
Bugtraq mailing list archives


Dumb Question


From: "Sean Warnock" <swarnock.removeme () warnocksolutions com>
Date: Mon, 19 Sep 2005 00:11:30 -0700

First of all I want to say hello to the few people that I met at Toorcon 2005. For my first security conference you guys helped make it magical. Also greets go out to the guys from the San Fernando Linux users group. You guys are great and I'll have to make it your way one of these days.

The real reason for this post is to ask about how to handle "responsible reporting" of a bug. I have found what I believe to be an information disclosure vulnerability on a website. The website is an online dating website (yes I realize this is a little pathetic, don't ask). I have been able to read any message sent to any user in the website by simply modifying the HTTP GET request for a message, ex. "www.somesite.com/mymessages/displaymsg.cfm?mid=XXXXXX" where XXXXXX is the message id to pull. This apparent attack requires that you are logged into the site before you can pull messages.

The only hitch is that the site seems to be sending messages to its own users to generate revenue. I have been able to walk up and down through several hundred messages that are time stamped within a few minutes of each other and have the exact same message text. The only difference between the messages is the sending person. I do find messages that are completely different but they are generally at different times. I believe that what this site is doing could or should be considered fraud (and yes I did personally fall for this, again don't ask).

<newbquestions>

1. If I report this problem what kind of legal ramifications should I look at?

2. Who would I report this site's possibly illegal activities to? I believe what they are doing could fall under fraud but I really have no idea if current law would cover this?

3. Finally, what would be some possible avenues for reporting this to the press to simply embarrass the living daylights out of the people who run this website? If I pulled enough data to prove this could this get me into legal trouble?

4. Final thought -- any suggestions beyond my questions are welcome except DOSing the site. I am a little upset with their behavior but not to the point of doing anything illegal myself or prompting others to do something illegal.

</newbquestions>

Any suggestions are welcome both on and off list.

Sean
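The defect Sean describes is a missing object-level authorization check: the handler trusts the mid parameter and returns whatever message it names, so being logged in is the only gate. The following is an added example, not code from the site or from the post: it places that vulnerable lookup beside a hardened version that only returns a message to its sender or recipient (and answers unknown and foreign ids identically), plus a small counter of denied lookups per user that a defender could feed from access logs. The message store, user names and ids are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    mid: int
    sender: str
    recipient: str
    body: str

# Constructed sample store standing in for the site's message table.
MESSAGES = {
    1001: Message(1001, "alice", "bob", "hi bob"),
    1002: Message(1002, "carol", "dave", "hi dave"),
    1003: Message(1003, "site", "bob", "someone is interested in you!"),
}

class Forbidden(Exception):
    """Raised when the caller may not view the requested message."""

def display_msg_vulnerable(session_user, mid):
    """Mirrors the flaw in the post: a login check but no ownership check,
    so any authenticated user can read any message by changing mid."""
    if session_user is None:
        raise Forbidden("login required")
    return MESSAGES[mid]  # trusts the client-supplied id

def display_msg_hardened(session_user, mid):
    """Object-level authorization: return the message only if the logged-in
    user is a party to it. Missing and foreign ids raise the same error so
    the endpoint does not reveal which ids exist."""
    if session_user is None:
        raise Forbidden("login required")
    msg = MESSAGES.get(mid)
    if msg is None or session_user not in (msg.sender, msg.recipient):
        raise Forbidden("message not found")
    return msg

def can_view(session_user, mid):
    """True/False wrapper around the hardened check."""
    try:
        display_msg_hardened(session_user, mid)
        return True
    except Forbidden:
        return False

def count_denials(attempts):
    """Detection aid: denied lookups per user over (user, mid) attempts.
    A walk through sequential ids shows up as a spike for one user."""
    denials = {}
    for user, mid in attempts:
        if not can_view(user, mid):
            denials[user] = denials.get(user, 0) + 1
    return denials
```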
