Major security flaw on a web site

logical muse (joined Oct 24, 2005; 2,050 messages)
I recently discovered that a particular web site has a deeply flawed security system, allowing anybody to log in as any of the registered members without using a password.

Once logged in, not only are you able to access and modify all of that member's information, and in fact perform all the functions on the site as that member, you can also see their email address and the password for this particular web site.

Now, it gets worse (or better, depending on your evil-threshold). A lot of people use the same password for all their accounts, so in many cases you can log in to their email accounts using the password for the site under discussion.

Once in their email account, well, you can get to their myspace, facebook, ebay, paypal, photobucket, and everything else.

This is bad, right?

So I emailed the web site, using their contact email address. I offered to help fix their security. It's something I know how to do. They didn't respond.

In the last few weeks I've emailed them at every email address of theirs I could find. Still no response.

In the meantime, I wrote a script to trawl through all their member accounts, retrieving email addresses and passwords. I don't believe this is illegal, as the pages for these accounts are accessible by simply typing this into the address bar of your browser:

thedodgysiteinquestion.com/login.php?accountnumber=1

Change the account number and you are logged in to a different account. This is a publicly accessible URL, so I think I'm legally entitled to view the page(s) it links to.

I really want to fix this security flaw, but the site owners are ignoring me.

Any suggestions? I've thought of emailing some, or all, of the members, explaining exactly how I got their email addresses and urging them to take it up with the site owners. Do you think that's a reasonable approach?

eta: I should add that the site owners have been aware of this problem since last year, and have done nothing to fix it.
 
Last edited:
The 'normal' procedure for white hat hackers is this:

You warn them twice, stating in the first warning that when they ignore the second warning you will publish the details because the public needs to know.

After the second warning you give them a week or two to fix it.

If they do not fix it, you publish everything you know about the security leak.

Do not go mending anything yourself.
 
I've thought of emailing some, or all, of the members, explaining exactly how I got their email addresses and urging them to take it up with the site owners. Do you think that's a reasonable approach?

Too right.
 
The 'normal' procedure for white hat hackers is this:

You warn them twice, stating in the first warning that when they ignore the second warning you will publish the details because the public needs to know.

After the second warning you give them a week or two to fix it.

If they do not fix it, you publish everything you know about the security leak.

Do not go mending anything yourself.

That sounds fair, but I don't want to publish the details.

It would mean that you and everyone else will be able to access the member accounts on that site, potentially causing harm to those members.
 
I have no idea if the following would be legal, but as a user I would be okay with it I guess:

run a script that goes through all the member accounts and
a) e-mails or better yet, PNs each member and informs them of what is going on and
b) simply changes their password.

Members can usually have their password reset through their e-mail, so you would be doing no long-term harm to anyone and everybody would be aware of the problem. (And you don't even need to spell out the details, either. Just tell them that the site allows you to read all passwords without explaining how.)
 
I have no idea if the following would be legal, but as a user I would be okay with it I guess:

run a script that goes through all the member accounts and
a) e-mails or better yet, PNs each member and informs them of what is going on and
b) simply changes their password.

Members can usually have their password reset through their e-mail, so you would be doing no long-term harm to anyone and everybody would be aware of the problem. (And you don't even need to spell out the details, either. Just tell them that the site allows you to read all passwords without explaining how.)

But changing their password makes no odds. The OP claims you can log in without a password.
Oh wait, you mean to stop people logging into their other accounts?

Edit: I agree with RP. Send a final warning and then email all users you have ripped details for, warning them that there is a security flaw in the site and that they should cancel their account / change their password.
 
Last edited:
This reminds me of when I was browsing a site that supplies weird and wonderful alcoholic beverages (like "proper" Absinthe). I clicked on one of the product pages and was greeted with an ASP error stating that there was a problem opening /Database/SiteName.mdb. Out of curiosity I entered the path into the browser and lo and behold I downloaded their entire product catalog, customer database, and order history.

I contacted them stating that in the short term they should move their Access database out of the webroot, and in the long term move to an RDBMS like SQL Server or MySQL. They fixed the problem immediately and sent me a free bottle of expensive absinthe :D
 
He has already warned them several times; pull the plug ASAP. Every day that goes by there is a chance that someone else will take advantage of the situation. This business deserves to go down in flames, but not the users.
 
Does anyone have experience with this? I think what I should do is email the members to tell them, but I don't want it to come back to me in case I have violated the DMCA or anything.

I don't think I've done anything illegal, but who knows?
 
Do not download any details of the user accounts, passwords etc., and do not change anything. Although you will be very unlikely to face any police or civil action for doing so, it is very likely to be against the law to access information you have no right to access (varies a lot from country to country as to the exact offense).

Think about it this way - you see a house that has been left unlocked; do you have a right to enter that house to "secure" it on the owner's behalf?
 
What surprises me is that you can see passwords. Aren't they supposed to be encrypted somewhere so that even the admins can't retrieve them? Or are we talking about some really old forum software?
 
Following up on Darat... his example is correct.

The reason why ethical hackers/white hats work with publishing details, no matter how bad it is for the users, is that this is the only legally safe way.

Dodgy site has an obligation to their users.

If I or anyone else compromises their site because of information they already possessed, it is severe 'neglect'.

Make sure that they know it is your intent to publish your information and that when you do you will point at them in a 'severe neglect' case (not sure about English words there).

But before you do, make 100% sure that you have any and all communications on this, so that you have proof that they knew about this problem.

Again, do not go vigilante and talk to the users or fix it for them; you will get in all sorts of legal trouble.

I know, it sometimes feels really bad that the users will suffer, but think about it this way:

- If you can figure this out, so can someone else.
- Someone else might not go public but scam the users.
- Because no action is taken and nobody is aware of it, that goes on for years.
 
Do not download any details of the user accounts, passwords etc., and do not change anything. Although you will be very unlikely to face any police or civil action for doing so, it is very likely to be against the law to access information you have no right to access (varies a lot from country to country as to the exact offense).

Think about it this way - you see a house that has been left unlocked; do you have a right to enter that house to "secure" it on the owner's behalf?

Yeah, this is something I'm not entirely sure about. Although I have no "right" to the information, it's on pages that are accessible via a URL you can type into your address bar. No hacking. Google can find it and index it, so with the right search terms it will appear in the Google results.

I can't secure the site without the site owner's permission and authorisation, as I don't have access to the code. When I said in the OP that "I can fix it" or words to that effect, I meant that I know how to build secure web sites, as do many other people on this forum. I want them to give me the contract to fix it! :)
 
What surprises me is that you can see passwords. Aren't they supposed to be encrypted somewhere so that even the admins can't retrieve them? Or are we talking about some really old forum software?
It's not a forum. It appears to be a bespoke web application. The person or persons who developed it obviously had no clue about security.
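As an added illustration that is not the site's code, the OP's script, or anything posted in this thread: the first handler below mirrors the pattern the OP describes (an account number in the URL selects the logged-in identity, and the account page exposes a plaintext password), and the two handlers after it show the defensive shape that answers the question above about why even admins should not be able to read passwords: identity comes only from a server-side session issued after a password check, and only a salted PBKDF2 hash is ever stored. The user store, account, email and password are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample data; stands in for the vulnerable site's member table.
USERS_PLAINTEXT = {1: {"email": "alice@example.com", "password": "hunter2"}}

def vulnerable_account_page(query):
    """Broken pattern: ?accountnumber=N picks the identity, no credential is checked,
    and the record handed back contains the plaintext password."""
    acct = int(query["accountnumber"])
    return USERS_PLAINTEXT[acct]

# Hardened storage and session handling (hypothetical names, in-memory for the demo).
USERS_HASHED = {}
SESSIONS = {}

def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the salt is generated fresh unless one is supplied for verification."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def register(acct, email, password):
    salt, iterations, digest = hash_password(password)
    USERS_HASHED[acct] = {"email": email, "salt": salt, "iter": iterations, "hash": digest}

def login(email, password):
    """Returns a random session token only after the password verifies; None otherwise."""
    for acct, rec in USERS_HASHED.items():
        if rec["email"] == email:
            _, _, digest = hash_password(password, rec["salt"], rec["iter"])
            if hmac.compare_digest(digest, rec["hash"]):
                token = secrets.token_urlsafe(32)
                SESSIONS[token] = acct
                return token
    return None

def account_page(token, query=None):
    """Identity comes from the server-side session; any accountnumber in the query is ignored,
    and neither the password nor its hash is ever returned."""
    acct = SESSIONS.get(token)
    if acct is None:
        return None
    rec = USERS_HASHED[acct]
    return {"account": acct, "email": rec["email"]}
```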
 
Following up on Darat... his example is correct.

The reason why ethical hackers/white hats work with publishing details, no matter how bad it is for the users, is that this is the only legally safe way.

Dodgy site has an obligation to their users.

If I or anyone else compromises their site because of information they already possessed, it is severe 'neglect'.

Make sure that they know it is your intent to publish your information and that when you do you will point at them in a 'severe neglect' case (not sure about English words there).

But before you do, make 100% sure that you have any and all communications on this, so that you have proof that they knew about this problem.

Again, do not go vigilante and talk to the users or fix it for them; you will get in all sorts of legal trouble.

I know, it sometimes feels really bad that the users will suffer, but think about it this way:

- If you can figure this out, so can someone else.
- Someone else might not go public but scam the users.
- Because no action is taken and nobody is aware of it, that goes on for years.

I'm going to have to think about this. It could cause a lot of harm if I publish the details.
 
So I emailed the web site, using their contact email address. I offered to help fix their security. It's something I know how to do. They didn't respond.
It was nice of you to inform the site's owner of the security problem. It was a bit inappropriate to offer your services at the same time.

In the meantime, I wrote a script to trawl through all their member accounts, retrieving email addresses and passwords. I don't believe this is illegal, as the pages for these accounts are accessible by simply typing this into the address bar of your browser:

thedodgysiteinquestion.com/login.php?accountnumber=1

Change the account number and you are logged in to a different account. This is a publicly accessible URL, so I think I'm legally entitled to view the page(s) it links to.
You think it's legal? Of course it isn't. The fact that you can exploit a vulnerability just by playing with the address bar doesn't change jack to that. You do that and then you offer to help the owners out? That's pretty... amateurish (sorry).

I really want to fix this security flaw, but the site owners are ignoring me.
I would ignore you too. Why do you want to help this guy so much anyway? Do you have an interest in the site you mentioned?
 
To be fair, if I stumbled across that, I'd notify them too and offer to help (although it'd be free advice).

Unsecured programs just bug me.
It's just that from the point of view of the site owner, this sounds dangerously close to a scam. Is there a real security problem or is this guy who keeps bugging me by email just trying to get some money from me? Security professionals don't act that way (and that's not an attack on the OP - just an observation).
 
It was nice of you to inform the site's owner of the security problem. It was a bit inappropriate to offer your services at the same time.


You think it's legal? Of course it isn't. The fact that you can exploit a vulnerability just by playing with the address bar doesn't change jack to that. You do that and then you offer to help the owners out? That's pretty... amateurish (sorry).


I would ignore you too. Why do you want to help this guy so much anyway? Do you have an interest in the site you mentioned?

Hi ZouPrime,

I hadn't considered that it might be inappropriate to offer my services. If a locksmith goes into a shop to buy a Twinkie, and notices that the lock on the door is not screwed in, would it be inappropriate of him or her to offer to fix it?

I have no interest in the site.
 