top | item 47096294

(no title)

lucb1e | 9 days ago

You don't need to retrieve other people's data to demonstrate the vulnerability.

It's readily evident that people have an account with a default password on the site for some amount of time, and some of them indefinitely. You know what data is in the account (as the person who creates the accounts) and you know the IDs are incremental. You can do the login request and never use the retrieved access/session token (or use a HEAD request to avoid getting body data but still see the 200 OK for the login) if you want to beat the dead horse of "there exist users who don't configure a strong password when not required to". OP evidenced that they went beyond that and saw at least the date of birth of a user on there by saying "I found underage students on your site" in the email to the organization

If laws don't make it illegal to do this kind of thing, how would you differentiate between the white hat and the black hat? The former can choose to do the minimum set of actions necessary to verify and report the weakness, while the latter writes code to dump the whole database. That's a choice

To be fair, not everyone is aware that this line exists. It's common to prove the vulnerability, and this code does that as well. It's also sometimes extra work (set a custom request method, say) to limit what the script retrieves and just not the default kind of code you're used to writing for your study/job. Going too far happens easily in that sense. So the rules are to be taken leniently and the circumstances and subsequent actions of the hacker matter. But I can see why the German the rules are this way, and the Dutch ones are similar for example

discuss

DANmode|9 days ago

> You don't need to retrieve other people's data to demonstrate the vulnerability.

If you’re reporting to a nontechnical team…which sometimes you are…sometimes you do?

lucb1e|8 days ago

If the nontechnical team is refusing to forward it to whoever maintains the system, they apparently see no problem and you could disclose it to a journalist or the public. Or you could try it via the national CERT route, have them talk to this organization and tell them it's real. In some cases you could send a proof of concept exploit that you say you haven't run, but they can, to verify the bug. You can choose to retrieve only your own record, or that of someone who gave consent. You can ask the organization "since you think the vulnerability is not real, do you mind if I retrieve 1 record for the sole purpose of sending you this data and prove it is real?"

In jurisdictions like the one I'm most familiar with, it's official national policy not to prosecute when you did the minimum necessary. In a case where you're otherwise stuck, it's entirely reasonable to retrieve 1 record for the sake of a screenshot and preventing a bigger data leak. You could also consider doctoring a screenshot based on your own data. By the time they figured out the screenshot was fake, it landed on a technical person's desk who saw that the vulnerability is real

Lots of steps to go until it's necessary to dump the database as OP did, but I'll agree it can sometimes (never happened to me) be necessary to access at least one other person's data, and more frequently that it will happen by accident

habinero|8 days ago

Absolutely not. That's not your concern nor your problem.

They're perfectly capable of hiring incident response experts, and companies commonly have cyber insurance that'll pay for it.

"Demonstrating" is dumb and means you turn an ordinary disclosure into personal liability for you.

Blabbing about it on the internet is just the idiot cherry on the stupid cake.

svrtknst|8 days ago

If you flip it, we have a dude here admitting to breaching a large number of accounts and gaining access to PII -- including PII about minors.

Are we and the Maltese government just going to trust this guy and assume he has actually deleted everything, with no investigation?