Poll: What Would You Do? (19 voters, multiple choice)

  • E-mail the ISP and ask them to fix it: 15 (78.95%)
  • E-mail a national paper/news agent and make some money: 4 (21.05%)
  • Something else: 1 (5.26%)

Thread: What would you do...

  1. #1 ukanalyst (Regular Member, joined Jul 2006, Cheshire)

    What would you do...

    You find a security flaw with a Major ISP that allows you to log into ANY of their customers' e-mail accounts to read/send e-mail, but also allows you to view and change ALL of their personal account details including connection type, tel no, address, payment details etc etc.

    The flaw requires only the victim's e-mail address to allow you access.

    Do you:

    a. e-mail the ISP and ask them to fix it
    b. e-mail a national paper/news agent and make some money
    c. something else

    I have gone for option A at the moment - providing evidence (a screen shot of their support mailbox) and stated that they must call me within 24 hours so I can explain to them where the flaw is and how it works.

    I'm now thinking though that maybe I should have done something else and perhaps there was a bit of money to be had??

    What would you guys do? (NB they still haven't come back to me after an hour so far!!)

    Dave

  2. #2 Mrs D (Regular Member, joined Jul 2005)

    Blimey Dave - that's a big dilemma!!! Personally I like to think I am nice and honest and would admit what I could see, giving them a chance to fix it. Too much legal danger I believe in the (admittedly rather lucrative!) alternative!!!

    Too nice for my own good, me! Interesting though - nothing this exciting ever happens to me!!!!

  3. #3 RSV_Ecosse (Regular Member, joined Mar 2006, Falkirk, Scotland)

    I'm thinking you did the right thing with option "A" m8.

    Well done.

    Maybe the ISP in question should take your services on-board as a beta tester.

  4. #4 spoons (Guest)

    Hi Dave, Got your email and just logged in.

    It may be wise to let the ISP know that they have a 'potential' security flaw, that you have stumbled over or identified.

    But be cautious that you are able to explain how you found this security flaw without appearing to have 'hacked' their system.

    Suggesting or demanding money in exchange for information that will enable them to secure their systems may also not be a good move.

    My advice is to proceed with caution.
    Last edited by spoons; 15th December 2006 at 00:32.

  5. #5 Regular Member (joined Oct 2005, The Blackburn End)

    Option A without a doubt. You have a clear conscience and nothing to hide.

  6. #6 ukanalyst (Regular Member, joined Jul 2006, Cheshire)

    Cheers guys ... I'm sure that my conscience will be clearer this way.

    What REALLY REALLY REALLY Annoys me though is they still haven't come back to me after nearly two hours now despite an e-mail from my address and another one from one of their test mailboxes!

    Quote Originally Posted by spoons:
    Hi Dave, Got your email and just logged in.

    Cheers Steve

    Quote Originally Posted by spoons:
    It may be wise to let the ISP know that they have a 'potential' security flaw, that you have stumbled over or identified.

    The e-mail I sent says ...

    Dear Support,

    I have discovered a CRITICAL Security Issue with your <ISP_NAME> WebMail platform that allows ANYONE access to ANYONE’s mail box WITHOUT knowing their password. Clearly this issue needs to be fixed IMMEDIATELY as it not only puts my mailbox at risk but also the mail boxes of every one of your customers along with any personal details they have sat in their e-mail.

    As this is such a sensitive issue I will not describe the method I used to do this by e-mail but instead I require that a SENIOR Support/Development engineer call me immediately on this number: <My_Mobile_Number>.

    To prove the issue exists I have attached to this e-mail a screenshot of the support@<ISP_NAME> mailbox and its contents.

    Clearly this is an embarrassing issue for <ISP_NAME> and it would not be great for your reputation if I were to release this information into the public domain; however, if I do not hear from you within 24 hours I will have no choice but to circulate the existence of this serious flaw in order that customers can protect themselves.

    Regards
    Quote Originally Posted by spoons:
    But be cautious that you are able to explain how you found this security flaw without appearing to have 'hacked' their system.

    That certainly isn't the case ... however I clearly needed to test that what I thought I had found was indeed correct with a couple of random e-mail addresses I found using Google. That said, I have of course not changed anything or caused any damage in doing this.

    Quote Originally Posted by spoons:
    Suggesting or demanding money in exchange for information that will enable them to secure their systems may also not be a good move.

    I wasn't and wasn't planning on suggesting that ... I was merely thinking about a financial exchange with interested press parties, but only after I had notified the ISP. However I might just suggest they may want to offer me a gesture of goodwill for my services in bringing this flaw to their attention, saving them serious public embarrassment.

    Quote Originally Posted by spoons:
    My advice is to proceed with caution.


    Edit: I discovered that I could also access account details/payment details etc after I sent the initial e-mail so sent that info from one of their test accounts!

  7. #7 RSV_Ecosse (Regular Member, joined Mar 2006, Falkirk, Scotland)

    Who voted for "Option B" then?

  8. #8 ukanalyst (Regular Member, joined Jul 2006, Cheshire)

    Quote Originally Posted by Mrs D:
    Interesting though - nothing this exciting ever happens to me!!!!

    Hee hee ... I have discovered some serious flaws with systems in the past but nothing as serious as this ... exciting stuff ... you will come and visit me in prison though, won't you??

  9. #9 ukanalyst (Regular Member, joined Jul 2006, Cheshire)

    Right, well, still no call ... think I'd better head off to bed ... hope I don't get a call at 1am though. I will probably call their cust svc no tomorrow and state that a technical Manager MUST call me back ASAP if I haven't heard from them by lunch time ... very poor that I should have to do that though.

    Dave

  10. #10 spoons (Guest)

    Be cautious Dave, these businesses do not have a sense of humour and they may choose to twist the story that you have already compromised a couple of members' email addresses by using this security flaw that you have discovered.

    You don't want to look or appear to be behaving like a hacker yourself.

    Well done on finding this though, hope you get the positive recognition that you deserve.
