
I was browsing a site recently that looked like it had been designed in 2000. However, this site has a good Alexa rank and a fairly active online community. For the protection of the site, I will not give specific details about the site.

I found a trivial reflected XSS on one page when I followed a broken link and saw that a URL parameter was reflected in the HTML. I dug some more and found a few other reflected & stored XSS holes. I looked for contact information on the site, and found the email of the admin and a page about the site's security.

On this page, the owner bragged about the security of the site, making some claims irrelevant to XSS. The owner also said that if you even attempt to hack the site, the owner will tell the FBI, and I don't want to get in legal trouble for submitting a security hole. The owner also claims that the site is valueless to anyone who breaks in because no important data is stored. However, the site has a login with usernames and passwords, and XKCD #792 tells us that stealing passwords is a very big deal.

The security page also claims that text is well sanitized and unsafe text is stripped. However, the only adjustment I had to make to get reflected & stored XSS was to make the HTML tags uppercase (lowercase tags were stripped, possibly in an unsafe way).

I am unsure about how to report a security hole to this website without getting arrested. What should I do?

Anders
user175564
  • You don't want trouble? Stay out of this. There are lots and lots of cases of people with good intentions burned when trying to help. – ThoriumBR Apr 12 '18 at 21:29
  • @ThoriumBR I don't want trouble, but I also want the owner of the website to know that the site is vulnerable. – user175564 Apr 12 '18 at 21:47
  • This document: https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet might give you some ideas on what to do. Especially this: "alert trusted 3rd party like National CERT, Data Privacy regulator if apply. Eventually, some security researchers like Brian Krebs or Troy Hunt (non-limitative. check your network first) can be intermediate too or provide support." – Patrick Mevzek Apr 12 '18 at 22:09
  • Also if the company is doing any kind of business, they may be under some regulations like PCI-DSS or in any case being watched by consumer organizations and/or government services around commerce, competition and such, and they may help (or not). – Patrick Mevzek Apr 12 '18 at 22:12
  • Not sure what kind of answer you're looking for. There is no mechanism that stops an agitated owner from calling authorities on you, except not giving away your identity in the first place. – Arminius Apr 12 '18 at 22:13
  • There is no such thing as a "valueless site". An XSS attack on that site means the attacker gets a free high-ranking site (<6000 Alexa is quite good) from which to distribute ads, malware, etc. – forest Apr 13 '18 at 05:08
  • If you want the owner of the site to know it is vulnerable but don't want to contact them anonymously, you could reveal the site and allow another SE member who may have more experience with these kinds of reports report the issue to them. – forest Apr 13 '18 at 07:12
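The filter behaviour the question describes (lowercase tags stripped, uppercase tags passed through) is typical of a case-sensitive blocklist. The following is an added illustration for defenders, not code from the site or from anyone in this thread; the function names, the tag list in `naiveStrip` and the sample inputs are all constructed for the example. It puts such a blocklist next to the usual fix, HTML-entity encoding of anything reflected into the page, and runs a small audit over the same input in both cases so the difference is visible.

```javascript
// Constructed example: a case-sensitive tag-stripping "sanitizer" of the
// kind the question describes, beside contextual output encoding.

// Naive sanitizer: removes a fixed list of tag names, case-sensitively.
// The regex has no /i flag, so "<SCRIPT>" is not matched at all.
function naiveStrip(input) {
  return String(input).replace(/<\/?(script|img|iframe)[^>]*>/g, "");
}

// Hardened alternative for reflecting a value into an HTML text node:
// encode the characters that have meaning in HTML. No tag survives this,
// whatever its case, so there is no list to keep up to date.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Defender's check: does the output still contain something the browser
// would parse as a tag? The /i flag here makes the check case-insensitive.
function stillContainsTag(output) {
  return /<[a-z][^>]*>/i.test(output);
}

// Constructed inputs: the same tag in lowercase and in uppercase.
const LOWER_INPUT = "<script>x</script>hello";
const UPPER_INPUT = "<SCRIPT>x</SCRIPT>hello";

// Run a candidate sanitizer over both inputs and report which were neutralised.
function auditSanitizer(sanitize) {
  return {
    lowerBlocked: !stillContainsTag(sanitize(LOWER_INPUT)),
    upperBlocked: !stillContainsTag(sanitize(UPPER_INPUT)),
  };
}

// Standalone run: the blocklist passes the uppercase variant, encoding does not.
console.log("naiveStrip:", auditSanitizer(naiveStrip));
console.log("escapeHtml:", auditSanitizer(escapeHtml));
```

A blocklist that is fixed by adding the `/i` flag is still a blocklist; encoding for the output context is the check a reviewer should expect to find.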

1 Answer

If you're really just trying to help out for the greater good, you can send a message anonymously using something like Guerrilla Mail over Tor. Believe there's also a Tor hidden service for/like this, but I'm at work right now and can't check to see if it still works.

AJAr
  • Of course, they may have already logged some information about the OP when they were testing for vulnerabilities. – Alexander O'Mara Apr 12 '18 at 20:56
  • That's an interesting idea, but I'd prefer to not be anonymous *if* I can do so safely. Also, [Guerrilla Mail has been traced](https://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor). – user175564 Apr 12 '18 at 21:21
  • FWIW, I wouldn't interpret that article to mean that Guerrilla Mail is an unsafe solution. Just says the service likely helped identify the origin as Tor, authorities checked network logs and saw the student was on Tor, and he confessed when confronted. But I agree with ThoriumBR if you don't want to remain anonymous... – AJAr Apr 12 '18 at 21:46
  • @user175564 you may send the initial e-mail from an anonymous account via Tor, signing the message with GPG. In case you'll get a positive feedback and the vulnerability would be fixed, you can later uncover your identity and prove that it was you who has initially reported the flaw. Besides that, personally I doubt that FBI is really going to go after a person who just happened to look at the HTML source of a Web page. – ximaera Apr 13 '18 at 08:29
  • Yeah, an issue with Tor is that at the very least, it's usually easy to check if you at least have used Tor directly. If you're already on the list of suspects (in the case in question, that was all Harvard students), the odds are good that you're one of the few or the flat out only person who used Tor, since it has a very tiny consistent user base. Using a VPN with Tor could avoid that, but if the Tor entry node is compromised, they could repeat the same process (checking who used that VPN). Mind you, the OP probably isn't on a narrow suspect list in the first place. – Kat Apr 17 '18 at 18:56