lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 19 Sep 2005 00:11:30 -0700
From: "Sean Warnock" <swarnock.removeme@...nocksolutions.com>
To: "Bugtraq" <bugtraq@...urityfocus.com>
Subject: Dumb Question


        First of all I want to say hello to the few people that I meet at
Toorcon 2005.  For my first security conference you guys helped make it
magical.  Also greets go out to the guys from the San Fernando Linux users
group.  You guys are great and I'll have to make it your way one of these
days. 
        The real reason of this post is to ask about how to handle
"responsible reporting" of a bug.  I have found what I believe to be an
information disclosure vulnerability on a website.  The website is an online
dating website (yes I realize this is a little pathetic, don't ask.).  I
have been able to read any message sent to any user in the website by simply
modifying the HTTP GET request for a message ex.
"www.somesite.com/mymessages/displaymsg.cfm?mid=XXXXXX" where XXXXXX is the
message id to pull.  This apparent attack requires that you are logged into
the site before you can pull messages.
	The only hitch is that the site seems to be sending messages to its
own users to generate revenue.  I have been able to walk up and down through
several hundred messages that are timed stamped within a few minutes of each
other and have the exact same message text.  The only difference between the
messages is the sending person.  I do find messages that are completely
different but they are generally at different times.  I believe that what
this site is doing could or should be considered fraud (and yes I did
personally fall for this, again don't ask).

<newbquestions>
1.	If I report this problem what kind of legal ramifications should I
look at?
2.	Who would I report this sites possibly illegal activities to?  I
believe what they are doing could fall under fraud but I really have 	no
idea if current law would cover this?
3.	Finally, what would be some possible avenues for reporting this to
the 	press to simply embarrass the living daylights out of the people who
run this website?  If I pulled enough data to prove this could this 	get
me into legal trouble?
4.	Final thought-- any suggestions beyond my questions are welcome
except 	DOSing the site.  I am a little upset with there behavior but not to
the point of doing anything illegal myself or prompting others to do
something illegal.
</newbquestions>

Any suggestions are welcome both on and off list.

Sean

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ