
I found a security issue on a politician's personal site about two weeks ago. The site is still very active and has a bunch of visitors every day. The breach is very stupid and I'm probably not the first person to find it, but a .htaccess is missing in the admin part of the site, so that I can just log in as an admin by typing www.thesite.com/admin, and I can access all personal data from the members, I can post an article, suppress everything etc... As it is a major issue I tried to contact someone on the site, but there was no webmaster contact, just the politician's personal address and his secretary's address. I sent about three messages to them but they didn't answer.

Question: Should I just forget about it, as it is their problem, not mine? Or find another way to contact them? Could what I've done be considered illegal, since I've been able to see all personal information about their members?

EDIT: My question has been identified as a possible duplicate of another question, but in my case I know pretty much what I should do (I already sent messages); I was just wondering if I should let it go or not.

Shashimee
    Bug reporting like this tends to be a grey area - sometimes they praise and reward you and other times they prosecute you. Imo your best bet is to find another way to contact them and put in an anonymous tip. That way, you can protect your identity in case they're not so welcoming, while still informing them of the vulnerability. It's important that you disclose it to them and give them time to fix it before disclosing it publicly, for ethical reasons. Also, [this](http://security.stackexchange.com/questions/52/how-to-disclose-a-security-vulnerability-in-an-ethical-fashion) SSE question. – Paradox Jun 30 '16 at 13:00
  • Entertaining advice @AndréBorie, but I don't think recommending that the OP take destructive and potentially illegal action is the right thing. Especially as such a leak will disclose personal data about users. It's not just the site, but all of those people that will be affected – Neil Smithline Jun 30 '16 at 16:24
  • @NeilSmithline It is of course a matter of opinion, I am just sharing mine. However, at some point if the developers are unresponsive it is better to go public than doing nothing. The public outcry may pressure the developers into taking action, and if not at the very least everyone will know the system is not secure (vs. having a false sense of security while the few blackhats who do know about the vulnerability quietly exfiltrate their info). – André Borie Jun 30 '16 at 16:26
  • I wasn't really arguing against what you said @AndréBorie. But I think such a recommendation must make it clear that the actions may hurt the site's users and is potentially illegal. We've now done that. (You may even want to make it a full answer as I think it is reasonable course of action.) – Neil Smithline Jun 30 '16 at 16:31
  • Actually we already have a [similar question](https://security.stackexchange.com/questions/52/how-to-disclose-a-security-vulnerability-in-an-ethical-fashion) which suggests a similar approach, albeit in a less blunt fashion. – André Borie Jun 30 '16 at 16:38
  • One of the main questions against you is (in case they want to prosecute you): Why were you trying to enter the "admin" area? – lepe Jul 01 '16 at 02:11
  • Yes, it's what I thought: how to explain it. Maybe I just shouldn't explain it at all unless they ask me. Maybe I wanted to see if there was an admin interface, just to know. – Shashimee Jul 01 '16 at 07:14

1 Answer

You should endeavor to disclose the vulnerability in a responsible and ethical fashion.

Look for a contact email of the individual who owns the site as well as anyone that does admin on it. Look up whois; this may have contact information for the person who registered the domain, or a contact page on the site. I do not recommend using any information that has been exposed by the bug to contact the person, as you may find yourself in a legal gray area.

Detail the vulnerability, how you discovered it and any methods they can use to replicate it (which looks easy in this case). I would also inform them of any fix if you know one.

Additionally you can explain what risks they face by leaving the vulnerability unchecked.

If you have made best endeavor to disclose this ethically and they do not do anything about it, you have two options: inform them that you will give full disclosure to the public after a fair amount of time, or decide that, as it is a personal site, you will not disclose it to the public and go on with your life.

Personally, as people's personal details are exposed and the person who owns the site is a public official, I would give them fair warning and then go public.

TheJulyPlot
  • I understand what you say by 'go public' but I don't know how/where to do that. Could you explain, please? – Shashimee Jul 01 '16 at 09:09
  • For something like this a blog post or a social media post would do. You could submit it to mailing lists like bugtraq or full disclosure as well. Personally I would blog about it and post it on reddit's netsec page or something similar. – TheJulyPlot Jul 02 '16 at 08:14
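Added example, not part of the question or the answer above: the kind of fix the answer suggests including in the report, for the situation the question describes (an Apache site whose /admin directory has no .htaccess and therefore no access control). It assumes Apache 2.4, and the document root, password-file path and realm name are hypothetical placeholders. The second half is the caveat a practitioner should check: a .htaccess file is silently ignored unless the virtual host grants AllowOverride for it, and a rule placed in the vhost configuration cannot be undone by someone deleting the .htaccess file again.

```apache
# ---- /var/www/thesite/admin/.htaccess  (hypothetical path; added example) ----
# Require HTTP Basic authentication for everything under /admin.
# Create the password file OUTSIDE the document root, e.g.:
#   htpasswd -B -c /etc/apache2/admin.htpasswd adminuser   (-B = bcrypt, Apache 2.4)
AuthType Basic
AuthName "Administration"
AuthUserFile /etc/apache2/admin.htpasswd
Require valid-user

# ---- /etc/apache2/sites-available/thesite.conf  (hypothetical path) ----
# Without this, Apache never reads the .htaccess above: with "AllowOverride None"
# the admin area stays open even though the file exists.
<Directory /var/www/thesite/admin>
    AllowOverride AuthConfig

    # Preferable: enforce the same rule here, in the server config, so that a
    # missing, deleted or mis-uploaded .htaccess cannot reopen the admin area.
    AuthType Basic
    AuthName "Administration"
    AuthUserFile /etc/apache2/admin.htpasswd
    Require valid-user
</Directory>
```

After reloading Apache, an unauthenticated request such as `curl -sI https://www.thesite.com/admin/` should return a `401 Unauthorized` status line rather than `200 OK`. Note that this only gates the URL path at the web server: if the admin scripts themselves perform no server-side session check, they still need one, and the Basic-auth realm should only be served over HTTPS, since the credentials are sent base64-encoded, not encrypted.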