What would you do...

[ukanalyst]

You find a security flaw with a Major ISP that allows you to log into ANYONE of their customers e-mail accounts to read/send e-mail but also allows you to view and change ALL of their personal account details including connection type, tel no, address, payment details etc etc.

The flaw requires only the victims e-mail address to allow you access.

Do you:

a. e-mail the ISP and ask them to fix it
b. e-mail a national paper/news agent and make some money
c. something else

I have gone for option A at the moment - providing evidence (a screen shot of their support mailbox ) and stated that they must call me within 24 hours so I can explain to them where the flaw is and how it works.

I'm now thinking though that maybe I should have done something else and perhaps there was a bit of money to be had??

What would you guys do (NB they still haven't come back to me after an hour so far!!)

Dave

[Mrs D]

Blimey Dave - that's a big dilemma!!! Personally I like to think I am nice and honest and would admit what I could see, giving them a chance to fix it. Too much legal danger I believe in the (admittedly rather lucrative!) alternative!!!

Too nice for my own good, me! Interesting though - nothing this exciting ever happens to me!!!!

[RSV_Ecosse]

I'm thinking you did the right thing with option "A" m8.

Well done.

Maybe the ISP in question should take your services on-board as a beta tester.

[spoons]

Hi Dave, Got your email and just logged in.

It may be wise to let the ISP know that they have a 'potential' security flaw, that you have stumbled over or identified.

But be cautious that you are able to explain how you found this security flaw without appearing to have 'hacked' their system.

Suggesting or demanding money in exchange for information that will enable then to secure their systems, may also not be a good move.

My advice, is to proceed with caution.

[SCOTTEX]

Option A without a doubt. You have a clear consience and nothing to hide.

[ukanalyst]

Cheers guys ... I'm sure that my conciounce will be clearer this way

What REALLY REALLY REALLY Annoys me though is they still haven't come back to me after nearly two hours now despite an e-mail from my address and another one from one of their test mailboxes!

Hi Dave, Got your email and just logged in.

Cheers Steve

Hi Dave, Got your email and just logged in.
It may be wise to the let the ISP know that they have a 'potential' security flaw, that you have stumbled over or identified.

The e-mail I sent says ...

Dear Support,

I have discovered a CRITICAL Security Issue with your <ISP_NAME> WebMail platform that allows ANYONE access to ANYONE’s mail box WITHOUT knowing their password. Clearly this issue needs to be fixed IMMEDIATELY as it not only puts my mailbox at risk but also the mail boxes of every one of your customers along with any personal details they have sat in their e-mail.

As this is such a sensitive issue I will not describe the method I used to do this by e-mail but instead I require that a SENIOR Support/Development engineer call me immediately on this number: <My_Mobile_Number>.

To prove the issue exists I have attached to this e-mail a screenshot of the support@<ISP_NAME> mailbox and it’s contents.

Clearly this is an embarrassing issue for <ISP_NAME> and it would not be great for your reputation if I were to release this information into the public domain, however if I do not hear from you within 24 hours I will have no choice but circulate the existence of this serious flaw in order that customers can protect themselves.

Regards

But be cautious that you are able to explain how you found this security flaw without appearing to have 'hacked' their system.

That certainly isn't the case ... however I clearly needed to test that what I thought I had found was indeed correct with a couple of random e-mail addresses I found using google. That said I have of course not changed anything or caused any damage in doing this.

Suggesting or demanding money in exchange for information that will enable then to secure their systems, may also not be a good move.

I wasn't and wasn't planning on suggesting that ... I was merely thinking about a financial exchange with interested press parties but only after I had notified the ISP. However I might just suggest they may want to offer me a gesture of goodwill for my services in bringing this flaw to their attention saving them serious public embarrasment

My advice, is to proceed with caution.

Edit: I discovered that I could also access account details/payment details etc after I sent the initial e-mail so sent that info from one of their test accounts!

[RSV_Ecosse]

Who voted for "Option B" then?.

[ukanalyst]

Interesting though - nothing this exciting ever happens to me!!!!

Hee hee ... I have discovered some serious flaws with systems in the past but nothing as serious as this ... exciting stuff ... you will come and visit me in prison though wont you??

[ukanalyst]

Right well still no call ... think I'd better head off to bed ... hope I don't get a call at 1am though I will probably call their cust svc no tomorrow and state that a technical Manager MUST call me back ASAP if I haven't heard from them by lunch time ... very poor I should have to do that though

Dave

[spoons]

Be cautious Dave, these businesses do not have a sense of humour and they may choose to twist the story that you have already compromised a couple of members email addresses already, by using this security flaw that you have discovered.

You don't want to look or appear to be behaving like a hacker yourself.

Well done on finding this though, hope you get the positive recognition that you deserve.