15

A chap I'm bidding to do some development for has a social network he wrote himself. Not the next facebook by any stretch. But a few thousand local users.

I went to have a look at it to see what level of knowledge he had so I knew how to position myself for this potential job.

I tapped a single quote into the login box on the front page and up pops a SQL error. So I tried a simple " a' or 'a'='a " in each box and was immediately logged in as the administrator.

He had written a fairly comprehensive administration site by the looks of things. At the bottom of the page a "Download SQL Backup" button. This is where I stopped.

My question is this. What do I do?

As a developer myself I would appreciate the heads up. But as someone who's hopefully going to be paid to do some work for him I wouldn't want to throw all sorts of trust issues into the mix.

Any ideas?

bencoder
  • 329
  • 2
  • 5

6 Answers6

23

I'd tell him. If he gets mad about you informing him rather than abusing your new found knowledge, do you really want to work for him? You owe it to the users of the site as well...

Brimstedt
  • 421
  • 3
  • 4
20

It's important that you take Security Vulnerability Disclosure seriously. Improper disclosure may in some jurisdictions be a crime, and is certainly Not Cool. Good disclosure involves privately notifying the vendor and giving them a grace period in which they must provide a fix and a full disclosure (if customers have been impacted). After that grace period, you may then disclose.

Wiki says:

A responsible disclosure first alerts the affected vendors confidentially before alerting CERT two weeks later, which grants the vendors another 45 day grace period before publishing a security advisory.[27]

A full disclosure is done when all the details of vulnerability is publicized, perhaps with the intent to put pressure on the software or procedure authors to find a fix urgently.

That said, you have to tell him and quickly. The next person to discover the exploit (and this one is trivial, so that will happen quickly) might not be so responsible.

As far as trust issues go, explain to him exactly what you explained to us. Tell him that you haven't disclosed the vulnerability to anyone other than him. If I were him (and I have been in a situation where I wished the attacker had disclosed properly), that would make me trust you more. In fact, I would pay you for the information and for your responsible disclosure.

Community
  • 1
Rein Henrichs
  • 13,112
  • 42
  • 66
12

Yeah. I stumble upon security holes while browsing potential client work on occasion as well.

I think you absolutely need to make him aware, but I would not mention it in the context of evaluating the quality of his work.

8

No question I'd tell him.

I might frame it as you were just poking around doing some research on what's already there, gearing up to jump into the project as quick as possible (maybe mention some things that you think were done well, if nothing else, to stroke his ego).

Then drop the bomb, but immediately follow it be explaining that you are aware of these issues as they're fairly common and the first thing that you'd like to do is to have the opportunity to purge his system of these critical security risks.

Demian Brecht
  • 17,555
  • 1
  • 47
  • 81
1

Ask one of your friends to report it to him. That way, the users are protected, and the trust issues and other problems don't affect your potential employment.

blueberryfields
  • 13,200
  • 8
  • 51
  • 87
  • 2
    And most importantly it's *your friend* that gets investigated by the police for hacking, and not *you*. – Simon B Apr 09 '15 at 09:16
  • @SimonB if that's a worry, then substitute professional security news reporter, like, say http://krebsonsecurity.com/ – blueberryfields Apr 09 '15 at 13:46
1

You could always send a description of the vulnerability in an anonymous email. This allows them to fix it without any possible ramifications on you.

Morgan Herlocker
  • 12,722
  • 8
  • 47
  • 78