To report, or not to report.

Post by whowhatwhere »

Somebody here has probably been in a situation in which they've found a security flaw in someone's program or website, and they've had this decision to make about whether they should report it. Generally, I would say it's a good thing to report these problems, but I've come to know first hand how computer-illiterate administrators handle security breaches. To make things concise, I've found a major flaw with a large and notable American clothing and merchandise website. It is hosted in the United States, and I don't feel like being extradited as some sort of electronic terrorist like the media services turned Gary McKinnon into.
Have you ever been in a similar situation? Should I report it to an administrator of the site?

Post by Combuster »

I had that with one of those Dutch eBay things... Someone found a leak and was spamming emails to pron from their address. Worst thing, the helpdesk consisted of computer-illiterate people :(
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie

Post by JohnnyTheDon »

Depends on how big it is. Unless it is a really big security issue, I don't think reporting it will result in anything serious (Gary McKinnon was searching for blank passwords on US military computers, not clothing store websites). But you never know with bureaucrats. I could imagine a manager covering up a security flaw by claiming that you hacked their site.

Most people will believe that the only reason you would ever look for a security hole is to exploit it. It just seems to be human nature. I remember on a video game I used to play (EVE) one guy found a security flaw and reported it to the development team. They promptly banned anyone who talked about the security flaw at all in the game (not exploiting it, just about its existence) and tried to press criminal charges against the guy for trying to help them out.

Post by whowhatwhere »

JohnnyTheDon wrote:Depends on how big it is. Unless it is a really big security issue, I don't think reporting it will result in anything serious (Gary McKinnon was searching for blank passwords on US military computers, not clothing store websites). But you never know with bureaucrats. I could imagine a manager covering up a security flaw by claiming that you hacked their site.

Most people will believe that the only reason you would ever look for a security hole is to exploit it. It just seems to be human nature. I remember on a video game I used to play (EVE) one guy found a security flaw and reported it to the development team. They promptly banned anyone who talked about the security flaw at all in the game (not exploiting it, just about its existence) and tried to press criminal charges against the guy for trying to help them out.
It's big. As in, capable of bringing down their entire chain of websites big.
As for what happened with EVE, well, I may know who you were talking about. I was in with the crowd who wrecked EVE, although I stuck to Q3-based games.

Post by JohnnyTheDon »

Well if it is Hollister, set it off :)

Otherwise I would keep quiet about that. Like I said, people don't like to admit they are wrong and they do like scapegoats.

[ot=EVE]
That was actually one of the things that turned me off to the game. They handled that security breach in the worst way possible. I half expected to see 'Big Brother is Watching' when I logged in one day XD
[/ot]

Post by nekros »

Now that's just moronic.
Working On:Bootloader, RWFS Image Program
Leviathan: http://leviathanv.googlecode.com
Kernel:Working on Design Doc

Post by whowhatwhere »

After some further investigation, the magnitude of the problems has grown almost exponentially. It appears they have absolutely no idea about SQL injection or database user privilege separation at all, and these problems extend to the corporate master site. I have a strong feeling that if I did report this I would become the scapegoat.
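The post above names two separate weaknesses, SQL injection and a database account with more rights than the web application needs. The following is an added example, not code from the thread or from the site being discussed, that shows the first one concretely: an injectable lookup beside its parameterised twin, run against a constructed in-memory SQLite database with made-up `products` and `staff` tables. The two payloads are the textbook ones: a tautology that bypasses the `visibility = 'public'` filter, and a `UNION` that reads a table the original query never mentioned. SQLite has no user accounts, so the privilege-separation half is not demonstrated in code; the point there is that even the vulnerable query could not have reached `staff` if the web application's database login only held `SELECT` on `products`.

```python
import sqlite3

# Constructed sample data for this demo; nothing here comes from the site
# discussed in the thread.
PRODUCTS = [
    (1, "hoodie", "public"),
    (2, "jeans", "public"),
    (3, "unreleased-sku", "internal"),
]
STAFF = [
    (1, "admin", "hash-of-admin-password"),  # placeholder string, not a real hash
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, visibility TEXT)")
    conn.execute("CREATE TABLE staff (id INTEGER, login TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", STAFF)
    return conn


def lookup_vulnerable(conn, name):
    # Injectable on purpose: the user-supplied name is spliced into the SQL
    # text, so a quote character in it changes the structure of the statement.
    sql = ("SELECT id, name FROM products "
           "WHERE visibility = 'public' AND name = '%s'" % name)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened: a bound parameter travels to the engine as data and can never
    # be parsed as SQL, whatever characters it contains.
    sql = ("SELECT id, name FROM products "
           "WHERE visibility = 'public' AND name = ?")
    return conn.execute(sql, (name,)).fetchall()


# The first payload turns the WHERE clause into a tautology (AND binds tighter
# than OR, so the visibility filter is simply OR-ed away). The second appends a
# UNION that pulls rows from another table; "--" comments out the trailing quote.
TAUTOLOGY = "x' OR '1'='1"
UNION_READ = "x' UNION SELECT id, password_hash FROM staff --"


def demo():
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "hoodie"),
        "normal_safe": lookup_safe(conn, "hoodie"),
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "union_vuln": lookup_vulnerable(conn, UNION_READ),
        "union_safe": lookup_safe(conn, UNION_READ),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the vulnerable lookup the tautology returns every product including the internal one, and the `UNION` payload returns the staff password hash; with the parameterised lookup both payloads return nothing, because the engine looks for a product literally named `x' OR '1'='1`.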

Post by 01000101 »

This reeks of script-kiddie.

If you found a problem, tell the admin so they can fix it.
If you're too afraid to do that, tell the admin anonymously.
If you're too afraid to even do that, get someone else to do it for you.

I've done this in the past, and I've never been "used as a scapegoat".

As long as you aren't an idiot about it or say things like "I was trying to hack away at your site and...", then it's all good. Admins have large egos, but they are that way because of their job; they would rather know about something that saves their job.

Post by whowhatwhere »

01000101 wrote:This reeks of script-kiddie.

If you found a problem, tell the admin so they can fix it.
If you're too afraid to do that, tell the admin anonymously.
If you're too afraid to even do that, get someone else to do it for you.

I've done this in the past, and I've never been "used as a scapegoat".

As long as you aren't an idiot about it or say things like "I was trying to hack away at your site and...", then it's all good. Admins have large egos, but they are that way because of their job; they would rather know about something that saves their job.
That might be possible if they actually had a way to contact the administrator, but I haven't found anything so far except to contact their 'corporate headquarters' at what appears to be a resume submission email. I'll keep looking, but unfortunately it doesn't look great. As far as I can tell the domain was designed as a build-to-ship package by a private contractor.

I have reported two similar things in the past. The first time I already knew the administrator in person, so things were fine. The problem started after his replacement took over; that time, however, I was not so lucky. The administrator's pride got in the way, so instead of fixing the problem I described in the emails I'd sent over a period of two months, he ignored them and let the problem sit. He didn't know anything about how to run the Debian server that he was in charge of, so when things went down the shitter on the network in question (which turned out to be completely unrelated) I was blamed because I was the only one who understood the problem, and the situation was blown so out of proportion with incomprehensible babble that his superiors were convinced I was at fault for every bit of computer downtime for the past five years across a 1400-mile radius.

Since then I've been fairly wary about who I talk to and what details I provide.

Post by nekros »

Once again, prideful shiz heads like that should burn in a pit of perpetual computer crashes with signs pointing at him saying "I'm the f***ing retard who screwed up". :evil: I am very easily angered by crap like this...

Post by whowhatwhere »

nekros wrote:Once again, prideful shiz heads like that should burn in a pit of perpetual computer crashes with signs pointing at him saying "I'm the f***ing retard who screwed up". :evil: I am very easily angered by crap like this...
Tell that to the server that is still running (surprisingly).

Highlights:
Generic accounts with the same password as username for some miscellaneous services.
All services on and publicly accessible, including ssh, mysql, ftpd.
Still runs 2.6.17-debian (vmsplice anyone?)
Uses ancient AFS/LDAP combo that doesn't support anything above single DES.
Uses DES for password hashing, as mentioned.
Doesn't use shadow passwords (userland was downgraded until ancient AFS would be happy.)
Nine-tenths of the passwords have the same hash.
Has a compiler and multiple utilities.
Has full PHP without any restrictions, as well as Apache userdirs.

He takes home over $100K Canadian to maintain the server (that figure includes taxes) and he doesn't know anything beyond ssh logins and 'locate'.
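Three of the items in that list (no shadow file, DES crypt hashes, nine-tenths of the accounts sharing one hash) can be read straight out of `/etc/passwd`, which is exactly why a world-readable password file is the problem. The following is an added example, not anything from the thread, of a small audit that does that. It runs over constructed passwd-style lines whose hash fields are placeholders in the right format rather than real hashes. It flags any hash stored in passwd rather than shadow, any legacy 13-character DES crypt hash (56-bit key, password truncated to 8 characters, cheap to brute-force), identical hash strings across accounts, and, as a generalisation of the "generic accounts" item, any system account that has a password set and an interactive shell. The username-equals-password check is left out because it needs `crypt(3)` to hash each candidate, and Python's `crypt` module is deprecated and removed in recent releases.

```python
import re
from collections import defaultdict

# Constructed /etc/passwd-style lines for the demo: the hash sits in the second
# field, i.e. this box is NOT using a shadow file. The hash values are
# placeholders that only imitate the format of real ones.
SAMPLE_PASSWD = """\
root:xySAMPLEdes01:0:0:root:/root:/bin/bash
alice:xySAMPLEdes01:1001:1001:Alice:/home/alice:/bin/bash
bob:xySAMPLEdes01:1002:1002:Bob:/home/bob:/bin/bash
carol:$6$constructedsalt$notarealhashnotarealhashnotarealhash:1003:1003:Carol:/home/carol:/bin/bash
ftp:zzSAMPLEdes02:101:101:ftp daemon:/srv/ftp:/bin/sh
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
"""

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format, e.g. $1$ (md5crypt), $5$ (sha256crypt), $6$ (sha512crypt).
MODULAR = re.compile(r"^\$([^$]+)\$")
# Field values meaning "no usable hash here" (shadowed or locked account).
LOCKED = {"x", "*", "!", "!!", ""}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it
        name, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "shell": shell})
    return entries


def classify_hash(pw):
    if pw in LOCKED:
        return "none"
    if DES_CRYPT.match(pw):
        return "des"
    m = MODULAR.match(pw)
    if m:
        return "modular-" + m.group(1)
    return "unknown"


def audit(text, system_uid_max=999):
    """Return (account, finding) pairs for the passwd text given."""
    findings = []
    by_hash = defaultdict(list)
    for e in parse_passwd(text):
        kind = classify_hash(e["pw"])
        if kind == "none":
            continue
        findings.append((e["name"], "hash stored in passwd, not shadow"))
        by_hash[e["pw"]].append(e["name"])
        if kind == "des":
            findings.append((e["name"], "legacy DES crypt hash"))
        if 0 < e["uid"] <= system_uid_max and e["shell"] not in NOLOGIN_SHELLS:
            findings.append((e["name"], "service account with password and login shell"))
    # An identical hash string means identical salt AND identical password.
    for names in by_hash.values():
        if len(names) > 1:
            findings.append((",".join(names), "identical hash: same salt and password"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
```

One caveat worth knowing when reading the "identical hash" finding: crypt salts the hash, so two accounts with the same password and different salts produce different strings. Large clusters of identical hashes therefore usually mean the accounts were provisioned by a script with a fixed salt and a fixed default password, which is a worse finding than nine users happening to pick the same password.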

Post by JackScott »

syntropy wrote:That might be possible if they actually had a way to contact the administrator, but I haven't found anything so far except to contact their 'corporate headquarters' at what appears to be a resume submission email. I'll keep looking, but unfortunately it doesn't look great. As far as I can tell the domain was designed as a build-to-ship package by a private contractor.
Have you tried running whois over the domain? Usually that gives you a technical contact you can either mail or email.

Incidentally, it's interesting how much information is found in DNS whois records. People who go to great lengths keeping private on their site, while their whois record tells me their home address, phone numbers, and so on.

Post by whowhatwhere »

JackScott wrote:
syntropy wrote:That might be possible if they actually had a way to contact the administrator, but I haven't found anything so far except to contact their 'corporate headquarters' at what appears to be a resume submission email. I'll keep looking, but unfortunately it doesn't look great. As far as I can tell the domain was designed as a build-to-ship package by a private contractor.
Have you tried running whois over the domain? Usually that gives you a technical contact you can either mail or email.

Incidentally, it's interesting how much information is found in DNS whois records. People who go to great lengths keeping private on their site, while their whois record tells me their home address, phone numbers, and so on.
After checking their site (which is almost entirely Flash-based, yuck), that was the next thing I tried. It has nothing conclusive at all.