This is a good question and it, by and large, has not been considered. In this particular instance, their programming is not protected by any kind of encryption laws that would prevent decryption (such as developing and deploying the decryption of Adobe Ebooks format). Furthermore, because you reported the flaw directly to the webmaster and did not publish it, there is no way that you caused any meaningful damage, nor were you acting maliciously.

I have exposed XSS errors before on Google via my blog, even wrote a program for April Fools that let you use XSS to post fake articles to real news sites, and never got in trouble for it. You did not even announce the error to the community, so you should be completely safe.

In real life terms, if you walked into the store and saw that the cash register was slightly broken and slightly opened, and reached in and pulled out a dollar to show the cashier what was wrong, you would not get in trouble. It may be bold, but it is not a crime.

On 8/2/06, Peter Lauri <lists@xxxxxxxxxxx> wrote:
Hi all,

I saw some strange error messages from a site when I was surfing it, and they were in the form of SQL. I did some testing of the security of the SQL injection protection of that site, and it showed it was not that protected against SQL injections. To show this to them, I deleted my own record in their database after finding out the table name of the "entity" in the database. I also found out a lot of other table names that I think are important.

What I did was to report this to them, and inform them about the damage I created, and what could have been done. (I did DELETE FROM tablename WHERE id=1234; what if I did DELETE FROM tablename? Destruction if no backup.) This is a large "athletic site" in Sweden, with more than 100,000 daily visitors.

What I am a little bit worried about is the legal part of this; can I be accused of breaking some laws? I was just doing it to check if they were protected, and I informed them about my process etc. I only deleted my record, no one else's. In Sweden it might have been called "computer break-in", but I am not sure.

Anyone with experience of a similar thing?

Best regards,
Peter Lauri