Any notion that a third party could threaten someone for communicating with me, or even the notion that someone should go through a third party I have given no gatekeeping-like permission to, is offensive to my basic dignity as a human being.
This would only make sense if the vendor didn't care. But even then it's a long uphill battle.
Any reasonable person would expect the vendor to take umbrage to being threatened with press coverage in front of his customers. Sam would have had the best chance getting the problem fixed by sending a separate e-mail to the vendor that did not include a presumption of bad faith.
Can someone describe the specific vulnerability in more detail? All the example URLs in the article yield an SQL syntax error, which definitely puts the site at high risk for such vulnerabilities. However, on the other hand, I saw no URLs that actually demonstrated successful injection.
For it to be an injection vulnerability, the server needs to execute the query (not fail with a syntax error).
Does anyone have a working example? Nothing malicious please. I tried several basic techniques and was unsuccessful, due to what appears to be escaping on double and single quote characters.
SQL Injections are the basis of escalating further and possibly even hacking into the whole underlying system.
I know for a fact that I can dump any of these databases within hours. I do not know what's in them, but I'm guessing it's not information that any of these 100.000 business owners will want to disclose of their clients.
I also know it's illegal, but then again, will that bother any 13 year old kid that feels himself a 1337 h4xx0r? Any Russian delegation? I think not.
So no, it is not just a syntax error.
(It's obvious to me that the site is under high risk since user-provided strings show up in SQL validation errors, which includes the rest of a real query, but simple injections like using ' and " to break out did not work in my few minutes of trying, so I'm interested to learn what worked.)
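As an added illustration of the distinction drawn in this sub-thread (a quote in user input that merely breaks the parser versus the same input handled safely), not code from the article or from the vendor: a constructed sqlite3 lookup built by string concatenation beside its parameterized form, plus a small triage helper for the symptom noted above, user-supplied text echoed back in the database error. The table, rows and names are made up.

```python
import sqlite3

# Constructed in-memory sample table; nothing here comes from the sites discussed.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE clients (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO clients VALUES (?, ?)",
                    [(1, "Acme"), (2, "O'Brien Ltd")])
    return con

def lookup_concat(con, name):
    # Builds the statement by string concatenation: user text becomes SQL syntax,
    # so an input containing a quote produces a parser error, which is the
    # symptom the thread is asking about. Shown only as the defect to replace.
    sql = "SELECT id FROM clients WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_bound(con, name):
    # Hardened form: the driver binds the value separately from the statement
    # text, so quotes (or anything else) in the input are data, never syntax.
    rows = con.execute("SELECT id FROM clients WHERE name = ?", (name,))
    return [row[0] for row in rows]

def concat_error_text(con, name):
    # Returns the database error message the concatenated query produces for
    # this input, or None if it parsed cleanly.
    try:
        lookup_concat(con, name)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

def error_echoes_input(error_text, user_input):
    # Triage check: does the error message reflect a fragment of what the user
    # typed? That is the sign that raw input reached the SQL parser and that the
    # application is surfacing parser output to the client; the fix is binding
    # parameters (above) and returning a generic error page, not a parser dump.
    if not error_text:
        return False
    cleaned = user_input.replace("'", " ").replace('"', " ")
    tokens = [t for t in cleaned.split() if len(t) >= 3]
    return any(t in error_text for t in tokens)
```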
Another issue is that security issues are often not visible to normal users. In the websmart example, a normal user looking for development services would have no idea that websmart has absolutely no clue how to do security. So, websmart gets the business, while the client gets a ticking time bomb, without even knowing it.
That, and most developers don't have any formal training in security concerns. I know I didn't when I first started - I had to pick it up as I went. It does not surprise me that these sorts of things keep coming up. Unless something changes - e.g. the majority of computer science degree programs include a course or two on security, I don't expect things to get drastically better.
That said, things like bug bounty programs help raise the visibility. And, at least many of the large tech companies do now respect security. We've at least improved in some ways as an industry.
Sam, you are truly a moron.
Yeah, I don't like Sam Bowne's approach. His initial email read as someone looking to make a name for himself (this is the biggest security flaw I've ever found! You have 6 days to respond!).
Despite this, if I had received an email like this I would have sent back a personal thank you followed with an outline of action steps. If I get another email from Sam asking more questions I'd reply as quickly as possible. Every transaction between him and me would be professional.
I'm reminded of a time when someone was convinced I was a hacker. It's a bit of a long story; I was tasked with creating a certification course for 2,000 employees. They all get emails telling them to log in and one guy saw the domain (companyname.columbo-companyname.com) and thought it was a Phishing scam. This employee then pulled up my company, does a WHOIS, called my cell phone a few times* and then promptly sent an email to the CTO (and about 6 other VPs) about a rogue hacker.
The whole thing turned into a massive cluster, suddenly I'm getting emails and phone-calls about a hacker in MY site (the CTO assumed I had been hacked and they had been hacked by proxy, nobody knew what was going on).
Took a few days to sort out and when they found out where it started the CTO sent me an apology to which I responded "Hey, it's no big deal, it's great you have an employee willing to raise alarm bells like this.".
Problem Solved.
There's nothing to gain from pissing matches or threats.
* I suspect he's the one that called me, got a strange call & text right before all this went down from a number I didn't recognize.
Six days to take down the websites and start bugfixing is a lot of time for this kind of vulnerability.
If I'm walking down a street and notice a broken door, do I have some obligation to track down the builder of the house and tell him about the issue?
To my mind, the good deed would be to inform the homeowner. At that point, I've done my part, and it's up to him to organise to fix his door if he wants to.
This dude went the extra mile even contacting the vendor.
I'm guessing the people on here all sympathise with the vendor because they can see themselves being in his shoes.
I could understand if he was making a business out of this, selling improved security. But this way it just looks like he's out to show people that he knows something they don't know and publicly shame them into some kind of response.
I noticed this in the initial response of websmart's owner that I've seen before in legal docs.
"I do not appreciate you taking the liberty of contacting my clients directly [...] you have no right or authority here. You could very well damage my business with this. If that happens you will be hearing from our lawyer."
This line in Sam's last email is especially dangerous (stating things he doesn't know and something which can be perceived as "soliciting for business"):
"This is a serious security defect. It is easy to fix, but Websmart has made it clear that they have no intention of fixing it. [...] If you have questions, or would like help fixing your website, feel free to contact me."
isn't very smart to say the least.
- Author sends a condescending, threatening, passive-aggressive, and shaming email to a vendor and its clients.
- Vendor respectfully explains that it was an unprofessional thing to do, because their client relationships were put at risk without them having a chance to correct their mistake.
- Author completely fails to understand why the vendor would think this, and interprets the email as an effort to "intimidate [him] into silence."
To be clear, I'm not excusing the vendor for their shoddy development work. I just think this professor is clueless about effective communication.
Now try and see it from the viewpoint of the poor sods who have the unfortunate fate of being this incompetent fool's clients.
You found a vulnerability in lots of sites so you contacted the vendor who was responsible for it. Cool. They replied and said they would fix it.
Going around and e-mailing their customers is kinda odd. Sure it may result in you feeling great but in the end the customers probably don't have a clue. Better to be mature about it and contact the vendor (who actually responds!)
If they stop responding or tell you to peter off, then it might be reasonable to do some type of disclosure. But not before you actually give them a chance to respond.
But, the notification didn't need to inform all of them at once in the same message - revealing multiple vulnerable customers to each other, ratcheting up the embarrassment for Websmart before even seeing their initial reply. And the one week deadline before pursuing "more drastic remedies, such as contacting news media" starts things in a confrontational, threatening manner.
If the aim was being helpful, a notice to Websmart first, and then to each other site individually, would have highlighted the problem without activating defensive egos. The messages to individual sites wouldn't even have to name Websmart, just an indication that "your vendor or host may be the party best able to fix". (The fact that not all the "…by Websmart" sites have the bug may indicate it's only a certain type or generation of their work that's problematic, or that a fix is relatively easy.)
So I see both sides unnecessarily escalating the righteous anger with their communication choices.
Secondly, publicly publishing the email addresses of the (innocent) victims, and emailing those clients with To instead of Bcc fields are both really inconsiderate moves.
So this is actually: "handful of sites have a sql injection vulnerability - owners & operators incapable of fixing". Hardly big news.
Instead, he's opened himself up for a flurry of negative attention not only from the public but from the unethical hacking community.
I can appreciate that it takes time and tact to deal with all the clients, something he is hopefully doing, but not even doing some basic work on your own corporate site is hard to understand.
There are also exploits in the Frontpage module his web server is running according to online databases.
Does this company have its own "cms" system? Is that why the error is so pervasive?
From what he says about his business under "About Us" the owner has a solid background of over 10 years in the broadcast industry as a radio personality.
My assumption is that he owns the business, and has owned it for a long time. He probably has very rudimentary html skills and can open his tool of choice DreamWeaver on a good day.
From what he says I think he outsources pretty much anything more than writing plain html. So he might be trying to deal with one or more contractors that he has hired for different sites. That probably makes it difficult for him to roll out any changes / patches in a timely manner. He is probably trying to get his / one of his contractors to do it for free, since he has discovered it's broken.
I think the appropriate action is for Owen Smart to take a step back. Take a deep breath. Realize that he is in a shitstorm now since the story hit HN.
He needs to reach out to and reassure his clients. He might want some help from a PR person here to make sure he presents well. Make them see that he is competent and taking action.
Hire in a developer with a strong background in security to review the code base(s) for additional problems, and come up with an immediate mitigation plan, and work out a longer term plan to deal with the issues identified.
Make sure to follow up with the clients about target dates for fixing their sites.
He may also have to add a section on his corporate page, with some help from a PR person, and give his version of events in the best, least confrontational manner, and again say that he has the resources and the plan for addressing the issues that have been raised. Some BS about thanking the people who helped him find the issues, and reassuring future clients that this will no longer pose any problems.
Happiness all around.
We are currently working on upgrading our Portfolio of web sites and special projects. Please check back again soon.
Does anyone want to use an apostrophe and help him work on this page?