
The Firing Offense

140 points| Udo | 12 years ago |thedailywtf.com

83 comments

[+] vidarh|12 years ago|reply
The first security flaw I ever found was when the company I worked at used a cookie with an "encrypted" customer ID as sufficient to authenticate to their web app, which allowed you to access a lot of private details and run up substantial bills for the company via various phone services (e.g. you could easily use our APIs to dial 30+ premium-rate numbers and let the bills rack up...)

It was a big enough WTF that there was no nonce or time element to the authentication, so that if you got hold of a cookie you could replay it forever.

It was a bigger WTF that the "encryption" looked suspicious, and turned out to simply be base64 of the customer ID.

In a triple whammy, the customer ID that was "encrypted" was a sequentially assigned integer, so it took me about 10 minutes to demonstrate that I could access the accounts of everyone in the company and every customer simply by working backwards from my own ID.

Thankfully my boss at the time was smart enough not to play shoot the messenger. They thanked me, and were somehow amazed that I'd figured out how to "break" the encryption, and asked me to review their fixes, and we went back and forth a few times until it was reasonably secure.
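An added contrast (my own code, not vidarh's or the company's): the cookie scheme described in this comment, beside a signed, expiring cookie that a server can verify and revoke. The secret key, the field layout and the sample values are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET_KEY = b"demo-only-secret-key"


def weak_cookie(customer_id: int) -> str:
    """The scheme from the comment: the cookie is just base64 of the customer ID."""
    return base64.b64encode(str(customer_id).encode()).decode()


def decode_weak_cookie(cookie: str) -> int:
    """Anyone holding the cookie reads the ID straight back; nothing ties it to a session or a time."""
    return int(base64.b64decode(cookie).decode())


def issue_signed_cookie(customer_id: int, ttl_seconds: int, now: int) -> str:
    """Hardened form: id | expiry | random nonce, all covered by an HMAC-SHA256 tag.

    The expiry bounds how long a stolen cookie works; the nonce gives the server a handle
    to revoke one specific cookie (logout, password change) without touching the others.
    """
    payload = f"{customer_id}|{now + ttl_seconds}|{secrets.token_hex(16)}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_signed_cookie(cookie: str, now: int, revoked=frozenset()):
    """Return the customer ID for a valid, unexpired, unrevoked cookie; otherwise None."""
    try:
        customer_id, expires, nonce, tag = cookie.split("|")
        expires_at = int(expires)
        customer = int(customer_id)
    except ValueError:
        return None
    payload = f"{customer_id}|{expires}|{nonce}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Check the tag first, in constant time, so a forged or edited ID never gets further.
    if not hmac.compare_digest(tag, expected):
        return None
    if expires_at < now or nonce in revoked:
        return None
    return customer
```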

[+] lostlogin|12 years ago|reply
I just updated a colleague's registration to a medical imaging professional body by working back from my own crap login/password which they chose. This was done to save him some time on a busy day. I noticed that his user ID was just a few digits different to mine so tried the same increment on the password. Surprise! I'm not sure how much damage one could really do, but deep frustration could easily be inflicted.
[+] speeder|12 years ago|reply
Once I decided to make my final.university assignment with Game Maker, and I.bought two copies for me and one for a teammate.

The thing started to refuse to launch after an update on Windows, and this started a long talk with their helpdesk and people in forums. Eventually I was convinced the bug was in their DRM, found a cracked.version, and indeed the cracked version worked just fine.

I told this finding to the helpdesk, hoping they would fix it, or at least say sorry...

Their reaction was to call me a filthy pirate, delete all my support tickets, and after I wrote.the whole tale on.the forums they quickly hellbanned me, by removing all permissions.instead of.banning me, so other users.think.I left, not that I was banned.

[+] Udo|12 years ago|reply
Offtopic, but this is the second comment of yours where many space characters have been replaced by random periods. It really makes your posts more difficult to parse. Did you get a new keyboard or something? ;-)
[+] Skoofoo|12 years ago|reply
Wow, I knew that the forces behind Game Maker at some point stopped having their customers'/community's best interest at heart, but I didn't know it was this bad.
[+] jmadsen|12 years ago|reply
Shocking how common this reaction is from people.

I used to play an online soccer manager game. One day I found out - essentially because I had copy/pasted a bit of buggy JavaScript into their homebrewed forum to help them spot the bug - that the forum itself would execute any JavaScript a user put into their posts.

Alarmed, I notified everyone I could think of. And waited. Knowing these guys were infamously non-responsive, and that this was a pretty bad issue, I then posted about it for everyone to read to raise an uproar and get their attention. Which it did. And we all waited.

Finally, I posted a small script that popped up an alert with "You've just been infected by a nasty bug", put it in a few places with "tasty" subject lines to get people to click & read it.

Oh, they fixed the bug. I also received from the non-technical Forum Moderators - real quotes, I kid you not:

-- one week forum ban for "taking advantage of a bug" because "someone had to be punished for this"

-- one week forum ban for "spamming the forum" (I had posted that I had a great player for sale to get clicks, then explained the security flaw instead in the post)

Users were outraged at the bug; moderators of the forum were outraged that I had caused such a PITA by causing all these popups when they were trying to browse the (insecure) forum.

[+] aidos|12 years ago|reply
I'm going to go out on a limb and say that it sounds as though your behaviour wasn't very responsible. Fair enough - there was a bug, it needed to be fixed. Bringing it to the attention of everyone in the way you did doesn't sound very mature.

Obviously you thought it was urgent and maybe the admins weren't being responsive enough. You have to keep in mind that priorities vary. Always keep in mind, there are real people on the other end who have to deal with this. What if your actions dragged an unhappy parent away from a sick child to deal with a PITA who thought his issue was so important as to demand immediate attention?

[+] peteretep|12 years ago|reply
I dated a girl for a while who I stayed friendly with after we split up. She posted an online dating profile (circa 2003?) with just enough information about herself to be Google-able. Some guy Google'd her, found her on her university website (she was doing a PhD), and emailed her telling her she should be a bit more careful, and, PS, did she want to go on a date?

She replied calling him a creep, and reported him to the dating site.

[+] hackerboos|12 years ago|reply
You spot a bug and report it. It's ignored. You make it public. That's it. Don't do anything else.
[+] dylukes|12 years ago|reply
Amusingly, I had almost this exact experience in middle school.

I'd figured out that the barcodes used on our school lunch cards were just plaintext for our ID numbers. With minor cooperation from a nice lunchlady, I discovered that there were a couple very low numbers (e.g. 00000001) that had effectively infinite funds. Presumably they had been used for testing or something.

I brought this to the attention of the school's tech guy, who thought it was very cool and said he'd go tell the administration so he could get permission to fix the issue.

Of course, being a middle schooler with access to a card printer, I also took this opportunity to reprint my lunch card with an identical design and barcode... And a Chuck Norris photo.

The administration asked to speak to me and I assumed I'd be thanked for finding an easy vulnerability that could have been losing them funds.

Instead I was told I would be expelled or at the very least suspended for a month, and that they thought this constituted a felony and identity theft. Ridiculousness of those claims aside... I ended up getting away with weekend detention after my parents and the tech guy stood up for me.

[+] tomjen3|12 years ago|reply
Personally I am convinced that the purpose of the US educational system is to prevent kids from having a single creative thought, at least until they are adults and can be bullied into being average.
[+] protomyth|12 years ago|reply
This is basically the entire reason our public schools are in trouble in a nutshell. I honestly believe many school administrators would be happier teaching parrots because curiosity and problem solving are crimes.
[+] binarymax|12 years ago|reply
During college I interned in a lab for a physical security device company that I will not name. They had state of the art magstripe readers/encoders, motion detectors, and all kinds of really cool stuff. One slow day we all decided to have a bit of fun with the magstripe encoder, and I changed my Wegmans Shoppers Club card to show the name 'DANNY WEGMAN' on the till whenever it was swiped. Aside from being admired by my younger brother that I had such powers, not once did a cashier notice.
[+] brokentone|12 years ago|reply
We had a very similar situation at my college. ID cards with mag stripes were used for a lot of stuff: meal plans, restricted access academic areas, and housing. I had an inkling that these were pretty insecure, so I read mine and found that the mag stripe had a zero padded ID number, issue number, and a single digit XOR checksum. Through a separate issue, I was able to learn most students' IDs in the student intranet system. Also, all this info was printed on the front of the cards, which students did not secure well.

I built myself an Arduino mag spoofer: http://lifehacker.com/5677465/diy-arduino-magstripe-emulator and figured out how to iterate through the issue numbers. Got into someone's apartment with their permission, then went to the IT people.

The lead IT guy was cool (we had a friendship from my first day there), asked me to read his card and we went and opened the server room. He escalated it up the chain. Not sure if it was ever replaced with something more secure (doubtful).

[+] btipling|12 years ago|reply
We ought to recognize that others may not understand how to respond to security vulnerability reports. We can use this knowledge to be a little bit more wise in our own behavior.

The best approach may be if you are unsure as to what the response will be when you feel like you need to disclose a security vulnerability is to do so anonymously.

[+] josso|12 years ago|reply
Definitely anonymously and with a hash of a secret message to prove it was you, in case there'll be a bonus.
[+] kaoD|12 years ago|reply
Or keep it to yourself and wreak havoc.
[+] sstarr|12 years ago|reply
I was once contracting at a company which developed software for the police and other emergency services. The server rooms all had electronic card readers on the doors so that only people with the right security clearance could get in.

One day there was a power cut which meant that all the card readers stopped working and we couldn't open the server room doors. After ten minutes of scratching our heads and worrying about the UPS batteries running out, someone had the bright idea of dragging a desk next to the door, moving a couple of ceiling tiles and climbing over the partition wall.

The guy didn't get fired but I'm not sure if that particular vulnerability was ever fixed.

[+] SeanDav|12 years ago|reply
This seemingly makes no sense and yet it is far from the only case I have come across.

If ever you find yourself discovering a security flaw then just pretend you never discovered it and tell no one. If you really want to be a concerned citizen - report it anonymously.

[+] droithomme|12 years ago|reply
This is my position as well. History is replete with examples of people being punished harshly for reporting security problems. In the Randal Schwartz case, discussed in a link above, he was working for Intel and doing routine best practices security testing there that got him arrested and convicted. So even if you are working with complete authorization, if you have political enemies or just clueless people around, they can make the argument that you are the bad guy.

So stay quiet and let the real bad guys figure it out.

There are also many who make reasonable incomes selling exploits on the black market.

[+] jonknee|12 years ago|reply
This is the same reason why credit card skimming still works in the US (no chip + pin here).

I got a magstripe reader for a project and had some fun swiping various cards and seeing what was contained. My driver's license had the number and my address, which was interesting. The only cards I came across that weren't obvious plain text were hotel keys.

[+] UnoriginalGuy|12 years ago|reply
I am still surprised there is no chip & pin in the US, plus now they're rolling out "insecure by design" RFID chips so you can steal from someone without having to touch them...

Even their ATMs are defective by design, they spit out the cash before the card so a LOT of people leave their cards behind at the ATM, when this issue was solved like 20 years ago in the UK by spitting out the card first and beeping until you took it.

[+] josso|12 years ago|reply
I've been thinking of getting a magstripe reader/writer and perhaps also a chip-reader/writer. Do you have any cheap device you can recommend?
[+] notacoward|12 years ago|reply
Here's a crazy idea. What would be the legal realities of putting the disclosure details under copyright, with a license (similar to a software license) that prohibits retaliation? Would it be possible? Would it work? I suspect that it would run into the same problems as shrink-wrap licensing, plus conflict with employment contracts which would deny the right to place such information under one's own choice of license, but maybe someone else can think of an angle that at least provides some benefit.
[+] deckar01|12 years ago|reply
Director: Hey, the IT guy hacked our ID badges. Dean: The pothead in the server room? I told you to fire him weeks ago.
[+] deluxaran|12 years ago|reply
Unfortunately there still are persons that view those that find security flaws in products, and report them, as a threat to the stability of the world, as if the problem were an insult to them. Never got to understand them.
[+] Tycho|12 years ago|reply
I wonder if they read it as blackmail. Like imagine you received a phonecall from a stranger saying 'Your house alarm is insecure. Someone could break in at night if they wanted to. You might want to think about that.'
[+] Vivtek|12 years ago|reply
A much milder version of this happened to me once. I accidentally discovered a rootkit on the server of one of my customers and reported it. Their initial knee-jerk was to ask me why I thought I had the right to put a rootkit on their server.
[+] peterkelly|12 years ago|reply
I think the university in question deserves to be named.
[+] codeulike|12 years ago|reply
It seems quite elaborately made-up but that does help to illustrate its point more effectively.
[+] fredsanford|12 years ago|reply
This can be summed up in a few words.... Lazy, incompetent management sucks.

Is this why most layoffs start with middle management?

[+] jrochkind1|12 years ago|reply
This is pretty much what working in university IT is like, yeah.

The less work you do, the more you'll keep everyone happy, and the higher your job security. If you try actually getting anything done, you will make people mad and lower your job security.

I suspect this is true in many/most large organizations, not just universities, yeah?