Dumb Question

From: Sean Warnock (swarnock.removeme_at_warnocksolutions.com)
Date: 09/19/05

  • Next message: bugtraq_at_morph3us.org: "[BuHa-Security] Multiple vulnerabilities in (admincp/modcp of) vBulletin 3.0.8/9"
    To: "Bugtraq" <bugtraq@securityfocus.com>
    Date: Mon, 19 Sep 2005 00:11:30 -0700
    First of all I want to say hello to the few people that I met at
    Toorcon 2005. For my first security conference you guys helped make it
    magical. Also greets go out to the guys from the San Fernando Linux users
    group. You guys are great and I'll have to make it your way one of these
    days.

    The real reason for this post is to ask about how to handle
    "responsible reporting" of a bug. I have found what I believe to be an
    information disclosure vulnerability on a website. The website is an online
    dating website (yes, I realize this is a little pathetic, don't ask). I
    have been able to read any message sent to any user on the website by simply
    modifying the HTTP GET request for a message, e.g.
    "www.somesite.com/mymessages/displaymsg.cfm?mid=XXXXXX" where XXXXXX is the
    message id to pull. This apparent attack requires that you are logged into
    the site before you can pull messages.

    The only hitch is that the site seems to be sending messages to its
    own users to generate revenue. I have been able to walk up and down through
    several hundred messages that are time stamped within a few minutes of each
    other and have the exact same message text. The only difference between the
    messages is the sending person. I do find messages that are completely
    different, but they are generally at different times. I believe that what
    this site is doing could or should be considered fraud (and yes, I did
    personally fall for this, again don't ask).

    <newbquestions>
    1. If I report this problem, what kind of legal ramifications should I
    look at?
    2. Who would I report this site's possibly illegal activities to? I
    believe what they are doing could fall under fraud, but I really have no
    idea if current law would cover this.
    3. Finally, what would be some possible avenues for reporting this to
    the press to simply embarrass the living daylights out of the people who
    run this website? If I pulled enough data to prove this, could this get
    me into legal trouble?
    4. Final thought-- any suggestions beyond my questions are welcome,
    except DoSing the site. I am a little upset with their behavior, but not to
    the point of doing anything illegal myself or prompting others to do
    something illegal.
    </newbquestions>

    Any suggestions are welcome both on and off list.

    Sean

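The flaw Sean describes is a missing object-level authorization check: `displaymsg.cfm` verifies that a session exists but not that the requested `mid` belongs to the session user, so any logged-in account can read any message by changing the id. The following Python sketch is an added example and is not code from the post or from the site (which runs ColdFusion); it models the vulnerable handler next to the corrected one, and then runs a simple enumeration detector over constructed access-log lines. All message data, user names, and log lines are constructed for the illustration, and the log format is an assumption.

```python
"""Insecure direct object reference (IDOR) on a message-display endpoint:
the vulnerable lookup, the ownership check that fixes it, and a detector
for id-walking in access logs. Added example; all data is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    mid: int
    sender: str
    recipient: str
    body: str


# Constructed stand-in for the site's message table.
MESSAGES = {
    1001: Message(1001, "alice", "bob", "hi bob"),
    1002: Message(1002, "carol", "dave", "hi dave"),
    1003: Message(1003, "erin", "bob", "hello again"),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def display_msg_vulnerable(session_user, mid):
    """Mirrors displaymsg.cfm?mid=...: checks only that someone is logged in."""
    if session_user is None:
        raise Forbidden("login required")
    msg = MESSAGES.get(mid)
    if msg is None:
        raise NotFound(mid)
    return msg.body  # any logged-in user can read any message id


def display_msg_fixed(session_user, mid):
    """Object-level authorization: the id must belong to the session user."""
    if session_user is None:
        raise Forbidden("login required")
    msg = MESSAGES.get(mid)
    # Answer identically for missing and foreign ids so the endpoint does
    # not confirm which ids exist.
    if msg is None or session_user not in (msg.sender, msg.recipient):
        raise NotFound(mid)
    return msg.body


def can_read(handler, session_user, mid):
    """True if the handler returns the message, False if it refuses."""
    try:
        handler(session_user, mid)
        return True
    except (Forbidden, NotFound):
        return False


# Assumed log format (constructed): "<ts> user=<u> GET <path> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET "
    r"/mymessages/displaymsg\.cfm\?mid=(?P<mid>\d+) (?P<status>\d{3})$"
)


def parse_log(lines):
    """Map each user to the list of message ids they requested."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits[m["user"]].append(int(m["mid"]))
    return hits


def flag_enumeration(lines, min_run=5):
    """Return {user: longest_run} for users whose requested ids contain a run
    of >= min_run consecutive values. A user's own inbox yields scattered ids;
    walking up or down the id space yields a long consecutive run."""
    flagged = {}
    for user, mids in parse_log(lines).items():
        ids = sorted(set(mids))
        longest = run = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[user] = longest
    return flagged


# Constructed sample log: "bob" reads two of his own messages, "walker"
# requests eight consecutive ids, and one unrelated line is ignored.
SAMPLE_LOG = [
    "2005-09-19T00:11:30 user=bob GET /mymessages/displaymsg.cfm?mid=1001 200",
    "2005-09-19T00:12:02 user=bob GET /mymessages/displaymsg.cfm?mid=1003 200",
    "2005-09-19T00:14:00 user=bob GET /index.cfm 200",
] + [
    f"2005-09-19T00:13:{i:02d} user=walker GET /mymessages/displaymsg.cfm?mid={2000 + i} 200"
    for i in range(8)
]

if __name__ == "__main__":
    print("vulnerable, bob reads 1002:", can_read(display_msg_vulnerable, "bob", 1002))
    print("fixed, bob reads 1002:", can_read(display_msg_fixed, "bob", 1002))
    print("flagged:", flag_enumeration(SAMPLE_LOG))
```

The fix is the single `session_user not in (msg.sender, msg.recipient)` test; returning the same not-found response for foreign and nonexistent ids keeps the endpoint from leaking which ids are valid. The detector is deliberately simple: it only looks at consecutive-id runs per user, so a real deployment would also want a time window and a threshold tuned to how the site assigns ids.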