I recently bought some digital goods from a website. I paid online via credit card and got access to a limited set of resources to download. While downloading those goods, I found that just by changing the query string parameter in the URL I could download other items that I had not purchased.
How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking, since the goods I did not pay for were downloaded to my machine while I was testing this vulnerability? I did not use them nor save them on my machine. I just discarded the download dialog box.
That said, I'd think they'd be happy that he reported this to them.
In general that is unlikely to be true.
One can suppose any number of corporate scenarios:
- Company bought the shopping cart software.
- Company contracts via another company for a shopping cart site.
- Large company with small in house development.
- Company which contracted custom site.
- Small company with large (compared to rest of company) development staff.
I suspect that only the last would be happy about it.
I've come across a similar issue in the past. I asked around in a few forums, trying to figure out how to go about informing them. I never did get a solid response though. It's a tricky topic, though I'd say a false e-mail account should suffice.
How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking, since the goods I did not pay for were downloaded to my machine while I was testing this vulnerability?
If I was the owner of the website I'd give you free downloads for life for showing me the vulnerability
“That which can be asserted without evidence, can be dismissed without evidence.”
Several years back I was on a jury; the defendant was charged with the distribution of marijuana.
Of the twelve jurors, 10 figured the defendant was guilty by reason of being charged, and were not moved by the overwhelming lack of evidence to support the charge, such as the lack of any audio or video showing the defendant selling to a police officer. The only evidence to prove the case was marijuana paraphernalia and a pound of uncleaned marijuana stored in the freezer, which the defendant claimed was for personal use.
Based on his after-trial statements, that pound of marijuana amounted to a month's supply, which is not entirely unreasonable. Smokers will store a carton of cigarettes in the freezer to maintain freshness.
When the only one of the two arresting officers who showed up for the trial was asked why an officer was not able to purchase marijuana from the defendant, the officer said "He was too good." In addition to this, the officer testified that, "based on his professional opinion, no one would have that much marijuana unless they were distributing it."
After the trial, the prosecuting attorney and the officer came into the jury room to question the jury as to why the defendant was found guilty of the lesser charge of possession, a misdemeanor, rather than the distribution charge, which carried a mandatory life sentence. I made the following statement: "That could be a good party." The officer responded: "If you could assume that, you could have found him guilty."
Not too many will miss the officer's assertion, but in case you did: the officer expected a guilty verdict not because of evidence presented, but because of assumptions made.
The other juror who saw the same lack of evidence as I did happened to be an attorney.
On the second day of deliberations, I told the jury straight out that I would not find the defendant guilty of distribution because there was no evidence to support the charge. Possession, however, was obvious.
This case should not have even gone to trial; it should have been pleaded out.
So sad to tell you, but if you end up with a jury of 12 unthinking people who believe that only guilty people get charged with crimes, you are going to jail.
How about posting an anonymous letter with the details about the vulnerability, maybe from a different state or something, so that there won't be a trace. I still don't recommend anonymous emails, because you never know; they can easily be traced through your IP address.
Thank you for the advice, Ranjan ... But after reading all the replies, I have come to the conclusion that honesty can get me killed... Why take chances? Let other people enjoy the free goods. Since those are digital goods, they will never run out of stock...
One option is to send your email via proxy. Not the internet kind but the classic kind. If you have a friend who lives out of state or, even better, out of the country, better yet a lawyer, just send your message to them and get them to copy and paste it into a new email, to trash the headers. That way your friend can honestly say it wasn't him, but that he is just informing them on behalf of another concerned friend of his/hers. This way your friend has absolutely no connection with the site (make sure they haven't purchased something from them before), and you are safe because your friend wouldn't tell them who you are ... even when they're pulling your friend's fingernails out.
This even seems to be a little much because, as was pointed out before, the website owner/developer will surely be happy someone pointed it out instead of posting the details online and costing them potentially thousands of dollars in lost sales.
I saw something similar on a beverage company's website once. You gave them a username and password to log in. Once you did, you saw &clientID=123 in the URL. By changing this you could see ANY of their other clients' information and place orders for them.
Does Bob in Connecticut need $1200 of french roast? Only one way to find out...
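Both the download bug in the original question and the &clientID=123 bug above are the same flaw: the server takes an identifier straight from the query string and never checks that the logged-in user is entitled to the object it names. The following is an added example, not code from this thread or from either website discussed; it is a minimal download handler written here to show the vulnerable pattern beside the fix. The user names, item ids and purchase records are constructed sample data, and download_vulnerable / download_fixed are hypothetical handler names.

```python
"""Added illustration of the URL-parameter authorization flaw discussed in the
thread.  Everything below (users, catalogue, purchases) is constructed sample
data; the handler names are hypothetical."""
from dataclasses import dataclass

# Constructed catalogue of digital goods: item id -> file bytes.
CATALOGUE = {
    101: b"%PDF-1.4 ebook-101 (constructed)",
    102: b"%PDF-1.4 ebook-102 (constructed)",
    103: b"ID3 audio-103 (constructed)",
}

# Constructed purchase records: user -> set of item ids that user paid for.
PURCHASES = {"alice": {101}, "bob": {102, 103}}

# Denied attempts land here so the site owner can actually see the probing.
AUDIT_LOG = []


@dataclass
class Response:
    status: int
    body: bytes = b""


def download_vulnerable(session_user, query):
    """The pattern the poster ran into: the id in the URL selects any item in
    the catalogue, and the logged-in user is only used to get past the login."""
    try:
        item_id = int(query.get("item", ""))
    except ValueError:
        return Response(400)
    data = CATALOGUE.get(item_id)
    if data is None:
        return Response(404)
    return Response(200, data)  # no check that session_user paid for item_id


def download_fixed(session_user, query):
    """The fix: resolve the id through the caller's own purchase record, so a
    client-controlled id can only ever select among items that user paid for."""
    try:
        item_id = int(query.get("item", ""))
    except ValueError:
        return Response(400)
    owned = PURCHASES.get(session_user, set())
    if item_id not in owned:
        # 404 rather than 403: the response should not confirm the item exists.
        AUDIT_LOG.append(("denied", session_user, item_id))
        return Response(404)
    data = CATALOGUE.get(item_id)
    if data is None:
        return Response(404)
    return Response(200, data)


def demo():
    """alice paid for 101 only; she asks for 102 through both handlers.
    Returns (vulnerable status, fixed status)."""
    q = {"item": "102"}
    return (download_vulnerable("alice", q).status,
            download_fixed("alice", q).status)


if __name__ == "__main__":
    print(demo())        # (200, 404)
    print(AUDIT_LOG)     # [('denied', 'alice', 102)]
```

The same shape applies to the clientID case: look the client record up via the authenticated account's own relationships, never via a bare id the browser sent. The audit entry matters for the site owner as much as the check does; a burst of denied lookups across sequential ids is exactly the "change the number and see what happens" probing described in the thread.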