
I was collecting sites that use a system we're going live with. Just URLs and nothing more, so we can see what others have done with the same system to give us ideas.

Since I know how the system works, curiosity got the better of me. We whitelist our deployment so I went through a few and noticed their admin sections were not whitelisted.

At this point, I just thought "hmm, interesting". A password prompt comes up and I just put a random admin/password without any thought and I actually got in.

I realise the without thought part might come back to bite me. I want to disclose this to the company but not sure how I should go about it. It's a multinational brand. I have tried reaching out to them via email and Twitter but still nothing back.

Any advice? Do I just do it anonymously? Would it be useful to publicly disclose at some point?

  • The question you are asking is about "responsible disclosure". – schroeder Jan 25 '17 at 13:02
  • And probably related [How to disclose a security vulnerability in an ethical fashion?](http://security.stackexchange.com/questions/52/how-to-disclose-a-security-vulnerability-in-an-ethical-fashion?rq=1) – Tensibai Jan 25 '17 at 13:27
  • Check that company's website to see if they have a responsible disclosure policy. It's disappointing that they have failed to respond to your email/twitter and may be worth seeing if you can contact one of their development teams or security email addresses (eg: abuse@x.com or spam@x.com). After a reasonable amount of time you may wish to publicly disclose. – iainpb Jan 25 '17 at 13:31
  • I'm not sure that this is a duplicate. Here OP did try a password to access an Information System. He may have done it *without thought*, but with no special authorization to do so. It cannot be self-evident without trying, so a public disclosure cannot be responsible nor ethical. That being said, not warning the security manager once the problem is disclosed would be *unfair*. – Serge Ballesta Jan 25 '17 at 15:49
