1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

I found a flaw, should I report it???

Discussion in 'White Hat SEO' started by CoyoteAssassin, Jul 23, 2011.

  1. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA
    I've been trying for months to get contact information for members of a particular website. Today, I somewhat found a way in.

    I found out that if I create an account and during the registration process, alter the URL, I can assign myself as the primary contact of that company. To confirm that it was legit, I did it a couple more times. Now, my (fake) email address and (fake) name are associated with this company.

    However, this still did not reveal the email address.

    So, I continued at it. Finally, I was able to alter the URL so that it would not only assign me to a company but allow me to view their employee list (and email addresses).

    Having said that, I could (in theory) assign myself to all records, grab the email addresses and run. That would be a huge mess for the system and I do not want that for the.

    So, is it OK (legally) for me to tell them that in exchange for their membership list that I will reveal the flaw?

    Thoughts? What would you do?
     
  2. reinie

    reinie Elite Member

    Joined:
    Jan 16, 2009
    Messages:
    1,574
    Likes Received:
    1,040
    Whatever you do, try to exploit it so no-one is negatively influenced or left with less... if not possible, walk away
     
  3. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA

    Yeah, I'm trying to leave as little footprint as possible although I know there will still be some. Though they will see errors, they will never know how they were generated.

    I can access Phone, Fax, Name, Address, Website, Company but not email. Blah!

    This is a huge list. So close, but yet so far. May just take the URL and hope that WHOIS will give at least some info.
     
  4. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA
    Ha! Sometimes it just takes venting and then taking a new approach. Look what I found in the HTML.

    The email was not displaying in the text box (that I would edit) but is in the source code.

    Sweet!


    Code:
    <div class="row"><label for="email">Email:</label><input type="text" id="email" name="email" value=""  /></div>
                               <input type="Hidden" name="origEmail" value="email@domain.com">
     
  5. BassTrackerBoats

    BassTrackerBoats Moderator Staff Member Moderator Jr. VIP

    Joined:
    Mar 10, 2010
    Messages:
    12,793
    Likes Received:
    22,058
    Occupation:
    I don't actually have a job
    Location:
    It's an Algo, of course it can be gamed.
    Home Page:
    Rather than semi-hacking the site, I would tell the owners of the issue, you may or may not be rewarded but in the long run you would be sleeping pretty good at night.'
     
    • Thanks Thanks x 7
  6. fanthomas

    fanthomas Registered Member

    Joined:
    Jan 25, 2010
    Messages:
    98
    Likes Received:
    31
    get the data and then tell them about the security issue and ask for a backlink if its a high pr site
     
  7. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA

    I'm going to grab the data now that I can get it but also let them know. Personal info such as DOB, SSN, or CC#'s are not included. I'm only interested in the email address.
     
  8. ┼blackrat┼

    ┼blackrat┼ Senior Member

    Joined:
    Jul 31, 2010
    Messages:
    899
    Likes Received:
    729
    Location:
    Sewer
    Hey look a coyote, should you shoot it?

    2 with one shot, get the list and then honestly tell them about the flaw, accept any rewards gladly.
     
  9. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA

    Blackrat - Did you type that last part? "Do both, get the list and then honestly tell them about the flaw, accept any rewards gladly."

    It is not in your posts but when I select Quote, it is there... weird.
     
  10. moggwai

    moggwai Junior Member

    Joined:
    Jul 15, 2010
    Messages:
    181
    Likes Received:
    69
    Occupation:
    College
    Location:
    Ireland
    Im was checking out your seo on your site and i discovered u have a serious error that allows me to do bla bla.. heres proof..

    Here,s what i would like to do, rewrite a contract to me and i can assure u this never happens again for $1500 a month etc ????

    WOOD from the trees my friend !!
     
  11. ┼blackrat┼

    ┼blackrat┼ Senior Member

    Joined:
    Jul 31, 2010
    Messages:
    899
    Likes Received:
    729
    Location:
    Sewer
    last minute editing lol
     
  12. hispdcha

    hispdcha Regular Member

    Joined:
    May 24, 2011
    Messages:
    289
    Likes Received:
    133
    For you to know about the problem, you had to create it, am I right? If they have an IT security team or know anything about computer security, they may report you. I would just get the list and then send them a FULLY anonymous letter through snail mail telling them the problem. Do not, in anyway, give them your contact details or let them get any information on you. I would take the list and leave it be.
     
  13. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA

    No, I did not create a problem. I simply found a whole in the system that will allow me to alter the URL so that I am able to gain access to other records.

    They do have an IT person (individual). The company is a local group. The web is something they have just because it is expected. They make no money from the website, do not sell anything or the likes.

    But yeah, I'll get it and run.
     
    • Thanks Thanks x 1
  14. Jonny13131

    Jonny13131 Regular Member

    Joined:
    Mar 29, 2010
    Messages:
    222
    Likes Received:
    75
    I would recommend that you reveal the flaw and when they thank you (at least they should do) ask if you can have the email addresses in return. Don't say I found a hole in your system and I will tell you what it is if you give me the email addresses. If you say that you will look like you are blackmailing them.
     
  15. other_henry

    other_henry Junior Member

    Joined:
    Jun 1, 2011
    Messages:
    107
    Likes Received:
    19
    Occupation:
    Freelance coder, server guy
    Location:
    US
    If you decide to tell them about the flaw don't ask for anything in exchange, you might be accused of extortion.

    When you report something like this there will be some very pissed off & embarrassed people looking to shoot the messenger.

    I suggest that you report it anonymously using the anon remailer network.
     
  16. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA
    Thanks guys for the comments. I appreciate the different opinions and looking out for the other party.
     
  17. zerocoolflo

    zerocoolflo Regular Member

    Joined:
    Feb 7, 2011
    Messages:
    495
    Likes Received:
    150
    Occupation:
    Student
    Location:
    Romania
    "hello , sorry to bother you, I've discovered a major flaw in your ****** and you can say that it is quite big because anyone who discovers it can access ***** . "

    I can report/fix the problems that you have, providing proof after so you could be assured that I'm not trying to scam you.

    Because your data is important to everyone ( especially you),and considering the gravity of the problem, the fixing/reporting ( if you know how to fix it go with fixing ) fee would be xxx.





    Basically I would use something like that and make a little income

    Have a nice day
     
  18. cheatson

    cheatson Newbie

    Joined:
    May 7, 2011
    Messages:
    40
    Likes Received:
    7

    You would have to be ultra confident that the other party would not view this as extortion even if it isn't strictly. One little thrown out law suit is still going to be expensive.
     
  19. zerocoolflo

    zerocoolflo Regular Member

    Joined:
    Feb 7, 2011
    Messages:
    495
    Likes Received:
    150
    Occupation:
    Student
    Location:
    Romania
    Eh, you don't do anything bad imho

    You actually help the webmaster by telling him that he has problems and you offer yourself to help

    What idiot would sue someone who tries to help him ? ( if yes, for what and probably wasting time/loosing )

    Lmao ;)
     
  20. cheatson

    cheatson Newbie

    Joined:
    May 7, 2011
    Messages:
    40
    Likes Received:
    7
    In my opinion you should just leave the list alone if it is company emails and don't report the finding to them could be more trouble than its worth.

    Compare the value of work email conversions not caught by their auto filter with the prospect of being investigated should they see a pattern in the spam and link this back to you as a hacker (if you were to contact them). I am assuming you didn't "find" the list initially without using a proxy?