Is it possible to legally benefit from discovered exploit?
CuriousOne
Say there's a certain online store, a huge store. Say I've found out how to view the contents of other people's carts and their contact & transaction info (no CC or PP data). If I just inform the store about this problem, what I'll get is a thank you, which I believe is not worth the effort I spent discovering this exploit. On the other hand, I surely could sell this exploit to criminals (have no idea how), but I'm not going that way anyway. So what would you suggest I do?
Comments
There is also the negative reaction. "You found it, now we are screwed, so it's YOUR fault..." lawsuit city.
I would research them to see what kind of people they are. From there, decide whether to straight up inform them with a request for a response on their part. Or submit anonymously... maybe send it to a major tech publication? Ars Technica would very likely just act on that kind of thing, and they would be more insulated too, as well as more noted.
Now that I think about it, I would go the journalist route.
I wouldn't sell it to criminals, making it pretty worthless. It would be about properly notifying the right people and having them address it more than it would be anything else.
Let's say you have found a security issue with their store.
That probably means you have tested the exploit, at least once.
That could be construed as breaking into their store. You have hacked them.
Expect a visit from the FBI shortly.
People have gotten into hot water over this kind of thing. Sadly I can't think of any links to such stories just now.
This dilemma is highly likely to be driving the payment programs some entities have put out there.
What you have done is somewhat equivalent to spending a lot of time and effort trying all the doors and windows on my house (or shop or factory...) until you found one that you can gain entry with, perhaps also disabling my alarms whilst you are at it.
Not only that, you did enter.
Having broken into my property, you make matters worse by demanding money from me before you tell me where the problem is.
We all live in typical houses, and, worried about security, I've spent many hours discovering possible flaws which would allow anyone to enter my house without my consent. So what should I do? Go out to the street and start shouting "peeps, your homes are insecure", or contact the contractor who built all these houses to fix the flaw?
I had a similar situation when the internet was new, and found a way to change someone's web page content.... Just to confirm my findings, I bet a coworker that I could change the wording on his personal web page. After testing/proving my point with him, I reported it to the internet provider I was using at the time and they promptly fixed the problem. ... Turns out the permissions were not being set correctly, and once you logged into your account with a valid username and password, you could back-URL your way into any other account.
My advice, just be honest about your findings and don't follow the temptation of any monetary gain, that will just create trouble.
About the only way to protect yourself is to have an attorney approach them, but even then it is likely to leave the wrong impression and be costly.
Or just report that your own account is not secure and leave it at that.
Do you mind sharing which vulnerability you found? Did you use penetration tools, crawlers, proxies, and such? Or did ya do it the old-fashioned way?
BTW, there's no such thing as a secure site. There are only levels of protection.
Be careful.
Duane J
I'm sorry, but the comparison does NOT work.
This is akin to renting a room or something, and getting a key to access that service
(for a steroid house, maybe... )
and then finding out that if you file a bit on it, you can use someone else's locker instead of your own.
Or making unauthorized copies of the key. Sure, it only opens YOUR locker, but is it really your locker, or the studio's?
Generally, there are a couple of rules to remember when investigating security flaws:
1. Don't!
2. Not even if it's your account.
3. Yes, even so...
If you believe there's a security issue on a site you're using, write down any information you have on it, clearly and concisely, and explain why you THINK it may be an issue.
If you don't hear back within a reasonable time, it's OK to send another message, but don't send daily floods...
If you don't get an answer to your follow-up or they deny there's a problem, then you may drop a hint to the relevant news sites.
But whatever you do, DO NOT attempt to test this out yourself.
Without explicit permission from the site owner, it's likely to introduce you to some humourless people in cheap suits.
We can argue about analogies all day. None of them are very good; that's the way of analogies.
My point really is just a warning to be careful because historically many people have gotten into expensive legal trouble with this sort of thing. I hope someone can link to a story or two for you eventually.
Fortunately, attitudes have changed for the good in some quarters recently. Some companies have realized that perhaps it's a better idea to fix security issues than to start suing the people who tell them, or the world, about them.
To this end, we have recently started to see companies offering rewards for information on exploits.
If nothing else, if it's a really good and clever hack, you could give a presentation about it at DEF CON this year and become a famous rock star hacker.
I presume that you consider your skill set worth getting paid for such things, but you don't have the protection of a professional firm behind you.
This chat may lead you to finding a right way to get on a safe and sane career track rather than off in the weeds of self-promotion.
http://www.dagbladet.no/2014/01/06/nyheter/nullctrl/shodan/english/english_versions/30861347/
Basically, two ordinary journalists (no geek superpowers at all) using Shodan to sniff out unsecured systems...
And the stuff they found is rather scary.
A. Never leave a computer on when I don't need to use it; especially when connected to the internet.
B. Keep my internet accounts with sensitive information to a bare minimum -- less than six, preferably less than three.
I don't even have an ATM card with any of my banks, as I strongly distrust them. The ones in Taiwan frequently failed to issue cash, and you were left with a merry chase to get the bank to correct the fault. My mother's in the USA had nearly $100,000 USD absconded through it (likely by other members of my own family), and the bank refused to acknowledge any responsibility.
I simply prefer face-to-face monetary transactions as a means of keeping honest people honest.
Assume whatever you say or post on the internet can and will be used against you. Assume your public behavior is being photographed. That is just today's world.
This is what you are up against:
http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/
http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html
http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/
Be careful.
If you're still stuck on what to do with your discovery, allow me to put you in contact with a friend who also could give you some proper, earnest advice in a personal fashion where you could ask all kinds of questions you may not want to post here on the forums. From our prior DEFCON experience with the Propeller badge I became acquainted with a few very helpful people, and the one I'm thinking of would certainly talk to you in confidence at my request. I've known him for 15 years and would place my trust in his opinion.
Ken Gracey
And look at Ken wearing a nice, spiffy new banner.
Thanks potatohead. [Autocorrect likes to turn your name into two words]. Big things are about to happen this year and we appreciate your support.
Yeah, I think you are onto something very cool here Ken.
The old bait-and-switch. This type of scam/con is pulled off by so many types of "companies" and criminals alike. Reminds me of a Ponzi Scheme I read about some years back about a guy in Florida. Sadly I cannot recall it (the story) as it was just a random thing in the news some time ago.
CuriousOne,
BTW, I did give my friend a heads up as far as putting you in contact with him, and he said absolutely .... So if you would like to pursue that option, just email me your info and I will forward that to him.
DC405 info for anyone else that might have a question but is too afraid to ask. All of the guys at DC405 are very friendly and knowledgeable.
http://www.dc405.org/
http://www.youtube.com/watch?v=bC-bYbUUr4U
Everything depends on what you did to achieve the result. I would imagine if the question of legality comes up you may have done something questionable. If that is the case, it's a gamble on what will happen. Personally, I'd tell them anonymously and walk away.
Here is some reading material, broken down by state - http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx
As mentioned earlier, be careful. Regardless of the laws, it really boils down to how "they" are going to deal with what you discovered. Catch someone in bad mood on the wrong day and it's a felony.
The best way to approach the situation is contact them and ask if you can try to hack their site. If they give you permission, wait a couple days and share your findings. If they do not, forget about it, it's not your problem.
Many keep history files of addresses pinging their system. (Or what ever it's called.)
Duane J
That is true.
I am banking on them trying to parse a huge log to look for something when they don't know what they're looking for. Forget it if they're running SQL or IIS; chances are the log only goes back a couple of days and is nowhere near verbose enough to track you down. They might have a syslog server full of SNMP events at the gateway, if you're poking around there, but same deal: even after you filter out all the Smile coming from other countries, you're looking at a ton of data.
If there was intrusion detection that he set off it would have blocked his IP and notified his ISP by now I would guess.
OK, regarding the "exploit", how I found it.
First of all, I'm not a "security expert", "hacker" or whatsoever. My programming skills are quite limited (as you can see from my other posts), but I have a background of working for 30 years in the IT industry, so I know and understand how many things work here. Previously, I discovered several bugs in Windows 2000, which I sent to MS and they fixed in SP3 for Windows 2000. So far, this is my contribution to exploiting and so on.
I'm doing some kind of datalogger, using a BS2, which will send data to a PC. I have the Parallax memory stick datalogger up and running, but it is expensive, so for testing purposes I've taken a USB numeric keypad and wired it to the BS2 in such a way that the Stamp will send keypresses to the PC, where the software, written in VB, will capture the keypresses and build a graph/save a file according to them.
One day, I was browsing that site and decided to sort out my wish list, which had become very huge, so I decided to make several new ones, sorted by theme. I had turned off the datalogger software previously, but forgot to power down the datalogger hardware itself. So, when entering a name for the wish list, two things happened: I accidentally pressed the ALT key, and the datalogger software sent in some keypresses. Which visually showed up as certain weird characters in the wish list name. Just out of curiosity, I pressed OK to see if the system would accept these strange symbols as a name; it accepted. Considering it a funny thing, I started moving items from the other wish list to this one, but when entering it again, I saw that I was seeing items in the wish list that aren't mine! From my understanding, this is some kind of Unicode character parsing bug.
Regarding what I'm going to do, I haven't decided yet, since I've had no time to think a lot about it. Later this month maybe I'll come up with a decision.
(Wondering if the system will accept a 'weird' name on a list, that is)
I would have explained to the site owners what happened, and what you think is going on. Be specific.
Don't do anything with the list, though. Don't try to rename it, add to it, remove items from it, or heavens forbid, delete it.
There's no way of telling what will happen to your or other users' accounts...