online belt buckle shop to notify them
of the insecure way they were setting up PayPal on their site (again, the
steps to reproduce the problem and steps to fix it). The owner emailed me back
to thank me and took care of the order personally. You know, most
people are just happy that you are giving them some help. Being in the hacking
community, I would imagine that everyone is the same here--most of us are
(overly) helpful individuals. It's in our genes. So don't fight it and do the
nice thing of sending them the steps to reproduce the problem and ways they can
fix it. If you feel that you should protect your anonymity, do it. But do
notify them :)

If one of these days I make an obvious security problem, I would hope that
one of us here would shoot me an email so I can fix it immediately. And I
will promise to do the same.

------
achivetta
"Hi there, I was retyping a link to my invoice and screwed up a digit. It took
me to someone else's page, which seems odd. For example, my link was <link> and I
accidentally typed <other link>. Not sure if this is a problem or anything, so
I just wanted to bring it to your attention. I'm not sure if this is the right
place to email, so please let me know that you got this."

When you make strong statements, other people often have a tendency to react
strongly and defensively. I assume that the person at the other end is both
competent and concerned - give them all benefits of the doubt.

If you find that isn't the case, then, and only then, you can email them and
use the word "security" and talk about going public after n weeks, etc.

(I am not a lawyer.)

------
desushil
Simply inform them about the issue you have just seen. I wonder why they would
want to think of you otherwise, as you are just trying to help? But for the worst
case, consider keeping all of your records. Just be true to yourself about what
you have seen and tell them to solve it. If you know how to solve it, possibly
you can ask them for some money, saying you can fix it.

------
elliptical
In the age of any website getting hacked, take your steps carefully. But then
don't make a business of this discovery; assist instead. Go ahead and inform them
by phone call, and keep logs of your conversation.

------
jvoorhis
Emailing the webmaster is a good way to begin. Try security@domain and hope
someone checks the catchall inbox. Learn about best practices for responsible
disclosure if you want to escalate.

------
cheez
Just use whatever contact they have on the website.

Dear <company> website team,

I am a security consultant for <my new company I made 10 seconds ago>.

While casually visiting your site, I recently found a severe security bug that
not only leaks private information, but has the potential to alter a user's
reservations.

Please contact me as soon as possible so I can let your technical team know
about the problem (no charge, of course).

Thanks,

Me Security Consultant, <new company> <phone #>

Might as well try to get some business out of it ;-)

------
avstraliitski
I found one of these and notified the IT manager of the company. It wasn't
hard to get them on the phone. Then I got free stuff and many thanks in
return, plus warm fuzzies.

------
rounak
Hand it over to LulzSec

------
whalesalad
Call lulzsec as fast as you possibly can! /sarcasm

