First of all I want to say hello to the few people that I met at Toorcon 2005. For my first security conference you guys helped make it magical. Also greets go out to the guys from the San Fernando Linux users group. You guys are great and I'll have to make it your way one of these days.

The real reason for this post is to ask about how to handle "responsible reporting" of a bug. I have found what I believe to be an information disclosure vulnerability on a website. The website is an online dating website (yes I realize this is a little pathetic, don't ask). I have been able to read any message sent to any user on the website by simply modifying the HTTP GET request for a message, e.g. "www.somesite.com/mymessages/displaymsg.cfm?mid=XXXXXX" where XXXXXX is the message id to pull. This apparent attack requires that you are logged into the site before you can pull messages.

The only hitch is that the site seems to be sending messages to its own users to generate revenue. I have been able to walk up and down through several hundred messages that are time stamped within a few minutes of each other and have the exact same message text. The only difference between the messages is the sending person. I do find messages that are completely different but they are generally at different times. I believe that what this site is doing could or should be considered fraud (and yes I did personally fall for this, again don't ask).

<newbquestions>
1. If I report this problem what kind of legal ramifications should I look at?
2. Who would I report this site's possibly illegal activities to? I believe what they are doing could fall under fraud but I really have no idea if current law would cover this.
3. Finally, what would be some possible avenues for reporting this to the press to simply embarrass the living daylights out of the people who run this website? If I pulled enough data to prove this could this get me into legal trouble?
4. Final thought-- any suggestions beyond my questions are welcome except DOSing the site. I am a little upset with their behavior but not to the point of doing anything illegal myself or prompting others to do something illegal.
</newbquestions>

Any suggestions are welcome both on and off list.

Sean
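For readers wondering what the missing check on a "displaymsg.cfm?mid=..." style endpoint looks like, here is an added illustration (not code from Sean or from the site in question): the message store, user names and function names are all constructed assumptions. It shows the behaviour described above (login is the only gate, so any authenticated user can read any message id) next to the hardened form, which refuses messages the caller is not a party to and answers a foreign id the same way as a nonexistent one.

```python
# Added example, not from the original post. Names, the in-memory message
# store and the sample messages below are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    mid: int
    sender: str
    recipient: str
    body: str


# Constructed stand-in for the site's message table (sequential ids).
MESSAGES = {
    1001: Message(1001, "alice", "bob", "Hi Bob, saw your profile..."),
    1002: Message(1002, "carol", "dave", "Hello Dave!"),
    1003: Message(1003, "site-promo", "bob", "Someone is interested in you!"),
}


class AccessDenied(Exception):
    """Raised when the caller may not view the requested message."""


def display_msg_vulnerable(session_user, mid):
    # Mirrors the behaviour described in the post: being logged in is the
    # only check, so any authenticated user can walk every message id.
    if session_user is None:
        raise AccessDenied("login required")
    return MESSAGES[mid].body


def display_msg_checked(session_user, mid):
    # Hardened form: after the lookup, ownership is enforced. The caller must
    # be the sender or the recipient. A foreign id and a missing id get the
    # same error, so the endpoint does not confirm which ids exist.
    if session_user is None:
        raise AccessDenied("login required")
    msg = MESSAGES.get(mid)
    if msg is None or session_user not in (msg.sender, msg.recipient):
        raise AccessDenied("no such message for this user")
    return msg.body


def readable_count(session_user, view):
    """How many stored messages `view` hands back to this user."""
    n = 0
    for mid in MESSAGES:
        try:
            view(session_user, mid)
            n += 1
        except AccessDenied:
            pass
    return n
```

Comparing readable_count(user, display_msg_vulnerable) with readable_count(user, display_msg_checked) for an ordinary user shows the whole table versus only that user's own conversations.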