
I seem to find myself doing this a lot. Maybe there's something about colleges and universities contracting out to bad webdev firms, but I've emailed 3 different firms to complain about them holding passwords in plain text.

One of them, UCAS, has the majority of my personal details, and refuses to acknowledge that it's bad that they send your email, password and ID number in an unsecured email when you go through a 'lost password' form.

At the end of the day, I want to help firms improve their software, for their sake and mine, but it seems many take it personally or as if I'm discrediting the company when I point out a flaw.

I always emphasise that I'm reporting it as I want the problem to be fixed, and that I have no intention of exploiting it or sharing the details.

What can I do to increase the likelihood of a successful outcome in this situation?

Is it even my place, as a user of the system, to do this sort of thing?

jackweirdy

Comments:

  • UCAS keeps passwords in plaintext? Keep shaming them. That is disturbing. Maybe an email from a single source won't do much good, how about a collective approach? Would you mind also posting their email response, the relevant bits? Cheers – rath Sep 06 '13 at 17:17
  • I'll post it shortly. Haven't emailed them in a while, did it twice, only got a stonewall response first time, then they never replied – jackweirdy Sep 06 '13 at 17:19
  • @rath here is the email conversation, if you're interested https://www.jackwearden.co.uk/ucas.txt – jackweirdy Sep 06 '13 at 17:33
  • I would be careful about this if you are a student. Sometimes management can be ignorant and short-sighted --> http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html – Eric G Sep 08 '13 at 06:13

1 Answer

I would politely email them informing them that you have discovered a security vulnerability (I know you've done this already) and then show them evidence (you capturing your friend's information through Wireshark, for example, with informed consent on your friend's part) and a polite explanation of how trivial it would be to capture information from hundreds of students in the course of a day, without even having to sit at the computer.

I, personally, would also volunteer that you would be happy to show them what the vulnerability was, and let them know that you plan to present their solution in the school newspaper (newsletter, whatever) so that they can show how they are always improving and even catch mistakes made by other groups (like their web dev people).

So, honestly, the biggest thing is usually to give them a deadline and to let them know that this will be published, and when you plan to. This gives them a deliciously evil choice: fix it and look good for fixing what was a bad problem, OR not fix it and look like they don't know what they're doing for not checking things that they should be aware of. It becomes their problem of how they are going to look, not YOUR problem.

EDIT: I read your email transcript. My last paragraph holds true. The best usual thing to do on these is tell them that you intend to publish to whoever that you have found a vulnerability. Don't be overly annoying (YOU HAVE THREE DAYS OR I GO PUBLIC); give them a decent amount of time, a couple of weeks to a month, for them to fix this.

At the same time, they could probably find or even make a replacement for this within a few hours if they're good or a day or two if they had to build it from the ground up. Use your best judgement.

PsychoData