Major security flaw on a web site

It's just that from the point of view of the site owner, this sounds dangerously close to a scam. Is there a real security problem or is this guy who keeps bugging me by email just trying to get some money from me? Security professionals don't act that way (and that's not an attack on the OP - just an observation).

They are well aware it's not a scam.

Here's the email I sent them:

Hello,

My name is LM; I want to help secure your web site (dodgysite.com).

I see that you've implemented 'referrer checking' in an attempt to
address the security issues you are facing. Unfortunately, it's easy to
circumvent. As just one example, there is a Firefox plugin called
RefControl that allows anyone to instruct their browser to send
'dodgysite.com' as the referrer. I have done this myself to confirm
that the security vulnerability still exists.

In addition, are you aware that the file
'http://dodgysite/somefiles/members.txt', which contains usernames and
passwords and profile information of your users is publicly available?
Just do this search:
http://search.yahoo.com/search?p="dodgysite.com"&ei=UTF-8&y=Search&dups=1
It's right there, along with many other files. I see no reason why this
file, indeed any of these files, should be in a directory within the
document root. In fact, what is that directory doing there in the first
place?

I will be blunt; you have no security. The 'login' url does no checking
of credentials before allowing access. Checking the referrer is next
to useless. You have private files in publicly accessible areas.

You need to move those files out of there, outside of the document root.
You need your profile page, control panel page, and all other private
pages to check that the correct user is actually logged in at the
computer making the page request before granting access. You need, in
fact, to take the site down until your security problems are fixed.

I can fix this for you. Please check some of the secure sites I have
built:

(a list)

I'll give you other references on request. Please contact me as soon as
possible so that we can secure your site.


As you can see, they were aware of the problem and tried to fix it themselves. They know that they didn't fix it properly. What they should have done is taken the site down and fixed the problem, but they didn't.

I think part of the problem is that they just don't know how to fix it. Surely I did nothing wrong by pointing out the extent of the problem to them?
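The email above makes two technical points: a Referer check is not authentication, because the client sets that header, and private pages must instead verify a server-side login state. The following is an added example, written for this page and not code from the thread or from the site in question, that puts the two checks side by side. The session store, the user records and the request headers are all constructed for illustration; "dodgysite.com" is only reused as the expected referrer value.

```python
"""Added example (not from the thread): a Referer check versus a real login check.

Everything here is constructed for illustration: the session store, the user
records and the requests are made up; nothing talks to a network.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE = "dodgysite.com"        # domain named in the thread, used as the expected referrer
ITERATIONS = 200_000          # PBKDF2 work factor for the stored password hashes


@dataclass
class Request:
    """A minimal HTTP request: path, headers and cookies (all client-supplied)."""
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# --- The weak check the site reportedly deployed --------------------------------
def referer_check_allows(req: Request) -> bool:
    """Allow the request if the Referer header names our own site.

    The client controls this header entirely (the thread mentions the RefControl
    add-on; `curl -H 'Referer: ...'` does the same), so this proves nothing.
    """
    referer = req.headers.get("Referer", "")
    return referer.startswith(f"http://{SITE}/")


# --- A server-side session check -------------------------------------------------
def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; never store the plaintext password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class SessionStore:
    """Opaque session ids issued only after a credential check, kept server-side."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}   # session id -> username

    def login(self, username: str, password: str, users: dict) -> str | None:
        """Return a fresh session id if the credentials match, else None."""
        record = users.get(username)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if not hmac.compare_digest(candidate, stored):   # constant-time compare
            return None
        sid = secrets.token_urlsafe(32)                    # unguessable session id
        self._sessions[sid] = username
        return sid

    def user_for(self, sid: str | None) -> str | None:
        return self._sessions.get(sid) if sid else None


def session_check_allows(req: Request, store: SessionStore, owner: str) -> bool:
    """Allow only if the session cookie maps to the user who owns the page.

    The Referer header is ignored entirely, so forging it changes nothing.
    """
    return store.user_for(req.cookies.get("sid")) == owner


def demo() -> dict[str, bool]:
    """Run the three kinds of request through both checks (constructed data)."""
    users = {"alice": hash_password("correct horse"), "bob": hash_password("hunter2")}
    store = SessionStore()

    # Attacker who never logged in and only forges the Referer header.
    forged = Request("/profile/alice/edit", headers={"Referer": f"http://{SITE}/login"})
    # Alice after a real login, carrying her session cookie.
    alice = Request("/profile/alice/edit", cookies={"sid": store.login("alice", "correct horse", users)})
    # Bob, also logged in, trying to edit Alice's profile.
    bob = Request("/profile/alice/edit", cookies={"sid": store.login("bob", "hunter2", users)})

    return {
        "forged_referer_passes_weak_check": referer_check_allows(forged),
        "forged_referer_passes_session_check": session_check_allows(forged, store, "alice"),
        "alice_passes_session_check": session_check_allows(alice, store, "alice"),
        "bob_passes_session_check": session_check_allows(bob, store, "alice"),
        "bad_password_gets_session": store.login("alice", "wrong", users) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged request passes the Referer check and fails the session check; Bob, although genuinely logged in, is still refused Alice's edit page because the check compares the session's user with the page owner. That per-page ownership test is the "correct user is actually logged in" condition the email asks for, and it is the part a bare "is anyone logged in" check would miss.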
 
They are well aware it's not a scam.

Here's the email I sent them:

Hello,

My name is LM; I want to help secure your web site (dodgysite.com).

You see, were I the site owner, and were I reading this in my inbox, that first line alone would be enough for me to stop reading and delete the e-mail.

You really might want to think about not offering your services, especially not right off the bat. You might also want to think about finding someone else whom you trust to attempt to contact them in a less solicitous manner, because by now you may very well be on a block or spam list-- you'd be so if it were me.
 
You see, were I the site owner, and were I reading this in my inbox, that first line alone would be enough for me to stop reading and delete the e-mail.

You really might want to think about not offering your services, especially not right off the bat. You might also want to think about finding someone else whom you trust to attempt to contact them in a less solicitous manner, because by now you may very well be on a block or spam list-- you'd be so if it were me.

OK, thanks for the feedback. Why would you stop reading and delete the email, when you are aware that your site is not secure?

Perhaps a little more information is needed here. I've held back because with some digging you can find the site I'm referring to, and I don't want more people in there wreaking havoc.

In February of this year the details of the security flaw were made public (not by me!) on 4chan. As you can imagine, for a period of about two or three days many thousands of people flocked to the site and screwed around with the profiles.

It's a dating site. All of a sudden, members' profile pics were being replaced with unsavoury images, and the text on many profiles was modified. Once the 4channers found out they could get into people's email accounts, they started doing things like buying stuff using their victims' ebay accounts, and sending porn from these email accounts to all the contacts.

At this time the site owners implemented referrer checking in a poor attempt at controlling the marauding horde. They threatened legal action against anyone accessing the site who shouldn't be.

4chan got bored and moved on.

That's the context in which I sent my email. The site owners were well aware of a major security problem, were trying to deal with it (although not very well), and so my email did not just arrive out of the blue.

It was pertinent, and should have been welcome. They were obviously struggling with the problem, and had no idea how to fix it.

It's been three months and they still haven't fixed their security.

In my opinion, they have let down their members. They are still taking new memberships, and they know full well that there is no security on their site. I struggle to understand why they haven't fixed it.


eta: added (not by me!)
 
Think about it this way - you see a house that has been left unlocked, do you have a right to enter that house to "secure" it on the owner's behalf?

This analogy is wrong. It is more like a valet parking service that parks the clients' cars on the street and leaves the keys in the ignition.


LM, it's the site's users who need to be protected. The fastest path to that goal is through the site owners and fixing the site. But if that fails then you need to direct your message directly to the users. Keep in mind that your actions will embarrass the site owners and they may try to retaliate through legal action, so don't do anything that violates the "intended" security of their system.
 
This analogy is wrong. It is more like a valet parking service that parks the clients' cars on the street and leaves the keys in the ignition.

The internet has destinations (web sites) that are accessed via URLs, in much the same way as the mall has destinations (shops) that are accessed via doors. I think an apt analogy is more like a shop intending to be secure during closing hours but not locking the door or turning the lights out. The shop door's affordance is to be opened, so people will attempt to open it. URLs are to be entered into address bars.

LM, it's the site's users who need to be protected. The fastest path to that goal is through the site owners and fixing the site. But if that fails then you need to direct your message directly to the users. Keep in mind that your actions will embarrass the site owners and they may try to retaliate through legal action, so don't do anything that violates the "intended" security of their system.
I've gone off the idea of contacting the members, as now I'm not sure about the legal ramifications.
 
OK, thanks for the feedback. Why would you stop reading and delete the email, when you are aware that your site is not secure?

Because you start off the e-mail with a solicitation. Particularly considering the back-story you gave, at this point they have every reason to be suspicious and distrustful of someone coming out of the blue offering to help them. The way you are presenting your conundrum to us in this thread and the impression given by the text you supplied of the e-mail you originally sent, no offense intended, tell two different stories-- one being an impression that you're genuinely trying to help, and the other a fairly common (secure your site/raise your search ranking/bring more revenue) solicitation. With the signal-to-noise ratio out there on the web regarding spam and unsolicited offers, your e-mail starting off with what is basically a business/advertising pitch sends exactly the wrong message.

On top of that, if they've already threatened legal action once before, your main concern right now should be taking every precautionary measure you can to cover any legal liabilities. Unless you had the foresight to attempt logging into this other website through an anonymized proxy, then your activity on the website was definitely logged and can very likely be used against you if there is a web admin who has even close to any good sense on their end. What you admit to having done in the thread here is enough to charge you for the previous indiscretions by other 4chan-ers in a lot of countries/states/provinces. That doesn't necessarily mean you're going to be in legal trouble, but to be very frank with you the last thing on your mind should be getting commissioned to help them secure their website.

This is why 'white hats' (I really don't like the differentiations) tend to follow the procedure of warn, warn, report. No playing around to see how deep they can go (well, not officially). No offering to fix the problem for them, and definitely no soliciting to fix the problem for pay.

Again, please don't take what I'm saying the wrong way. I'm not trying to scare you or insult you. I'm just pointing out that in this case you're going to be putting yourself at risk if you keep approaching this the way you have been. You are not liable for the safety of the users' information, that website is. You do not want to get between that, because if it goes as far as legal action and you've thrust yourself into this, you will very likely regret it.
 
Why would you stop reading and delete the email, when you are aware that your site is not secure?

Think how many spam emails you get that start off sounding like that - they may not be responding, they may never even have seen your mail at all ;)

Good on you for pursuing this though, I'd probably have shrugged and given up by now.
 
Particularly considering the back-story you gave, at this point they have every reason to be suspicious and distrustful of someone coming out of the blue offering to help them.
I don't get that at all. I would have thought the exact opposite. They are in the middle of a security melt-down, with thousands upon thousands of people gaining apparently unauthorised access to their site and someone emails offering to help. I even explained the problems to them and how their attempt at fixing it wasn't working. I'd say it would be unusual for them to look at it and think 'spam' and junk it.

I did try to get their attention, and get straight to the point. And the point is that their members' information was not secure and it needed to be, and I could help to fix it.
 
Think how many spam emails you get that start off sounding like that - they may not be responding, they may never even have seen your mail at all ;)

Good on you for pursuing this though, I'd probably have shrugged and given up by now.

Fair point. I really didn't think of them thinking it would be spam, especially as it was addressing a problem they were right in the middle of.
 
I'm going to have to think about this. It could cause a lot of harm if I publish the details.

If it is hidden and festers, there is a lot of harm as well. But you can publish it in a generic way, just as in this forum.

You can demonstrate it to a news-agency in detail.
 
If it is hidden and festers, there is a lot of harm as well. But you can publish it in a generic way, just as in this forum.

You can demonstrate it to a news-agency in detail.

Well, as I said in another post, the details were published on 4chan a few months ago. The threads didn't last long but for a while there many thousands of people knew about it.

I'm just surprised, and dismayed, and concerned, that the site owners still haven't fixed it.
 
I get a 404 - address not found.

 
Yes. It's likely fairly easy. Getting their IP and finding out who is leasing that block would be the first step.

Do WHOIS on the domain name and telephone the contacts listed. Follow up with real mail if required.
 
