I recently bought some digital goods from a website. I paid online via credit card and got access to a limited set of resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased.
How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking, since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability? I did not use them, nor save them on my machine. I just discarded the download dialog box.
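As an added illustration (not the poster's code and not the shop's software), this shows the server-side defect described above and the fix a site owner would apply: the download handler has to check the requesting account's own purchase records instead of trusting the item id in the query string. The URL, account names and item data are constructed.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample data: which downloadable items each paying customer owns,
# and the files themselves (stand-ins for the real storage backend).
PURCHASES = {
    "alice": {"item-101", "item-102"},
    "bob": {"item-201"},
}
FILES = {"item-101": b"ebook-1", "item-102": b"ebook-2", "item-201": b"audio-1"}

# Denied requests are recorded so operators can spot id-guessing in the logs.
DENIED = []


def item_id_from_url(url: str) -> Optional[str]:
    """Extract the ?item=... query parameter that the download link carries."""
    values = parse_qs(urlparse(url).query).get("item")
    return values[0] if values else None


def vulnerable_download(url: str, user: str) -> Optional[bytes]:
    """Before: the handler trusts the client-supplied id, so any logged-in
    customer can fetch any item just by editing the query string."""
    return FILES.get(item_id_from_url(url))


def hardened_download(url: str, user: str) -> Optional[bytes]:
    """After: the server consults its own purchase records for this account
    before serving anything. The client-controlled id is only a lookup key."""
    item_id = item_id_from_url(url)
    if item_id is None or item_id not in PURCHASES.get(user, set()):
        DENIED.append((user, item_id))
        return None  # a real handler would answer 403/404 without hinting whether the id exists
    return FILES.get(item_id)
```

Note that the check is keyed on the authenticated session's user, never on anything the client sends, and that a denied request is logged rather than silently ignored.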
That said, I'd think they'd be happy that he reported this to them.
In general that is unlikely to be true.
One can suppose any number of corporate scenarios:
- Company bought the shopping cart software.
- Company contracts via another company for a shopping cart site.
- Large company with small in house development.
- Company which contracted custom site.
- Small company with large (compared to rest of company) development staff.
I suspect that only the last would be happy about it.
I've come across a similar issue in the past. I asked around in a few forums, trying to figure out how to go about informing them. I never did get a solid response though. It's a tricky topic, though I'd say a false e-mail account should suffice.
How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking, since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability?
If I were the owner of the website I'd give you free downloads for life for showing me the vulnerability.