Hi All,
I have a question of ethics here… I recently discovered a loophole on a big retailer website. Basically I am able to make orders without paying anything, I've confirmed it 100% works.
Unsure how to act here… my obvious options are:
- Report the issue to the company
- Do nothing
- Take advantage of it
What are your thoughts on this sort of thing? I'm torn.
PS: No, I won't disclose the name of the retailer or how it works.
This is less a question of ethics, and more a question of responsible disclosure. The main question is whether you feel that you need to disclose the vulnerability to the "target" organisation.
There are a range of very valid reasons as to why someone would choose not to disclose vulnerabilities to a vendor. The most compelling is, oftentimes a person from the general public may be accused of "unauthorised access/misuse of computer systems" as part of vulnerability identification when they let the vendor know.
If you are professionally a security researcher/penetration tester/{sys|network} admin etc, then the likelihood of something like the above happening when reporting vulnerabilities is almost non-existent. There are many reasons behind this, the most important being credibility and attribution.
However, if you are joe-public, I would urge you to be a lot more cautious. :) Especially if it is a relatively large organisation, and you have actually exploited the vulnerability (to test it of course).
Some advice if this is indeed the case:
1. Be extremely polite in your initial email. Make sure all comms are conducted in a professional and courteous manner.
2. Use a burner email account.
3. Your initial contact should contain very little technical detail. Ask to be provided the email details of the relevant technical department.
4. In your subsequent emails, provide as much information as you can about the issue. Include screenshots etc, as well as steps to replicate it. Try not to include screenshots or information that clearly demonstrates that you have exploited the vulnerability (try not to self-incriminate :P )
5. At no point hint at (or worse, blatantly ask for) a reward/compensation for your time. This can be legally construed as blackmail/coercion etc. Don't shoot yourself. If the organisation is not bloody minded, you'll get something out of it.
I would be very careful with disclosing this to your friends and family. Also, I would highly recommend not abusing the vulnerability, as you may be in a world of pain if discovered. Unfortunately, laws around the world are an absolute clusterf**k, and on a number of occasions, a ridiculously ham-fisted approach is taken to punishments (especially as there is a disproportionate assessment of "impact").
Full Disclosure:
I work in the "industry" and have done this previously. Most of the time, all you get is a warm "thank you", but sometimes I've gotten a license key or subscription as a gesture of gratitude. :)