3

I've read this post at length, but I believe this question is subtly different.

Consider this scenario: a municipal, non-profit organization has a website with authentication (username, password). The authentication protects user data; money is not involved (if that matters).

With the best intentions, Person A publishes an auto-login PHP script with full details of the login procedure (specific URLs, session info in cookies, etc), provided that a user has a valid username and password.

[Edit]: this script uses PHP/cURL. It is not part of a webpage; it is executed from the command-line. It contacts the website URL, establishes a session, and sends an HTTP POST to login. The script may continue to pull user data as appropriate for the domain.

On one hand, the PHP script simply mimics the protocol used by the browser: there are no exploits. The intent is "DIY hacking", my term for "power users doing innovative things". This is not white, grey, or black hat stuff.

However, it is true that the script/info can easily lead to a derivative work that iteratively probes for authentication details: a security hack.

[Edit] as clarification (for commentators and others), consider the following:

  • The municipal, non-profit organization does not dedicate many resources toward security. This includes default passwords, login attempt limits, and so on.
  • Before publication of the PHP script, if a black hat wanted to compromise an account, s/he would have to automate the browser, use a network sniffer, or research the login details and write the PHP script, etc.
  • After the publication of the PHP script and login details, a black hat could reasonably modify the PHP script (a derivative work) so that, given a username, it simply iterates over possible passwords until one is found. It might also probe for other usernames. The work to research login protocol is already done and documented.

My question is: does Person A have an ethical responsibility to alert the organization that the info has been published? does Person A disclose the possibility of the derivative work?

Similarly, if Person B discovers the publication and realizes the potential consequences, is there a burden on Person B to alert the community, even though the derivative work does not exist? That is to say, does s/he proceed as described in this post?

Community
  • 1
Michael Easter
  • 81
  • 8
  • 1
    I don't understand the security problem. Logging in when you know the password seems by-design to me. Are you worried that people get fished and enter their password on some third party website that hosts the php script? – CodesInChaos Sep 21 '13 at 20:09
  • If you really believe Person A should accept responsibility or apologize for a possible unrelated future event that is only similar because it logs into this web site, why don't you believe the organization is at fault for even creating the login system in the first place? Under this logic, couldn't they foresee that it might eventually be used by someone up to no good? – quietmint Sep 21 '13 at 20:22
  • I will edit the post but my concern is that the PHP script can be easily altered to try, iteratively, random username/password combinations until an account is cracked. It is not an unrelated future event. It is an obvious and simple augment to the PHP script. That said, I am open to answers of "no, there is no ethical duty". – Michael Easter Sep 22 '13 at 00:21
  • This doesn't seem fundamentally different from any other open source code that may potentially have black hat applications. A tool is a tool; the intent of the user is what matters. – Jonathan Garber Sep 22 '13 at 06:00

3 Answers3

5

From what I understand of your question, my opinion is No.

You describe a web based brute force tool, sans the brute force capability. In short, what you describe is a couple of lines of code that almost anyone could make in a couple minutes. There exist many web based brute force tools, so if this particular script didn't exist, it wouldn't make much of a difference, as most attackers probably have their own tools they are familiar with and wouldn't need to use yours.

Most web based login functions are pretty basic and easy to reverse engineer due to the nature of the web. Most sites are HTML/JS that do not use compiled code, and most don't obfuscate their scripts.

If the design of the login function is so secret that the details cannot safely be disclosed, then there are much larger security implications than some script floating around. You shouldn't need to hide the process of authentication in order for it to be secure, this is considered security through obscurity and has no place on the internet.

The server side should be enforcing login rules that limit the number of unsuccessful attempts. It really makes no sense to move security away from the server to the client as there is no realistic way of controlling what a client is doing.

David Houde
  • 5,464
  • 1
  • 27
  • 22
  • I agree with most of your post. There is a disconnect here though: I am not asking if Person A should publish the info. I am asking: assume that Person A does publish the info, do they have an obligation to alert the website at the possible ramifications (for starters, that obfuscation has been completely unveiled), and collaborate with them on a solution? – Michael Easter Sep 22 '13 at 15:28
  • I see what you are getting at, but I don't feel as though there is a legal or moral obligation in this case. People can debate for days about responsible disclosure, so obviously this is all opinion. I guess it all boils down to your motives, but it might be nice to alert them if you are doing this as academic or professional practice. – David Houde Sep 22 '13 at 17:46
0

No.

Neither Person A nor Person B is obliged to alert the website.

The IT staff is probably aware of the vulnerability, and have made the choice to live with the risks (likely to put resources elsewhere).

The script does not contain exploits, and uses open standards. It may imply a derivative work at the "script kiddie" level, but prior to its publication, the site was likely vulnerable to basic threats. The login details are not difficult to discover, and so a black hat could obtain that info easily.

Moreover, if finances are not involved, the impact of a breach is low.

Finally, this discussion descends into a purely philosophical discussion about morality. The security hack may not exist. We have bigger fish to fry.

Michael Easter
  • 81
  • 8
0

Yes.

Person A and B should alert the website of the potential consequences of the post.

At the very least, it is a professional courtesy (assuming Person A or B understands the risk).

It is also ethical: we live in a digital age, and those who are literate in security should assist others in understanding the consequences of disclosure. This is not to say that the original publication should be suppressed. Rather, it should be full disclosure:

  • here is a DIY hack
  • here are the potential security ramifications
  • here are possible fixes to security concerns

Finally, there is hardly a reason not to take some kind of action.

Why assume the fix is expensive? One remedy might be an email to users, advising that they improve the strength of their passwords.

Why assume the impact is low? The website may use software (or a framework) that used by many others. Also, privacy is privacy, whether it be financial or not. Imagine a library hack where someone else can read your checked-out books ("Wedding Proposals for Dummies") or place holds in your name ("Divorce for Dummies").

It may be true that the security hack doesn't exist, but if it can reasonably be done, it is safer to assume it will be written, and take some measure of ethical disclosure.

Michael Easter
  • 81
  • 8