Is it worth reporting to a retail website that their website spin to win competition has a huge security risk?

Forums › Off topic › Is it worth reporting to a retail website that their website spin to win competition has a huge security risk?

1 | 2 | 3

turtleattacks

1008 posts

Uber Geek
+1 received by user: 305

Trusted

#3188613 30-Jan-2024 18:26

jnimmo:
turtleattacks:

jnimmo: In future if you’re having trouble getting traction with the company, CERT NZ provide a vulnerability disclosure program where they can help communicate it to the organisation.

Just picking this up again - what's a reasonable time to expect a reply in a timely matter?

Would 24 hours after initial email be enough until a contact is made with CERN's program?

Edit: Not the same company.

Sounds reasonable, it can be helpful having the notification coming from a trusted third party like CERT to get the message through!

Thanks team, the merchant has now patched the API. It was leaking some pretty sensitive PII info.

No response from them though after disclosing it to them in a very polite email.

This type of disclosures always baffles me. It's rare to get responses from the companies, not an acknowledgement, not a thank you email.

Feels like the tactic of "Do not negotiate with the kidnapper/ransom" is in playbook apart from the fact I wasn't asking for anything!

I'll probably email CERT tomorrow.

Edit: This probably isn't a nuclear issue concerning CERN. :)

----

Creator of whatsthesalary.com and whatstheincometax.com

Behodar

11099 posts

Uber Geek
+1 received by user: 6082

Trusted

Lifetime subscriber

#3188615 30-Jan-2024 18:28

turtleattacks:

I'll probably email CERN tomorrow.

CERT. Emailing the nuclear research place probably won't accomplish much :)

boosacnoodle

1274 posts

Uber Geek
+1 received by user: 858

#3188622 30-Jan-2024 18:49

turtleattacks: Would love to know the definition of hacking though. Would querying their APIs with a variation of IDs (in payload) be considered hacking?

There is no "hacking" clause. It all hinges on intent. Changing the ID with the intent to receive a higher discount may well be "Accessing computer system for dishonest purpose".

Lias

5655 posts

Uber Geek
+1 received by user: 3978

ID Verified

Trusted

Lifetime subscriber

#3188651 30-Jan-2024 21:26

boosacnoodle:

turtleattacks: Would love to know the definition of hacking though. Would querying their APIs with a variation of IDs (in payload) be considered hacking?

There is no "hacking" clause. It all hinges on intent. Changing the ID with the intent to receive a higher discount may well be "Accessing computer system for dishonest purpose".

There have been cases like that in some particularly luddite parts of the USA, I think it's substantially more unlikely in NZ.

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted

Lifetime subscriber

#3188653 30-Jan-2024 21:33

turtleattacks: Just picking this up again - what's a reasonable time to expect a reply in a timely matter? ...

90 days

turtleattacks: Thanks team, the merchant has now patched the API. ...

IMO, API is patched, expect no further comms.

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

1 | 2 | 3