Stupid Drivers-Ed Website

[Nathan4102]

So I'm taking this Drivers-Ed course which has a website where you can log on, and view all your account information, including all personal information they have. Via a very simple URL edit (I mean like changing "ACCID=17719" to another number), you can view any users personal information. You don't even need to have a logged-on cookie to view other users profiles! Is there anything I can do with this? Obviously nothing malicious, I mean like demand a refund? Or something like that? Surely having 17000 peoples personal information publicly available is punishable in some way?

Nathan

[Tony]

Surely such would never be considered an

Quote:

especially ingenious

attack, by any

Quote:

security experts

http://www.nytimes.com/2011/06/14/technology/14security.html

[mirhagk]

Definitetly report the vulnerability to the website, and be on there butts about fixing it. If you wanted you could even offer to fix it for them for a price

[Insectoid]

Or threaten to pull yourself out of the program and publicize the situation. Presumably the records contain phone numbers or email addresses. Tell them you'll contact all their customers and inform them that their information is at risk. If they don't overhaul their site after that, they deserve to lose their customers.

[Nathan4102]

Full names, home and mobile numbers, home adress, email adress, birth date, license number, theres a bunch of stuff. Ill probably threaten to sell the story to the Sun or something, I dunno yet.

@mirhagk, I wouldnt know how to fix it! I could give 80% to someone here to fix it though.Anyone?

[mirhagk]

Well I most likely could fix it, a simple check for permission is all that would be required

[Insectoid]

Quote:

a simple check for permission is all that would be required

That's assuming they have any framework in place for it at all. They might not even be encrypting their login data (in fact, they probably aren't).

[Nathan4102]

Wow, you'd expect more from one of the biggest driving schools in ontario. Mirhagk, ill message you if he asks me to fix it. What would be a fair price to charge them?

[mirhagk]

Well if there is a log-in in place, I would hope they have at least a basic check to see if you're logged in to access the page. If they have that then it probably won't be too much more to make it restrict to only your login page.

It's probably not a huge deal if the login info is encrypted while transmitted, but I would hope that it's hashed in the database.... and if not and anyone helps them, please do that.

@Nathan, I don't really know a fair price. For my software contracting I generally charge around $25/hour, depending on the job and the client. I don't know how long it'd take, and I'd need to take a look at their framework to make a good estimate. PM me if you want to talk more.

[Nathan4102]

The log in system obviously meeds lots of work. I could give you the URL to my profile right now, and youd be able to access my full profile. If the guy asks me to fix it, ill PM you and we can work something out.

[Dan]

Nathan4102 @ 19th May 2013, 9:23 am wrote:

Ill probably threaten to sell the story to the Sun or something, I dunno yet.

@mirhagk, I wouldnt know how to fix it! I could give 80% to someone here to fix it though.Anyone?

This would get you sued and/or arrested. It's one thing to find an exploit and report it, but extorting the owner of the website is illegal.

Either follow responsible disclosure or forget you ever found the issue.

[mirhagk]

I think Nathan meant he'll go public with the story if the site owner refuses to fix it, which is actually exactly what responsible disclosure is (tell the site owner, and if they don't do anything after a reasonable amount of time, you can publish the details).

I really hope he didn't mean to say he'd sell the story to the sun without giving the site owner notice and time to fix it.

[Dan]

He said he would sell the story to sun in the same post he discussed splitting the profits of extorting the website owner to pay him to fix. He might have not meant it that way, but it would look bad enough to be evidence in a court case should the sites owner freak out and go to the authorities or start a law suit.

[Nathan4102]

Sorry if that came out wrong, Ill give him time to fix it first, before I publicise anything. Hes been trying to contact me all day today while I was out though, so I doubt itll come to that.

[Dan]

Even if you have no plans to extort them you should know that responsible disclosure does not normally go over well unless you have a lot of support behind you.

Most companies are not overwhelmed to hear that they are being accused of failing to secure there software (especially from a high school student) and often treat it as more of a threat than any kind of help. Ideally they will see the light and fix there site, however, they are just as likely to ignore you or threaten criminal or civil action against you.

I hope it works out for you, and the guy is not trying to contact you to threaten you.