Nice pick... It is possible... But I have not mentioned any reference to the site anywhere in my question or in the replies.
How about a good old-fashioned letter, as a concerned citizen? Preferably after obtaining some 'advice' from a local advice bureau, or a friendly lawyer, so that you have documentary evidence of being on the good side.
Sending an email is just more proof of misuse of your computer.
The last guy who did it was sued here in Brazil, but the case was dropped.
You'd be better off letting some authority in security know about it. I'm sure there are companies in your country who do penetration testing; they are your best bet.
You can also look on the website of the brand's developer: if it is a site developed by a consultant, they probably left their contact details at some point... The consultancy would surely be happy if you took the case to them and not to the customer.
I'm Brazilian and English (well, human languages in general) isn't my best skill, so sorry for my English. (If you want, we can speak in C# or VB.Net =p)
Just tell them.
If you get an ungrateful response, you can hammer the Hell out of them on message boards and by informing news sites/agencies.
I wanna be a eunuchs developer! Pass me a bread knife!
Seriously, I think people here worry about it too much.
Simply send them a friendly email, keep a copy of it so that if anything ensues you can prove you were acting in good faith.
The only problem I can foresee is if you already took advantage of it to download something.
Not sure what might happen. You never can tell.
A kid in Canada recently reported to the college he was attending that there was a flaw in their software that leaked personal information for all their students. He was expelled.
Oops... I should keep quiet then... better for me.
Actually, he was excluded after...
1. He reported the fault.
2. The college warned him not to carry on attempting.
3. He attempted to penetrate the system using industrial grade penetration software.
It was at this stage they felt it necessary to exclude him.
He also received various warnings following the college's formal exclusion procedures.
So, if you report it and they ask you not to carry on, best not.
The kid in question was probing a service which was making it possible for anybody to find out his personal details.
If, after being expelled for trying to break into the service a second time, he succeeded, I'd argue he has a strong case to sue the college for recklessly and carelessly handling his and thousands of other students' personal data. If I were him, I'd obviously talk to a lawyer.
Rob Grainger wrote: 2. The college warned him not to carry on attempting.
Could you post the link that says that?
Rob Grainger wrote: He also received various warnings following the college's formal exclusion procedures.
Could you post the link that says that?
Post the name of the site here [anonymously?].
One of us will volunteer to tell them.
Document your findings, but do not explain exactly how you discovered the vulnerability. If possible, contact the company via email and telephone. I would first attempt to contact them via phone and explain that you've discovered a security vulnerability on their website. If they appear to lack interest, tell them no more. If they appear genuinely concerned, explain what you found (again, though, not how you found it) and why it's a concern. If you're paranoid, call them from a phone you do not own and do not give them your personal information.
It's sad that people are prosecuted for trying to help. Here are some ideas.
1. Go to a cyber cafe.
2. Don't use your real name.
3. Change your computer name to something unrelated to your real identity.
4. Override your MAC address.
5. Connect to the cyber cafe internet.
6. Use a temporary email account.
7. Send the company an email and explain the problem. I would be honest about the steps you took to conceal your identity and the reason why you did it.
8. After the email, put everything on your computer back the way it was.
1. Put together a big document that includes screenshots and everything they need to know.
You could mention that a similar copy will be mailed to a news organization in X months if you think it warrants immediate attention. This case did not sound like it.
Fake-CC or really CC some government agency if appropriate.
2. Print the document.
3. Go to a very busy copy center, wear a hat and a fake mustache (wig if female), and make a copy (or three) of your printed document. Use (clean) salad tongs to remove the copies from the output tray and put them into the fingerprint-free mailer(s).
4. Use snail mail to mail the physical copies to the vendor.
5. Burn the originals.
6. Reformat the hard drive.
7. Change internet providers.
8. If they really do their job, you should expect a new charge on your credit card for the additional items you downloaded. (Good reason to always use gift cards with iffy shopping carts.)
They may not really care unless they catch someone else downloading all of their content and selling it on a different site.
My god... It's so scary... I am not a criminal to do all these things fluently. I don't want to do this and get caught for some silly mistake. Instead I will refrain from informing them... That's a million times easier...
Definitely do 1, 2 and 4. Item 3 is optional. You'd think that vendor would really like to know about the vulnerability. Really stupid (lazy) design if only a URL hack gets you to unauthorized content. The vendor should fire the web designer.
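The "URL hack" design flaw this post refers to, as an added defender's example that is not code from the thread or from the site being discussed: a Python sketch of the weak check (any logged-in user who knows or guesses a path gets the file) beside a per-user entitlement check and an HMAC-signed, expiring download URL. The key, the purchase table and the item names are constructed for the example.

```python
import hmac, hashlib, time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed for this example: a server-side key (never sent to clients) and
# a purchase table recording which user has paid for which item.
SECRET = b"constructed-demo-key-rotate-me"
PURCHASES = {"alice": {"clip-101"}, "bob": set()}

def item_from_path(path: str) -> str:
    return path.rsplit("/", 1)[-1].removesuffix(".mp4")

def weak_authorize(path: str, user: str) -> bool:
    """The lazy design from the thread: any logged-in user who can guess
    /downloads/<item> gets the file; the purchase table is never consulted."""
    return user in PURCHASES and path.startswith("/downloads/")

def strong_authorize(path: str, user: str) -> bool:
    """Hardened: the item named in the URL must be in this user's entitlements."""
    return item_from_path(path) in PURCHASES.get(user, set())

def _mac(user: str, item: str, exp: int) -> str:
    msg = f"{user}|{item}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def signed_download_url(user: str, item: str, ttl: int = 300, now=None) -> str:
    """Issue a short-lived URL only after checking entitlement; the MAC binds
    user, item and expiry together so none of them can be edited client-side."""
    if item not in PURCHASES.get(user, set()):
        raise PermissionError("not purchased")
    exp = (now if now is not None else int(time.time())) + ttl
    q = urlencode({"u": user, "exp": exp, "sig": _mac(user, item, exp)})
    return f"/downloads/{item}.mp4?{q}"

def verify_download_url(url: str, now=None) -> bool:
    """Server-side check for a signed URL: well-formed, unexpired, MAC valid
    under constant-time comparison, and the user is still entitled."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        user, exp, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    item = item_from_path(parsed.path)
    if (now if now is not None else int(time.time())) > exp:
        return False
    if not hmac.compare_digest(sig, _mac(user, item, exp)):
        return False
    return item in PURCHASES.get(user, set())
```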
How about a phone call? From a land line.
Don't say what you did or didn't do; just tell someone it *looks* vulnerable and why, and to pass along the message to whoever might care.
I have done this several times, notifying people of SQL injection vulnerabilities and so on. In one case, it was with a desktop app - their "create a chat room" portion of the app allowed SQL injection. They were happy that I notified them in that case. In the case of a few web sites, I never heard anything back from them but the email didn't bounce. I think you could defend this behavior in court IF you didn't take advantage of the vulnerability.
Which porn site was it?? *readies pen*
Michael J. Collins
Web Application Programmer
Testing a website's defences without their permission doesn't benefit you in any way and can only harm you. If I were you, I'd just forget I ever figured this out. If they came after me, I'd make them prove I actually stole anything, which, since you didn't, they'd be hard-pressed to prove.
Just don't do it again to anybody and you should be fine.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
Thank you for the advice... My 5... I will follow your advice... It's the most beneficial for me.
I have two solutions for you.
First, be partially honest. Email them and inform them that you have found a hole in their website that allows free downloads of their material. DO NOT tell them that you have already done this. Tell them you can point this out for them but you want indemnity. Then, once they agree, point out the flaw and what you did.
If that sounds a bit too complex and time-consuming, my next suggestion is to take the Darwinism approach.
Post the vulnerability on some less than reputable sites and let nature take its course. Either they will find the hole themselves and fix it, or lose so much revenue that they will have to shut up shop.