PaulDotCom mailing list archives
Re: He is not evil, checked a site without authorization, found an issue...then what?
From: Robert Wesley McGrew <wesley () mcgrewsecurity com>
Date: Thu, 12 Jan 2012 15:39:45 -0600
Just make sure that he knows that if the "anonymous" report angers them in the way that you fear, it will likely be a trivial matter for them to review their logs and figure out what user has been poking around in that specific feature.

--
Wesley McGrew

On Thursday, January 12, 2012 at 3:27 PM, Sherif El-Deeb wrote:
It started with the usual quotation mark, but to make sure it's a real issue... well, I'm sure you know "that" feeling; again, no bad intentions at all. It's not just an "injection point, need to fix" type of report, it's a detailed one: executive summary, injection point(s), affected parameters and recommendations on how to fix. So, it's going to be an anonymous report submitted using a throw-away email account created through Tor then... Thank you guys for the advice, I already had the feeling that this is how it is going to be. Your help is very much appreciated; I needed to be sure that my advice to him is going to be the closest thing to the right thing. "Damn you conscience, damn you!"

Sherif.

On Thu, Jan 12, 2012 at 11:52 PM, mark cunningham <markcunninghamemail () gmail com> wrote:
Depends how much "he" has done so far. If he stuck in a quotation mark, got an SQL error and reports that, no harm done IMO, but if he's aimed a tool at it or started pulling out data already, then that's just plain stupid (which I gather he has). If he really wants to make things right while still covering his ass, he could register an email address and use it as a point of contact to inform the bank in case they have any further queries. Keep the alternative email so the bank have some way to contact him. Provide as much information as possible about what the bug is and how to fix it. Don't just mention "injection point, need to fix". You should probably highlight this with "Serious security hole" or the likes. It's the right thing to do and I think he should really do it, despite the fact that when you inform someone of this, they may start poking around the log files, in which case they'll see exactly what he has done.
Had to keep going back and replacing "you" with "him" while writing this whole email.

Mark

On Thu, Jan 12, 2012 at 8:33 PM, Sherif El-Deeb <archeldeeb () gmail com> wrote:
Hi all,
I have a friend "Bob" who found a vulnerability (SQL injection, error based -> v. fast data dumping) in a banking website that gave him access to all the customers' details among many other things. He is not evil, and he came to me for advice:
1- He knows he shouldn't have done the test in the first place without authorization and he is afraid that he might get prosecuted if he reported it ("happened before, right?").
2- He knows that this has to be reported because it leaves customer data exposed, and he has to act fast.
3- He would very much like to get rewarded :) not necessarily by money, a thank you letter will be just fine.
I told him if we couldn't figure out a way to make sure he won't get prosecuted, he will just make the great sacrifice, be a good citizen and anonymously report it, and the only benefit he will gain will be sleeping at night feeling a little better about himself, knowing that because of the time and effort he spent finding and reporting the issue, thousands and thousands of innocent people's financial data are a bit more secure.
Any advice?
Thanks in advance.
Sherif Eldeeb
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- He is not evil, checked a site without authorization, found an issue...then what? Sherif El-Deeb (Jan 12)
- Message not available
- Re: He is not evil, checked a site without authorization, found an issue...then what? Sherif El-Deeb (Jan 12)
- Re: He is not evil, checked a site without authorization, found an issue...then what? Robert Wesley McGrew (Jan 12)
- Re: He is not evil, checked a site without authorization, found an issue...then what? Sherif El-Deeb (Jan 12)
- Re: He is not evil, checked a site without authorization, found an issue...then what? Bill Swearingen (Jan 12)
- Re: He is not evil, checked a site without authorization, found an issue...then what? Sherif El-Deeb (Jan 12)
- Message not available
- Re: He is not evil, checked a site without authorization, found an issue...then what? Josh More (Jan 12)
- Re: He is not evil, checked a site without authorization, found an issue...then what? Sherif El-Deeb (Jan 12)
- Re: He is not evil, checked a site without authorization, found an issue...then what? Jim Halfpenny (Jan 13)