Hacking and exploiting - How do you deal with any security holes you find?

Question

Today online security is a very important factor. Many businesses are completely based online, and there is tons of sensitive data available to check out only by using your web

Answer 1

I experienced the same like you. I once found an exploit in an oscommerce shop where you could download ebooks without paying. I wrote two mails: 1) Developers of oscommerce, they answered "Known issue, just don't use this paypal module, we won't fix" 2) Shop administrator: no answer at all

Actually I have no idea what's the best way to behave ... maybe even publicate the exploit to force the admins to react.

Answer 2

Contact the administrator, not a business-type person. Generally the admin will be thankful for the notice, and the chance to fix the problem before something happens and he gets blamed for it. A higher-up, or the channels a customer service person is going to go through, are the channels where lawyers get involved.

I was part of a group of people who reported an issue we stumbled across on the NAS system at University. The admins were very grateful we found the hole and reported it, and argued with their bosses on our behalf (the people in charge wanted to crucify us).

Answer 3

I usually contact the site administrator, although the response is almost ALWAYS "omg you broke my javascript page validation I'll sue you."

People just don't like to hear that their stuff is broken.

Answer 4

"Ive found that Im often testing others applications for exploits and security holes, maybe just for curiosity".

In the UK, we have the "Computer Misuse Act". Now if these applications you're proverbially "looking at" are say Internet based and the ISP's concerned can be bothered to investigate (for purely political motivations) then you're opening yourself up getting fingered. Even doing the slightest "testing" unlesss you are the BBC is sufficient to get you convicted here.

Even Penetration Test houses require Sign Off from companies who wish to undertake formal work to provide security assurance on their systems.

To set expectations on the difficulty in reporting vulnerabilties, I have had this with actual employers where some pretty serious stuff has been raised and people have sat on it for months from the likes of brand damage to even completely shutting down operations to support an annual £100m E-Com environment.

Answer 5

If it doesn't affect many users, then I think notifying the site administrators is the most you can be expected to do. If the exploit has widespread ramifications (like a Windows security exploit) then you should notify someone in a position to fix the problem, then give them time to fix it before you publish the exploit (if publishing it is your intention).

A lot of people cry about exploit publication, but sometimes that's the only way to get a response. Keep in mind that if you found an exploit, there's a high likelihood that someone with less altruistic intentions has found it and has started exploiting it already.

Edit: Consult a lawyer before you publish anything that could damage a company's reputation.

Answer 6

I once reported a serious authentication vulnerability in a online audiobook store that allowed you to switch the account once you were logged in. I was wary too if I should report this. Because in Germany hacking is forbidden by law too. So I reported the vulnerability anonymously.

The answer was that although they couldn’t check this vulnerability by themselves as the software was maintained by the parent company they were glad for my report.

Later I got a reply in that they confirmed the dangerousness of the vulnerability and that it was fixed now. And they wanted to thank me again for this security report and offered me an iPod and audiobook credits as a gift.

So I’m convinced that reporting a vulnerability is the right way.