The Ethical Hacker Network - Disclosing web application issue

millwalll

Guest

« on: April 02, 2012, 10:18:54 AM »

Hi all,

Recently I have been searching the web as you do and notice a lot of issue on sites I have visited like:

Password being stored in plain text
user enumeration
credit cards not stored correctly

so on

I just want to find out if this was you would you disclose them or just ignore because it not worth the hassle ? also how would you disclose them I have sent email asking if they have security team but no reply so far.


	Logged

hayabusa

Hero Member

Offline

Posts: 1633

Re: Disclosing web application issue

« Reply #1 on: April 02, 2012, 10:40:51 AM »

Just curious, Jamie...

How are you finding these issues? How is it you know where things are stored, and how they're stored?

This isn't exactly something you should randomly be looking at websites for, if you're not asked / contracted to...

That said, depending on the site, you could contact them to resolve it. However, be warned that they might wonder why you were poking around their site to begin with. Some folks might not take your actions lightly, even if well-intentioned... So it's up to you.


	Logged

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH

ziggy_567

Sr. Member

Offline

Posts: 361

Re: Disclosing web application issue

« Reply #2 on: April 02, 2012, 10:44:43 AM »

I would also be hesitant to start the conversation with, "Do you guys have a security team?"

That would, first of all, put me on the defensive from the get-go. Secondly, I'd probably expect to hear you say something along the lines of, "Well, if you don't, I can help you out." After disclosing a security vulnerability unsolicited, this can be construed as unethical behavior.


	Logged

--
Ziggy

eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+

millwalll

Guest

Re: Disclosing web application issue

« Reply #3 on: April 02, 2012, 11:43:23 AM »

well I was using a site but forgot my password and noticed it got sent to me as plain text so would be a really good indication that they not being encrypted in database.

and again was using a site with my username but could not remember my password noticed the error message telling me username was valid but password was not and on same site I decide to see what info they had on me saw the bit to add credit card so made a number up to see and when I went back into it the whole number was on show not even like **********1234 so would assume they storing CC wrong

so was not really looking for the issue they just stood out when using the normal features of the site.

I feel as ethical hacker I should tell them but on the other side I feel they think I am after something or been trying own them or something and end up doing more hard than good.


	Logged

hayabusa

Hero Member

Offline

Posts: 1633

Re: Disclosing web application issue

« Reply #4 on: April 02, 2012, 11:56:56 AM »

I was hoping your reasons were as such.

Either way, it's up to you if you want to discuss with them, or not. Again, just note, that if you weren't asked or contracted to analyze them, you'd better be ready to play really dumb when they ask you why you were posting dummy credit card numbers, etc. They could 'possibly' interpret that as credit card fraud, as well. (Depending on where you stored it, and why...)

Just be cautious...


	Logged

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH

millwalll

Guest

Re: Disclosing web application issue

« Reply #5 on: April 02, 2012, 11:59:06 AM »

Yah that why I wanted to get some advice as didn't want put my two feet in it and end up getting into trouble for trying to be helpful.


	Logged

MaXe

Hero Member

Offline

Posts: 669

I've just upgraded myself to a cyborg muahahaa!!1

Re: Disclosing web application issue

« Reply #6 on: April 04, 2012, 12:40:42 PM »

I suggest you contact them in an officially looking e-mail where you point out that you haven't attacked them but rather observed how their website function and that the current structure is insecure. Make sure you point out you're doing it for free and that you're not selling any services. (Otherwise they might see it as blackmail, I've experienced that on a few occasions where I even stated it was free.)

Also, you can write to the webmaster or perhaps if they have a security department those as well, but usually you get the fastest response and activity via HR. When I've contacted administrators directly I've mostly been met with hatred or ignorance. In some cases my direct contact with e.g., the webmaster has been much appreciated though.

Some companies may take this as a personal insult or attack as well, so be prepared for whatever response they come up. Some will also say they're going to fix it, and then it won't get fixed, even a year after, and we're talking about quite serious vulnerabilities here too.


	Logged

I'm an InterN0T'er

Pages: [1] Go Up

« previous next »