I recently bought some digital goods from a website. I paid online via credit card and got access to limited resources to be downloaded. While downloading those goods, I found that just by changing the query string parameter in the URL I can download other items that I have not purchased.
How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking, since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability? I neither used them nor saved them on my machine. I just discarded the download dialog box.
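What the poster describes is a missing server-side authorization check on the download endpoint: the item id in the query string is trusted as proof of purchase. The following is an added illustration, not code from the site in question or from anyone in this thread. It simulates the endpoint with a constructed catalogue and purchase table, shows the broken handler beside a fixed one that checks the caller's own entitlements, and writes denials to an audit log, because a run of denied ids from one account is the signal a site operator would want to alert on. All names, data and the log format are assumptions made for the example.

```python
"""Added example: the authorization gap described in the post, next to a fixed
handler. Everything here (users, items, log format) is constructed data."""
from dataclasses import dataclass
from typing import Optional

# Constructed catalogue and purchase records (hypothetical data).
CATALOGUE = {
    "101": "ebook-intro.pdf",
    "102": "ebook-advanced.pdf",
    "103": "video-course.zip",
}
PURCHASES = {
    "alice": {"101"},          # alice paid for item 101 only
    "bob": {"102", "103"},
}


@dataclass
class Request:
    user: Optional[str]        # authenticated user, None if anonymous
    query: dict                # parsed query string, e.g. {"item": "101"}


@dataclass
class Response:
    status: int
    body: str = ""


AUDIT_LOG = []


def vulnerable_download(req: Request) -> Response:
    """Insecure direct object reference: any logged-in user can fetch any item.
    The only check is that the caller is logged in; the id is trusted as-is."""
    if req.user is None:
        return Response(401, "login required")
    item = req.query.get("item")
    if item not in CATALOGUE:
        return Response(404, "no such item")
    return Response(200, CATALOGUE[item])   # ownership is never checked


def secure_download(req: Request) -> Response:
    """Same endpoint with a server-side entitlement check and audit logging."""
    if req.user is None:
        return Response(401, "login required")
    item = req.query.get("item")
    owned = PURCHASES.get(req.user, set())
    if item not in CATALOGUE or item not in owned:
        # Same 404 whether the id is unknown or merely not owned, so the
        # response does not reveal which ids exist. Log the denial: repeated
        # denials from one account are what a detection rule should flag.
        AUDIT_LOG.append(f"DENY user={req.user} item={item!r}")
        return Response(404, "no such item")
    AUDIT_LOG.append(f"ALLOW user={req.user} item={item}")
    return Response(200, CATALOGUE[item])


def demo():
    """Replay the post's scenario: alice edits ?item=101 to ?item=102.
    Returns the status codes from the vulnerable and the fixed handler."""
    edited = Request(user="alice", query={"item": "102"})
    return vulnerable_download(edited).status, secure_download(edited).status


if __name__ == "__main__":
    print(demo())  # (200, 404)
    for line in AUDIT_LOG:
        print(line)
```

The essential change is that the fixed handler derives the set of downloadable ids from the authenticated session rather than from the request, so editing the query string cannot widen access. Handing out per-purchase opaque tokens instead of sequential ids is a common additional measure, but it is a convenience rather than a substitute for the ownership check shown here.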
If you're worried about potential repercussions, and you have acted in good faith, I would suggest that you just create a one-off email account and then send them the details.
Upvoted!
In some cases, my signature will be longer than my message...
ProgramFOX
Well they could still track his IP address. That said I'd think they'd be happy that he reported this to them.
I hesitated to mention that if he was so paranoid about it, he could visit a cyber-cafe to send the message.
What about the fingerprints he is going to leave behind? I would suggest altering his fingers with an acid before that.
There is only one Vera Farmiga and Salma Hayek is her prophet!
Advertise here – minimum three posts per day are guaranteed.
And shaving his body so he doesn't leave hair behind; wouldn't want trace DNA coming back and biting him. Oh, and while he's at it, he should wear a mask to thwart video surveillance.
A mask will be highly suspicious; someone could call the authorities. A little face surgery, or a temporary sex change, would be more appropriate given the circumstances.
There is only one Vera Farmiga and Salma Hayek is her prophet!
Advertise here – minimum three posts per day are guaranteed.
Or heavy, professional make-up.
Deyan Georgiev wrote: I would suggest altering his fingers with an acid before that.
After, surely!
Nish Sivakumar wrote: That said I'd think they'd be happy that he reported this to them.
In general that is unlikely to be true.
One can suppose any number of corporate scenarios:
- Company bought the shopping cart software.
- Company contracts via another company for a shopping cart site.
- Large company with small in house development.
- Company which contracted custom site.
- Small company with large (compared to rest of company) development staff.
I suspect that only the last would be happy about it.
I think you should post the details on here first so we can all get what we want, and maybe report it in a week's time.
I will download other document.
I've come across a similar issue in the past. I asked around in a few forums, trying to figure out how to go about informing them. I never did get a solid response though. It's a tricky topic, though I'd say a false e-mail account should suffice.
djj55: Nice but may have a permission problem
Pete O'Hanlon: He has my permission to run it.
If I wanted to tell them (and I wouldn't) I would just send an email to whatever contact I had. If you have screenshots, so much the better.
aspnet_regiis -i wrote: How can I inform the website owners about this vulnerability? Will the website owner charge me with the offense of hacking since the goods I did not pay for were downloaded on my machine when I was testing this vulnerability?
If I was the owner of the website I'd give you free downloads for life for showing me the vulnerability.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
I wish I remembered the article I read a few weeks (months) back. Basically, it was about a guy being charged for hacking because he changed the URL parameters when he visited a site.
So, be careful with your decision.
The laws are so strict and the punishments are so harsh now (e.g. Aaron Swartz) that I am even afraid to post anything on the web.
Oh my God... Did I make a mistake by posting this? Should I remove it...?
Don't be afraid of being sued. Just be anonymous in your dealings.
Tor Mail can help you, as it is untraceable.
http://tormail.org/
I am signature, hear me roar.
You can be charged for anything; getting convicted would hopefully be impossible for such a scenario!
Several years back I was on a jury; the defendant was charged with the distribution of marijuana.
Of the twelve jurors, 10 figured the defendant was guilty by reason of being charged, and were not moved by the overwhelming lack of evidence to support the charge, such as the lack of audio or video that demonstrated the defendant selling to a police officer. The only evidence to prove the case was marijuana paraphernalia, and a pound of uncleaned marijuana stored in the freezer which the defendant claimed to be for personal use.
Based on his after-trial statements, that pound of marijuana amounted to a month's supply, which is not entirely unreasonable. Smokers will store a carton of cigarettes in the freezer to maintain freshness.
When the only one of the two arresting officers who showed up for the trial was asked why an officer was not able to purchase marijuana from the defendant, the officer said "He was too good." In addition to this, the officer testified that, "based on his professional opinion, no one would have that much marijuana unless they were distributing it."
After the trial, the prosecuting attorney and the officer came into the jury room to question the jury as to why the defendant was found guilty of the lesser charge of possession, a misdemeanor, rather than the distribution charge, which carried a mandatory life sentence. I made the following statement: "That could be a good party." The officer responded: "If you could assume that, you could have found him guilty."
Not too many will miss the officer's assertion, but in case you did: the officer expected a guilty verdict not because of evidence presented, but because of assumptions made.
The other juror who saw the same lack of evidence as I did happened to be an attorney.
On the second day of deliberations, I told the jury straight out that I would not find the defendant guilty of distribution because there was no evidence to support the charge. Possession, however, was obvious.
This case should not have even gone to trial; it should have been pleaded out.
So sad to tell you, but if you end up with a jury of 12 unthinking people who believe that only guilty people get charged with crimes, you are going to jail.
This? Somewhat similar to what you're talking about.
How about posting an anonymous letter with the details about the vulnerability, maybe from a different state or something, so that there won't be a trace. I still don't recommend anonymous emails, because you never know; that can easily be traced through your IP address.
Thanks,
Ranjan.D