

Ask HN: How to disclose a phishing vulnerability - youngian

I am hacking together a proof-of-concept of a phishing attack on the sites of some financial institutions (mostly to make a rhetorical point). Frankly, it's not rocket science. I imagine if the phishers wanted to, they could have developed this technique by now. But I haven't found any record of this particular type of attack being disclosed to the public.

So: am I obliged to treat this like a security vulnerability? Warn said institutions of the problem, give them a grace period to make changes, all that? Or should I just announce it publicly? Morally, what's the right thing to do? Legally, am I on any shaky ground one way or the other?

Oh, I should also mention that I have no expectation of this information actually convincing said institutions to change their ways. It's not like an open port on their server or something, and I am guessing they've sunk plenty of money into their system and aren't going to revamp it because of one windbag on the internet. Honestly, I'm concerned that if they give any response at all, it will be to threaten me with legal action or something if I don't keep it quiet.
======
TallGuyShort
I'll second the question, but for a different reason. I once noticed a
vulnerability on Facebook, and as a responsible citizen, took screenshots of
what was happening and wrote a friendly email explaining how it could be used
to compromise another user. I explained that I had just stumbled across the
problem and wanted to be sure they knew it was there, and how to fix it.

Their response was to lock my account for a day for "suspicious activity".
Once they unlocked it, they changed my password and informed me that I must
have carelessly given my credentials to an attacker (which had nothing to do
with the problem I reported). Their email was extremely rude and threatening.
As a result, I would never dare inform the financial institutions of their
problems unless I worked for their security team, for fear of being
prosecuted. So as a follow-up question: what has been the response you've
received in the past from such action? And indeed, how do you avoid coming
across as a malicious hacker?

~~~
mbrubeck
That's a good point that I didn't think of in my earlier reply. If you
disclose - either privately or publicly - be prepared for the chance of a
litigious response. If you can publish a generic example that isn't tied to
any particular site or institution, it might help avoid this.

~~~
youngian
Is the generic-ness meaningful on legal grounds, or just giving you better
odds that no one will take it personally, panic, and call in the lawyers? I'm
assuming the latter, since I imagine most litigation that arises in situations
like this is more about trying to sweep it under the rug than an actual legal
case.

~~~
mbrubeck
Yeah, I was thinking the latter.

------
mbrubeck
You might be right that the institutions won't take a phishing exploit
seriously - after all, phishing is easy enough to pull off against most sites
without exploiting any specific vulnerabilities (just send an email saying
"Please respond with your SSN and password"). But what I would do is to send
details to the vulnerable sites, and tell them you'll publish them in 30 days.
If they respond and ask for more time for a fix, you can give it to them.
Probably they won't respond, and then you can just go public knowing that
you've done your best.

------
technophillia
How is a phishing vulnerability based off a singular site? Phishing is just a
trick to get the user to give you their credentials in the belief that you are
the site in some way (staff, admin, etc.). It's basically social engineering,
so how exactly is yours specific to this site? There's nothing you can really
do to prevent a phishing attack against your site via defensive programming.

~~~
youngian
This is an attack that circumvents a specific anti-phishing mechanism these
sites use. So while obviously other types of phishing attacks are possible
against these sites, this one is more dangerous and is targeted at certain
sites in particular.

