undefined | Better HN

0 pointsams611011y ago0 comments

1) Be careful, people who submit proof-of-concept exploits to websites have been arrested for circumventing digital security measures.

2) It's HIGHLY unlikely that you are the first person to discover this, especially if it's a top 100 site. Those sites are constantly probed by attackers looking for exploits precicely because they are so valuable. Something like XSS due to unsanitized input would he found quickly as there are automated tools that do exactly that. Just report it to CERT, as suggested.

3) You may have hit a honeypot.

0 comments

3 comments · 2 top-level

shangxiao11y ago· 1 in thread

A couple of years ago in Australia a security consultant noticed that firststatesuper.com.au had a gaping security hole in that he could manually change an ID in the URL and gain access to other users' account information.

He kindly notified First State like any good samaritan, and so what do First State do in return? Disable his account, report the "offence" to the police, demand that their IT dept examine his computer, demanded that he sign a letter to admit liability and threaten to pursue any costs related to the matter.

Luckily the Police had more common sense, realised what had actually happened and decided not to take any action.

Reference: http://www.theage.com.au/technology/security/super-bad-first...

joshschreuder11y ago

The same thing happened this year with a teenager who found a SQL injection in the Victorian public transport website: http://www.pcworld.idg.com.au/article/549362/australian_teen...

He disclosed to the organisation who then set the police onto him. Luckily he got off with a warning from police, but that's after having equipment seized etc.

patcheudor11y ago

I'll add to this. Be careful in the future. You stated that you are an amateur at this and aren't entirely sure on what to do. That's the quickest way to set yourself up for some long term hurt.

The problem is, when you start poking at server-side flaws as opposed to ones that might exist in applications you run client side like mobile apps, you are entering some very dangerous territory as you are engaged in what is generally considered to be hacking someone else's infrastructure. In the last few years a lot of people in the security community have been probing sites for XSS, SQLi and many other server side vulnerabilities but they are doing so at fairly high risk and as such many use multiple techniques to remain anonymous. All it takes is someone on the receiving end to decide to call the FBI and it doesn't matter how good your intentions were, your life is most likely going to change. I've seen this happen first hand to people I know. One guy I know reported an XSS flaw, offered to help fix it, and was accused of extortion as the receiving company figured his offer to "fix it" came at some cost. Luckily they backed down & he only lost about a weeks worth of pay after being suspended while an investigation took place.

j / k navigate · click thread line to collapse