
-----------------------------------
Nathan4102
Sat May 18, 2013 8:47 pm

Stupid Drivers-Ed Website
-----------------------------------
So I'm taking this Drivers-Ed course which has a website where you can log on and view all your account information, including all the personal information they have. Via a very simple URL edit (I mean like changing "ACCID=17719" to another number), you can view any user's personal information. You don't even need to have a logged-on cookie to view other users' profiles! Is there anything I can do with this? Obviously nothing malicious, I mean like demand a refund? Or something like that? Surely having 17000 people's personal information publicly available is punishable in some way?

Nathan

-----------------------------------
Tony
Sun May 19, 2013 3:18 am

RE:Stupid Drivers-Ed Website
-----------------------------------
Surely such would never be considered an especially ingenious attack, by any security experts.

http://www.nytimes.com/2011/06/14/technology/14security.html

-----------------------------------
mirhagk
Sun May 19, 2013 8:32 am

RE:Stupid Drivers-Ed Website
-----------------------------------
Definitely report the vulnerability to the website, and be on their butts about fixing it. If you wanted, you could even offer to fix it for them for a price.

-----------------------------------
Insectoid
Sun May 19, 2013 8:36 am

RE:Stupid Drivers-Ed Website
-----------------------------------
Or threaten to pull yourself out of the program and publicize the situation. Presumably the records contain phone numbers or email addresses. Tell them you'll contact all their customers and inform them that their information is at risk. If they don't overhaul their site after that, they deserve to lose their customers.

-----------------------------------
Nathan4102
Sun May 19, 2013 9:23 am

RE:Stupid Drivers-Ed Website
-----------------------------------
Full names, home and mobile numbers, home address, email address, birth date, license number, there's a bunch of stuff. I'll probably threaten to sell the story to the Sun or something, I dunno yet.

@mirhagk, I wouldn't know how to fix it! I could give 80% to someone here to fix it though. Anyone? ;)

-----------------------------------
mirhagk
Sun May 19, 2013 10:53 am

RE:Stupid Drivers-Ed Website
-----------------------------------
Well, I most likely could fix it; a simple check for permission is all that would be required.

-----------------------------------
Insectoid
Sun May 19, 2013 10:57 am

RE:Stupid Drivers-Ed Website
-----------------------------------
a simple check for permission is all that would be required

That's assuming they have any framework in place for it at all. They might not even be encrypting their login data (in fact, they probably aren't).

-----------------------------------
Nathan4102
Sun May 19, 2013 11:19 am

RE:Stupid Drivers-Ed Website
-----------------------------------
Wow, you'd expect more from one of the biggest driving schools in Ontario. Mirhagk, I'll message you if he asks me to fix it. What would be a fair price to charge them?

-----------------------------------
mirhagk
Sun May 19, 2013 6:06 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
Well, if there is a log-in in place, I would hope they have at least a basic check to see if you're logged in to access the page. If they have that, then it probably won't be too much more to make it restrict to only your login page.

It's probably not a huge deal if the login info is encrypted while transmitted, but I would hope that it's hashed in the database... and if not, and anyone helps them, please do that.

@Nathan, I don't really know a fair price. For my software contracting I generally charge around $25/hour, depending on the job and the client. I don't know how long it'd take, and I'd need to take a look at their framework to make a good estimate. PM me if you want to talk more.
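The permission check mirhagk describes, as an added example (not code from the site in the thread): a profile handler keyed only by ACCID, as the first post describes, beside a fixed version that requires a session and checks that the session owns the requested account. The account records, session tokens and ACCID values are constructed here.

```python
# Added example; not the drivers-ed site's code. All data below is constructed.
from typing import Optional

# Constructed stand-in for the site's account table (ACCID -> record).
ACCOUNTS = {
    17719: {"name": "Student A", "email": "a@example.invalid", "licence": "SAMPLE-A"},
    17720: {"name": "Student B", "email": "b@example.invalid", "licence": "SAMPLE-B"},
}

# Constructed session store: cookie value -> ACCID that logged in with it.
SESSIONS = {"session-cookie-17719": 17719}


class Forbidden(Exception):
    """Raised when the caller may not see the requested account."""


def profile_vulnerable(accid: int, cookie: Optional[str] = None) -> dict:
    """Behaviour described in the thread: the ACCID in the URL alone selects
    the record. The cookie is never consulted, so no login is needed."""
    return ACCOUNTS[accid]


def profile_fixed(accid: int, cookie: Optional[str] = None) -> dict:
    """The 'simple check for permission', made explicit:
    1. the request must carry a valid session (the caller is logged in);
    2. the ACCID in the URL must be the account that session logged in as.
    Step 2 is an authorization decision; a TLS certificate (valid or expired)
    protects the transport and has no bearing on it."""
    owner = SESSIONS.get(cookie)
    if owner is None:
        raise Forbidden("not logged in")
    record = ACCOUNTS.get(accid)
    # One error for 'not yours' and 'does not exist', so the response does
    # not confirm which ACCIDs are valid.
    if owner != accid or record is None:
        raise Forbidden("no such account for this session")
    return record


def profile_from_session(cookie: Optional[str]) -> dict:
    """Stricter design: take no ACCID from the URL at all and derive the
    account from the session, so there is no parameter to tamper with."""
    owner = SESSIONS.get(cookie)
    if owner is None:
        raise Forbidden("not logged in")
    return ACCOUNTS[owner]


def is_denied(handler, *args) -> bool:
    """True if the handler refuses the request instead of returning a record."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```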

-----------------------------------
Nathan4102
Sun May 19, 2013 8:02 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
The log-in system obviously needs lots of work. I could give you the URL to my profile right now, and you'd be able to access my full profile. If the guy asks me to fix it, I'll PM you and we can work something out.

-----------------------------------
Dan
Sun May 19, 2013 8:11 pm

Re: RE:Stupid Drivers-Ed Website
-----------------------------------
I'll probably threaten to sell the story to the Sun or something, I dunno yet.

@mirhagk, I wouldn't know how to fix it! I could give 80% to someone here to fix it though. Anyone? ;)

This would get you sued and/or arrested. It's one thing to find an exploit and report it, but extorting the owner of the website is illegal. 

Either follow responsible disclosure (https://en.wikipedia.org/wiki/Responsible_disclosure) or forget you ever found the issue.

-----------------------------------
mirhagk
Sun May 19, 2013 8:42 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
I think Nathan meant he'll go public with the story if the site owner refuses to fix it, which is actually exactly what responsible disclosure is (tell the site owner, and if they don't do anything after a reasonable amount of time, you can publish the details).

I really hope he didn't mean to say he'd sell the story to the sun without giving the site owner notice and time to fix it.

-----------------------------------
Dan
Sun May 19, 2013 8:58 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
He said he would sell the story to the Sun in the same post he discussed splitting the profits of extorting the website owner to pay him to fix it. He might not have meant it that way, but it would look bad enough to be evidence in a court case should the site's owner freak out and go to the authorities or start a lawsuit.

-----------------------------------
Nathan4102
Sun May 19, 2013 9:14 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
Sorry if that came out wrong. I'll give him time to fix it first, before I publicise anything. He's been trying to contact me all day today while I was out though, so I doubt it'll come to that.

-----------------------------------
Dan
Sun May 19, 2013 9:42 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
Even if you have no plans to extort them you should know that responsible disclosure does not normally go over well unless you have a lot of support behind you.

Most companies are not overwhelmed to hear that they are being accused of failing to secure their software (especially from a high school student) and often treat it as more of a threat than any kind of help. Ideally they will see the light and fix their site; however, they are just as likely to ignore you or threaten criminal or civil action against you.

I hope it works out for you, and the guy is not trying to contact you to threaten you.

-----------------------------------
Nathan4102
Sun May 19, 2013 9:55 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
Why is he able to take me to court for publicising their mistake though? He (or his IT team) is the one who put his customers' privacy at risk and, should it come to this, refused to fix it. As a customer with my personal data at risk, I should be able to take steps to get this fixed, no?

-----------------------------------
Dan
Sun May 19, 2013 10:00 pm

Re: RE:Stupid Drivers-Ed Website
-----------------------------------
Why is he able to take me to court for publicising their mistake though?

Anyone can take anyone to court for anything, though that does not mean he would win the lawsuit. For example, Lanschool threatened to take myself and CompSci.ca to court over details of an exploit to their software being posted here. They even had a real law firm draft the legal threat for them. However, I should note that we are on good terms with Lanschool now and they are far more receptive to reports of exploits.

The point is even if they are in the wrong, they still may react poorly.

-----------------------------------
Nathan4102
Sun May 19, 2013 10:04 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
Oh ya, I remember hearing about that. I guess I'll wait and see what they have to say tomorrow. I'll let you guys know what happens.

-----------------------------------
Nathan4102
Mon May 20, 2013 11:08 am

RE:Stupid Drivers-Ed Website
-----------------------------------
Finally got ahold of the CEO today. He said that a "Security Certificate" had expired, and they're working on renewing it. Since I know next to nothing about this web stuff, I accepted the excuse. Could an expired security certificate be the reason I can view everyone's information with ease? I'm not too sure what action to take now; I guess I'll just give him some time to get it sorted.

-----------------------------------
md
Mon May 20, 2013 11:20 am

RE:Stupid Drivers-Ed Website
-----------------------------------
A "Security Certificate" probably means an SSL certificate and would have zero impact on this particular security issue.

-----------------------------------
Nathan4102
Mon May 20, 2013 12:13 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
I guess the CEO forwarded me to his IT team after that call; another employee emailed me shortly after and told me this was a major security loophole, and they're working on a solution. Thanks for the advice guys, I'm glad this didn't come to a legal battle!

-----------------------------------
mirhagk
Mon May 20, 2013 5:53 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
This is how things work in the business world: you e-mail the website and get to talk to either a random business person or a secretary, who talks to the IT team, who stand there and mumble things to each other for a second; then the secretary/business person goes back and sends off an e-mail that makes no sense. Every once in a while you get lucky, the IT team gets CC'd in, and one of the staff sees how dumb the response was and takes a few minutes of their time to send a proper one.

I'm glad they recognized it as a major security loophole, and a solution should hopefully come out soon (which probably translates to "in a couple of months").

-----------------------------------
Nathan4102
Mon May 20, 2013 6:52 pm

RE:Stupid Drivers-Ed Website
-----------------------------------
Yeah, they said they'd have it patched in a couple of hours, and that was about 6 hours ago. At least they're working on it though, that's all I really wanted.
