Major security flaw on a web site

My take, after reading the thread: I think the only thing you can do is go public. Contacting users is not a good option, as you got their emails by circumventing the site's "security" and therefore could be accused of unauthorized access. Apparently the information has already been made public once and the owner of the site thinks (and probably assured its members) that the problem had been fixed.

I have to agree with others that telling the owner that you could fix the site might have made you look like a scammer, or at least somebody looking for a job. The site's owner probably thinks he already has a developer (he's wrong).

As a web developer myself, I am flabbergasted that in this day and age, a publicly accessible site could do such an amateurish job of "protecting" sensitive information. Passwords in plain text files accessible from the web, and using only a querystring parameter to "verify" login status, are criminal negligence. The site's owner and "developers" deserve to be sued for everything they own or ever will own, if not thrown in prison. On top of that, to think they have fixed the problem by referrer checking when they found out about the problem is more criminal negligence. They must have told the same idiot that developed the system in the first place to fix it instead of firing him and hiring somebody that knows what they are doing.
 
My take, after reading the thread: I think the only thing you can do is go public. Contacting users is not a good option, as you got their emails by circumventing the site's "security" and therefore could be accused of unauthorized access. Apparently the information has already been made public once and the owner of the site thinks (and probably assured its members) that the problem had been fixed.
I've handed it over to CERT. Let's see what they do with it.

I have to agree with others that telling the owner that you could fix the site might have made you look like a scammer, or at least somebody looking for a job. The site's owner probably thinks he already has a developer (he's wrong).
Well, I'm always looking for more work. I don't see what's wrong with that! :)
Perhaps I worded it wrong, I don't know. They obviously had no idea how to fix it, and I was offering to help.

As a web developer myself, I am flabbergasted that in this day and age, a publicly accessible site could do such an amateurish job of "protecting" sensitive information. Passwords in plain text files accessible from the web, and using only a querystring parameter to "verify" login status, are criminal negligence. The site's owner and "developers" deserve to be sued for everything they own or ever will own, if not thrown in prison. On top of that, to think they have fixed the problem by referrer checking when they found out about the problem is more criminal negligence. They must have told the same idiot that developed the system in the first place to fix it instead of firing him and hiring somebody that knows what they are doing.
I agree with all of this.
 
I would be extremely cautious. The DMCA makes what you are doing legally dicey. That's bogus, but it's the law of the land in the US.

I know you're trying to do the right thing. If I were you, I'd do everything I could to contact them anonymously, and I'd never touch the system again, until some reasonable resolution is made, or the company expressed interest and indemnity.
 
I would be extremely cautious. The DMCA makes what you are doing legally dicey. That's bogus, but it's the law of the land in the US.

I know you're trying to do the right thing. If I were you, I'd do everything I could to contact them anonymously, and I'd never touch the system again, until some reasonable resolution is made, or the company expressed interest and indemnity.
I've handed it over to CERT. I did get some advice earlier in the thread to contact an internet security firm such as Symantec, which I thought was a good idea. It then occurred to me that CERT would be a better choice.
 
CERT is probably a better choice, yes.

Maybe I'm completely wrong, but I doubt CERT cares about a security issue in a random website. AFAIK that's not in the scope of their activities.

The only guys that should care are the owners (because they have a vulnerability), the users (because their data is in danger when using this system) and maybe the web site provider (because the vulnerability could maybe compromise other systems hosted there).
 
What surprises me is that you can see passwords. Aren't they supposed to be encrypted somewhere so that even the admins can't retrieve them? Or are we talking about some really old forum software?

That's how it should be. One of our admins once misconfigured a server so that CGI scripts would be transmitted instead of executed. We had an administrator password hardcoded into a script, but encrypted, so it would have taken a few decades on a supercomputer (on average) to break it.

I do have one account where if you forget your password, they send you the old password instead of a newly-generated one. I use a password there that bears no relation to any others I use.
 
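The posts above ask why passwords are visible at all when they should be stored so that not even an admin can read them back. The following is an added example (not code from the thread or from the site being discussed) showing the difference: the plaintext records are constructed sample data in the four-letters-plus-six-digits ID format mentioned later in the thread, the storage format string is this example's own convention, and the hashing uses PBKDF2-HMAC-SHA256 with a per-account random salt. A "forgot password" reset is included because one post complains about sites that mail back the old password; with hashed storage that is impossible by construction, so a new password has to be issued.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Storage format chosen for this example (not the site's format):
#   pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's current recommended minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a salted, iterated hash. The plaintext cannot be recovered from this string."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False   # malformed record: treat as a failed login, never as a match
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


# Constructed sample of what the thread describes: a file that anyone fetching it can read.
PLAINTEXT_RECORDS = {
    "cscp000001": "sunshine1",
    "cscp000002": "letmein",
}


def migrate_to_hashes(records: dict) -> dict:
    """Replace every plaintext password with its salted hash."""
    return {user: hash_password(pw) for user, pw in records.items()}


def reset_password(records: dict, user: str) -> str:
    """A 'forgot password' flow that cannot mail back the old password: it issues a new random one.
    The returned value is shown to the user once; only its hash is stored."""
    new_password = secrets.token_urlsafe(12)
    records[user] = hash_password(new_password)
    return new_password


if __name__ == "__main__":
    hashed = migrate_to_hashes(PLAINTEXT_RECORDS)
    for user, record in hashed.items():
        print(user, record)
    print("login ok:", verify_password("sunshine1", hashed["cscp000001"]))
    print("wrong pw:", verify_password("letmein", hashed["cscp000001"]))
```

Two things to notice when running it: the same password hashed twice gives two different records (the salt differs), so a leaked table cannot be cracked with one precomputed list, and `verify_password` never needs the original password from storage, which is exactly the property the admins in the thread were asking about.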
You see, were I the site owner, and were I reading this in my inbox, that first line alone would be enough for me to stop reading and delete the e-mail.

And you would be a complete idiot for doing that. Sorry, but that's just the way it is.

It doesn't matter if the guy is offering his services: he was kind enough to explain IN DETAIL what was wrong with the security, meaning that if the company had access to a barely competent programmer, they could have easily fixed it themselves. If, for some reason, they don't even have access to such a person, then at least logical muse is available, so that's good to know. Also, logical muse didn't even ask for payment in his email, he just said "I can help you", and he actually DID help them with his email alone.

A kind hacker once found a vulnerability in my site. He emailed me saying he could help me fix it, and proved what he could do by showing me my password. I quickly realized he was right and immediately fixed the problem, changed my password, and thanked him profusely. (For the record, I was aware, in a general sense, that security wasn't so good on that site, since it's very old and very bad code, but I wasn't aware of this one specific vulnerability - still it came as little surprise when I saw that email, as it should have been no surprise to the creators of dodgysite.com). If I had deleted and ignored his email, I would have been not only a giant douche to my users, but a complete moron.


Unless you had the foresight to attempt logging into this other website through an anonymized proxy, then your activity on the website was definitely logged
:newlol What the hell makes you say that? These guys have a file in plain text containing all the user passwords, available on the web root, and their script to check authentication is the same as a wide open door. Assuming that they have the means or intelligence to cross-check logical muse's page hits from (surely huge) Apache logs to his activity is a huge leap of faith.


As a web developer myself, I am flabbergasted that in this day and age, a publicly accessible site could do such an amateurish job of "protecting" sensitive information. Passwords in plain text files accessible from the web, and using only a querystring parameter to "verify" login status, are criminal negligence. The site's owner and "developers" deserve to be sued for everything they own or ever will own, if not thrown in prison. On top of that, to think they have fixed the problem by referrer checking when they found out about the problem is more criminal negligence. They must have told the same idiot that developed the system in the first place to fix it instead of firing him and hiring somebody that knows what they are doing.

100% agreed. This story revolts me even more considering it's a dating site, which means the user information is probably their real info AND it's probably a paying site. Dear Cthulhu.
 
And you would be a complete idiot for doing that. Sorry, but that's just the way it is.

What is it with tech-savvy people and the need to constantly have pissing contests?

It doesn't matter if the guy is offering his services: he was kind enough to explain IN DETAIL what was wrong with the security, meaning that if the company had access to a barely competent programmer, they could have easily fixed it themselves. If, for some reason, they don't even have access to such a person, then at least logical muse is available, so that's good to know. Also, logical muse didn't even ask for payment in his email, he just said "I can help you", and he actually DID help them with his email alone.

:rolleyes: If that makes you feel justified in your assumed superiority, far be it from me to interfere.

A kind hacker once found a vulnerability in my site. He emailed me saying he could help me fix it, and proved what he could do by showing me my password. I quickly realized he was right and immediately fixed the problem, changed my password, and thanked him profusely. (For the record, I was aware, in a general sense, that security wasn't so good on that site, since it's very old and very bad code, but I wasn't aware of this one specific vulnerability - still it came as little surprise when I saw that email, as it should have been no surprise to the creators of dodgysite.com). If I had deleted and ignored his email, I would have been not only a giant douche to my users, but a complete moron.

Considering the glut of spam out there that offers to help site owners out with this-and-that, the text from the e-mail presented in this thread started off with the same type of presentation that would get it flagged by even a basic filter. Maybe you have the time to sift through literally hundreds (if not thousands) of spam e-mails that come through to commercial sites every single day-- I'm not talking about your "look at my cat / read my blog" personal websites, I'm talking a commercial site-- then good for you, but the chances are much greater that the daily operational setup for the site in question involves either filters on the receiving end that set aside non-specific (usually site actions and scripting) messages for later checking or outright dumps them into the trash.

GreNME said:
Unless you had the foresight to attempt logging into this other website through an anonymized proxy, then your activity on the website was definitely logged
:newlol What the hell makes you say that? These guys have a file in plain text containing all the user passwords, available on the web root, and their script to check authentication is the same as a wide open door. Assuming that they have the means or intelligence to cross-check logical muse's page hits from (surely huge) Apache logs to his activity is a huge leap of faith.

Um, no. It doesn't require a great deal of intelligence to do a text search. Hell, I've retrieved logs of activity from specific locations to turn over to authorities before who were investigating an issue unrelated to the server I was taking care of, and it was a piece of cake to copy the Apache logs, run the search, and output the results to a separate text file to hand over to the authorities. There's no magic involved, no electronic wizardry, and it doesn't even require too much in the way of deep knowledge to accomplish.

There's nothing wrong with sending a message to a site admin reporting a problem. I've done it myself (with a couple of .gov sites, no less). However, there is indeed a protocol for reporting things like this, and sending an e-mail offering to fix it for them is atypical and isn't likely to garner a response. Maybe you disagree that this should be the case, and maybe you even have a good, logical reason for feeling that way, but dropping down to guffaws and insults isn't really making your point for you-- unless your point was something along the lines of "I think acting like a middle-school prick is a valid and useful rhetorical method."
 
Given that the vulnerability still exists, I feel the need to warn anyone who might have an account on the site in question.

If you are a member of a dating site where your user ID is the four letters 'cscp' followed by six digits, please go to your profile and remove or change your details. In particular, please ensure that the password you use on the site is not the same password you use for anything else, especially your email.

If you are a member of the site and want to confirm the existence of the vulnerability, go to your 'update profile' page and take a note of the URL in your address bar. The last six digits are your user ID. By changing this to the user ID of any other user, you will now be logged in as that user. User IDs on this system are publicly available to all site visitors, as they are the means by which all members are identified to other members.
 
What is it with tech-savvy people and the need to constantly have pissing contests?
No pissing contests here. I'm telling it like I see it. If you ignore valuable advice (that you know is valuable, too) simply because of the way it was given, you are a fool, plain and simple.

:rolleyes: If that makes you feel justified in your assumed superiority, far be it from me to interfere.
No idea what you're talking about. You appear to be a very oversensitive person, though.


Considering the glut of spam out there that offers to help site owners out with this-and-that, the text from the e-mail presented in this thread started off with the same type of presentation that would get it flagged by even a basic filter. Maybe you have the time to sift through literally hundreds (if not thousands) of spam e-mails that come through to commercial sites every single day-- I'm not talking about your "look at my cat / read my blog" personal websites, I'm talking a commercial site-- then good for you, but the chances are much greater that the daily operational setup for the site in question involves either filters on the receiving end that set aside non-specific (usually site actions and scripting) messages for later checking or outright dumps them into the trash.
I still wonder why you make all sorts of assumptions on the competence of their server setup, when all the evidence points that they obviously have no competent technical person in their company. But if you're merely arguing that he should have been more careful in using terms that might get auto-flagged as spam, I suppose I won't argue that. What I take issue with is your own admission that you would actually delete the email yourself after reading the first line, even if you're already aware that your site is vulnerable. Only a fool would say "oh it's gotta be spam" and not spend just two seconds to even look further in the email, considering the context. Hell, even if the email started out as the most spammy-looking thing ever, I know I'd quickly glance at the rest, just in case there's something out there -- especially if I've already been hacked before!

There's nothing wrong with sending a message to a site admin reporting a problem. I've done it myself (with a couple of .gov sites, no less). However, there is indeed a protocol for reporting things like this, and sending an e-mail offering to fix it for them is atypical and isn't likely to garner a response.
Except that he DID report the issues, in detail, in sufficient detail that would allow them to fix the issue themselves. His email was basically, "Hey guys, I need to tell you about huge security issues: they are this, and this, and that, and your programmer can fix them in these ways. If you don't have a programmer available, I could do it for you." -- I can't see anything wrong with that.

For that matter, I think logical muse went out of his way to be helpful to a site he has no personal interest in, and that's commendable. In his place I'd be tempted to re-expose the weakness on 4chan, just to teach them a lesson. ;) Though that'd be unfair to the site users...

but dropping down to guffaws and insults isn't really making your point for you-- unless your point was something along the lines of "I think acting like a middle-school prick is a valid and useful rhetorical method."
Aren't we sensitive.
 
There's nothing wrong with using information from GET and POST (in fact, most web applications do that - you gotta enter that username/password somewhere! and that's usually going to be from the POST) to retrieve sensitive information, so long as you validate, filter and escape this information before passing it along to an SQL query. But I think The Fire was revolted about using a simple "login=xx" in the URL to determine if the user was logged in, which of course is beyond ridiculous - anyone could spoof it. Once the user is authenticated, sessions become mandatory, and even sessions can be spoofed, so one has to be extra careful when manipulating them.
 
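The warning post earlier in the thread describes the flaw concretely (the six-digit user ID at the end of the 'update profile' URL is the login state, so changing it logs you in as someone else), and the post above explains why a "login=xx" parameter can never prove anything and why a server-side session is mandatory once the user has authenticated. The code below is an added example, not the site's code and not from any poster: it models the described scheme together with the Referer-based "fix", then puts the session-cookie design next to it. The host name `dating.example`, the `Request` class, and the user IDs are all constructed for the example; the IDs just follow the four-letters-plus-six-digits format the thread mentions.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SITE = "https://dating.example"   # hypothetical host standing in for the site in the thread


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def param(self, name: str):
        values = parse_qs(urlparse(self.url).query).get(name)
        return values[0] if values else None


# --- The scheme the thread describes, including the Referer "fix" -----------------------

def vulnerable_current_user(req: Request):
    """Login state is the user ID in the query string; the only extra check is the Referer
    header. Both are supplied by the client, so both can be set to anything."""
    if not req.headers.get("Referer", "").startswith(SITE):
        return None          # the "fix": satisfied by typing the header yourself
    return req.param("id")   # whoever's ID you put in the URL is who you are


# --- A server-side session instead ------------------------------------------------------

class SessionStore:
    """Maps an unguessable random token to the authenticated user. Lives only on the server."""

    def __init__(self):
        self._sessions = {}

    def login(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)    # 256 random bits, unrelated to the user ID
        self._sessions[token] = user_id
        return token

    def user_for(self, token):
        return self._sessions.get(token)     # unknown or missing token -> None

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def set_cookie_header(token: str) -> str:
    """Cookie attributes that keep the token away from page scripts and plain-HTTP requests."""
    return f"Set-Cookie: sid={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def hardened_current_user(req: Request, store: SessionStore):
    """Identity comes from the session cookie only; nothing in the URL is trusted for it."""
    return store.user_for(req.cookies.get("sid"))


def can_edit_profile(req: Request, store: SessionStore) -> bool:
    """The ID in the URL names the resource; the session says who is asking. They must match."""
    who = hardened_current_user(req, store)
    return who is not None and who == req.param("id")


ATTACKER, VICTIM = "cscp000001", "cscp000002"   # made-up IDs in the format the thread mentions


def demo() -> dict:
    """Replay the attack described in the thread against both designs."""
    store = SessionStore()
    sid = store.login(ATTACKER)                  # attacker logs in legitimately as himself
    forged_url = f"{SITE}/update_profile?id={VICTIM}"
    spoofed = Request(forged_url, headers={"Referer": SITE + "/members"})
    with_own_cookie = Request(forged_url, cookies={"sid": sid})
    guessed_cookie = Request(forged_url, cookies={"sid": VICTIM})   # guessable "token"
    own_page = Request(f"{SITE}/update_profile?id={ATTACKER}", cookies={"sid": sid})
    return {
        "vulnerable_accepts_forged_id": vulnerable_current_user(spoofed) == VICTIM,
        "hardened_rejects_forged_id": not can_edit_profile(with_own_cookie, store),
        "hardened_rejects_guessed_sid": hardened_current_user(guessed_cookie, store) is None,
        "hardened_allows_own_profile": can_edit_profile(own_page, store),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the example makes in code rather than argument: in the vulnerable design the server has no secret of its own, so there is nothing for a client to fail at, and a Referer check only adds one more client-controlled value. In the hardened design the only thing that identifies the visitor is a token the server generated and remembers, and the user ID in the URL is demoted to naming which profile is being edited, which is then compared against the session. Spoofing the session still means guessing a 256-bit random token or stealing the cookie, which is why the cookie is marked HttpOnly and Secure.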
You see, were I the site owner, and were I reading this in my inbox, that first line alone would be enough for me to stop reading and delete the e-mail.

And you would be a complete idiot for doing that. Sorry, but that's just the way it is.

The OP already established the site's operators are complete idiots. GreNME is just getting into character :)
 
