18

A few weeks ago I found that someone had posted admin account details for a certain website on a public wiki by mistake. As I found that data to be real (i.e. I could log into their website, which runs on Wordpress), I immediately did the following: I removed the sensitive data from that wiki, I asked the wiki admin to permanently remove all revisions of that page, and I wrote an email to the admin to inform him about it and ask him to change his password as soon as possible.

To make it worse, the security issue doesn't just involve their website, but also personal data of their nearly 2000 users. To top it off, the website is about organizing high-profile IT events (including events about IT security).

Now it's three weeks later and nothing has happened (i.e. neither did I get a reply nor did the admin change the password). If I were the admin, I know what should be done. But how to handle this situation when the admin won't handle the issue professionally? So far, I have only sent them a second email today.

I can think of three things to do, but I'm not sure if I'm legally on the safe side here:

  1. Send an email to all users to inform them about the issue.
  2. Write a blog post on their homepage like "This website has been compromised". (I am sooooo tempted to do that. I feel it's morally fine, as I wouldn't change anything else and feel their user base needs to know about the issue. But I'm not sure if I could be in trouble if I did that?)
  3. Inform the Federal Trade Commission about it. (The website is based in the US.)

Do you have any advice on what I am legally and morally allowed and obliged to do?

selfthinker

  • I am very concerned that you have admitted accessing a system without authorization. You might very well want to cut your losses and stop now. Do not even attempt to go to that site again. If you get their attention they might just sic their lawyers on you. – Andrew Russell Jun 26 '11 at 01:06
  • Note the disaffected person who posted/leaked the admin account details might be the only one reading the email that you originally sent. – Andrew Russell Jun 26 '11 at 01:08
  • As I have just learned that accessing a system without authorization can be a crime in some countries, your concerns may be justified. But I don't see anything ethically wrong about it (because I haven't done anything bad with that access and only have good intentions) and think keeping that access willingly (?) open is a much bigger crime. Stopping now won't help at all, as they already have my details anyway. But I (obviously) won't log in again. – selfthinker Jun 26 '11 at 10:42

2 Answers

14

For legal advice you need to seek a lawyer. In some countries it is already illegal to do a "test" login with an account that does not belong to you.

What would I do?

If the IT department does not answer and does not fix the issue, you should try to reach other people at the company, especially upper management, public relations, customer relations, and high-level support.

Contact the CERT that is responsible for you or that company. They have lots of experience in getting attention from the right people. So in this case the US CERT.

The moderators of the Bugtraq mailing list have been helpful, too.

Other ideas

Paper mail may get you attention more easily than electronic mail, especially if it is a paper mail with delivery confirmation.

You can try to reach them by phone. This is probably the most efficient way, but be careful that they cannot claim later that you tried to blackmail them.

You can tell them that you will try to reach them via public media on the xxxx-xx-xx (2 weeks from now) as the last resort if you cannot get through to them. But again, make it very clear that you just want a confirmation that your report has been received.

You can reach out to the media right away, perhaps agreeing with them in advance that they will contact that company before publishing the story.

You surely should not abuse the admin account to change any content on their website, including making a blog post.

If you go public yourself, as a blog post on your side or on your user page on that wiki, I'd do that in the form of an open letter: a short introduction saying that all your attempts to reach the company have failed so far, therefore you are publishing this letter in the hope that it will finally be noticed by that company. Perhaps add that you have decided to go public because you feel ethically pressured to warn people whose personal data is at risk. And then the original email. It may be a good idea to redact the details (e.g. the password and the name of the wiki page if it's still in the history).

Hendrik Brummermann

  • Thanks for the extensive advice. In my second email I already included another person of that company. I'm not sure if the company is "important enough" for reporting anything publicly. I'd only do that as a last resort. I guess I will wait a few days, and if they still haven't replied, I'll contact the CERT as you suggested. – selfthinker Jun 25 '11 at 22:38

8

In this case, I would be tempted to invoke Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity. They're probably not evil, they may just have that admin account going to an external web designer / employee who has left the company / some other un-monitored email account.

My suggestions would be:

  • Call them on the phone, and try to reach someone in management, and tell them in plain simple language what the problem is.

  • Over here in Scandinavia, we have a public register of companies, foundations etc. This register can be accessed online, and the addresses of the members of the Board of Directors can be found. If you can do the same, then call them, or send them a letter (paper mail) explaining the issue, and that you have twice tried just reaching the webmaster. This should certainly get their attention.

Regardless of what your personal feelings are, I don't think a public humiliation is the right answer. It's not that I mind shaming them for their acts; it's more that:

  • A public display might invite bad people to compromise their systems further before these guys get their security cleaned up.
  • The site owner might be tempted to aggressively blame you, in order to deflect attention away from their own mistakes (here's one example of that).

  • Thanks for your answer. It's not so much about shaming, it's more about finding the best way of letting their users know that their details were at a potentially high risk of having been stolen. (Although the shaming is a human desire I feel as well. ;-) But that's easy enough to resist.) In this case the person I contacted is the CEO of that company, so it's quite safe to assume that he (or his secretary) regularly reads his emails. – selfthinker Jun 25 '11 at 22:46