5

Four years ago, I discovered that an applet on my college's website sends SQL queries directly to a server application. The databases contain nominal and personal information about students and grades, and possibly more (SSNs?), but I'm not sure as I haven't tried anything, because I'm a good person.

In December 2010, I warned them of the potential vulnerabilities, and they thanked me. I know for a fact that the CTO was warned.

Four years later, the application is still up. The mechanics haven't changed, and the (deobfuscated) packet capture still shows SQL requests going to the server from the client. It could be that the server somehow checks them against a list of valid requests or something, but I can't be sure, and there are probably a few tripwires that I don't want to risk triggering without formal authorization, which is not something that I expect to get.

What should I do?

AviD

  • Keep in mind that schools and colleges are notorious for being over-reacting asshats in response to security notices. Kids have been kicked out or even arrested over them. My advice would be to tread very carefully. – Polynomial Nov 04 '14 at 21:08
  • Report it again, and leave it at that. There is nothing much you can do until someone in the correct position to do something cares. – schroeder Nov 04 '14 at 21:41
  • Public Disclosure Time! :) – Stolas Nov 05 '14 at 10:35
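The two designs the question contrasts, as an added illustration that is not part of the original post or the college's software: a server that executes SQL text received from the client next to one that exposes only named, parameterized operations. The schema, table contents and session handling are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the college database (an assumption, not from the post).
SCHEMA = """
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT, ssn TEXT);
INSERT INTO students VALUES (1, 'Alice', 'A', '000-00-0001');
INSERT INTO students VALUES (2, 'Bob',   'B', '000-00-0002');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def passthrough_server(conn, client_sql):
    """The design the question describes: the applet ships SQL text and the
    server executes it as received. Nothing here can tell the statement the
    applet was written to send apart from any other statement a client might
    send, so every table the connection can reach is exposed. Comparing the
    incoming text against a list of known statements (the check the poster
    speculates about) only narrows this; it does not remove the trust in
    the client."""
    return conn.execute(client_sql).fetchall()

# Hardened design: the wire protocol carries an operation name, never SQL.
# Each operation is a fixed, parameterized statement kept on the server, and
# the row filter comes from the authenticated session rather than the client.
OPERATIONS = {
    "my_grade": "SELECT name, grade FROM students WHERE id = ?",
}

def allowlist_server(conn, op_name, session_student_id):
    """Returns ("ok", rows) or ("rejected", reason). The client chooses only
    which named operation runs; it cannot alter the statement or its filter."""
    sql = OPERATIONS.get(op_name)
    if sql is None:
        return ("rejected", f"unknown operation {op_name!r}")
    rows = conn.execute(sql, (session_student_id,)).fetchall()
    return ("ok", rows)
```

In the second design the server logs can record which named operation each session requested, which is the kind of audit trail the first design cannot produce.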

2 Answers

6

If you are no longer a student in that college, then you could sue them for not applying due care in the handling of your personal data. Technically you could also do that if you are still a student there, but no longer being a student means that they would have a harder time retaliating if they are so minded.

The crucial point here is that being a potential victim gives you an acceptable reason for putting your nose in these matters. Otherwise it would be all too easy to flag you as an Evil Hacker™ and handle the problem by throwing you in the lawyers' pit, instead of actually fixing the software.

Tom Leek

  • Depending on jurisdiction, he might not be able to sue unless there is actual loss. There is also the potential to alert his government Privacy watchdog office. – schroeder Nov 04 '14 at 21:51
  • schroeder, you can always sue. However, to win a negligence suit one needs to prove an actual loss. –  Nov 04 '14 at 22:24
  • A potentially less involved method would be to **threaten** to sue. It depends on the end goal. – Matthew Peters Nov 06 '14 at 15:23
2

Well, I don't know where you're from, but in the Netherlands we've got something called the "National Cyber Security Centre", which is actually some kind of CERT. Besides security flaws in governmental systems, you can also warn them about security flaws in other vital systems. If you live in the Netherlands you should take a look at it: https://www.ncsc.nl/security. If you're living somewhere else, I would recommend you take a look at the website of your country's governmental CERT to see what they say about security flaws and responsible disclosure in systems of third parties.

On this website, http://www.first.org/members/teams, you can find a list of CERTs worldwide with their websites.

Mike van L