LOL awesome response by CL, they were notified months ago.

 

We are aware of this particular shortfall in our security and our web developers are currently working on a fix.

 

We have been speaking with BrianMcCarthyNZ (OP), and he has been informed that we are in the process of releasing a new site (which unfortunately has taken a bit longer than intended), that will certainly address the lack of security on the current website.

 

If you know how to find the vulnerability, we'd appreciate it if you would exercise restraint and not disclose any information that may assist in exploiting it, as it will help protect the data of our customers.

 

Thank you for your understanding :)

 

plas:

 

LOL awesome response by CL, they were notified months ago.

 

 

We are aware of this particular shortfall in our security and our web developers are currently working on a fix.

 

We have been speaking with BrianMcCarthyNZ (OP), and he has been informed that we are in the process of releasing a new site (which unfortunately has taken a bit longer than intended), that will certainly address the lack of security on the current website.

 

If you know how to find the vulnerability, we'd appreciate it if you would exercise restraint and not disclose any information that may assist in exploiting it, as it will help protect the data of our customers.

 

Thank you for your understanding :)

 

 

So they have admitted to a fault and they are kindly asking for their exposed customer info to not be looked at and left alone.
Jeeze thats tempting. 

I am a regular customer and have been complaining about their dog of a website for sometime. Now I am a little concerned.

If they'd responded quickly and dealt with this I wouldn't have an issue, but knowing about an issue like this for months and not taking action is just utterly unforgivable. 

Coil:

 

plas:

 

LOL awesome response by CL, they were notified months ago.

 

 

We are aware of this particular shortfall in our security and our web developers are currently working on a fix.

 

We have been speaking with BrianMcCarthyNZ (OP), and he has been informed that we are in the process of releasing a new site (which unfortunately has taken a bit longer than intended), that will certainly address the lack of security on the current website.

 

If you know how to find the vulnerability, we'd appreciate it if you would exercise restraint and not disclose any information that may assist in exploiting it, as it will help protect the data of our customers.

 

Thank you for your understanding :)

 

 

 

 

 

So they have admitted to a fault and they are kindly asking for their exposed customer info to not be looked at and left alone.
Jeeze thats tempting. 

 

tempting enough to warrant criminal charges? because accessing this information would easily be illegal under s252 of the crimes act, even if the bug is obvious.

sorceror:

 

tempting enough to warrant criminal charges? because accessing this information would easily be illegal under s252 of the crimes act, even if the bug is obvious.

 

IANAL, but I think you're very wrong on that.

 

252Accessing computer system without authorisation

 

(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

 

(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

 

If you have a public website on the internet, you are authorising people to access content on it, and I'd strongly maintain that Section 252(2) then provides a complete defense when someone accesses content on that website that you didn't want or intend them to access. There was quite a lot of robust discussion of this a few years ago when Cameron Slater and Jason Ede discovered a vast wealth of confidential donation information sitting on one of Labour's public web servers in almost identical circumstances. The Greens laid a police complaint over it, and the police determined that no offence had been committed, which is about as close as we have to case law on the matter.

Lias:

 

sorceror:

 

tempting enough to warrant criminal charges? because accessing this information would easily be illegal under s252 of the crimes act, even if the bug is obvious.

 

 

IANAL, but I think you're very wrong on that.

 

 

252Accessing computer system without authorisation

 

(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

 

(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

 

 

If you have a public website on the internet, you are authorising people to access content on it, and I'd strongly maintain that Section 252(2) then provides a complete defense when someone accesses content on that website that you didn't want or intend them to access. There was quite a lot of robust discussion of this a few years ago when Cameron Slater and Jason Ede discovered a vast wealth of confidential donation information sitting on one of Labour's public web servers in almost identical circumstances. The Greens laid a police complaint over it, and the police determined that no offence had been committed, which is about as close as we have to case law on the matter.

 

not even close to identical circumstances - there's a big difference between just accessing information that is sitting on a web server vs exploiting a vulnerability by injecting malicious content which then gives you information from a database (and the DB may even potentially sit on another server). there is a large amount of case law on this, it just doesn't make it into the media.

sorceror:

 

not even close to identical circumstances - there's a big difference between just accessing information that is sitting on a web server vs exploiting a vulnerability by injecting malicious content which then gives you information from a database (and the DB may even potentially sit on another server). there is a large amount of case law on this, it just doesn't make it into the media.

 

Are you sure he's using SQL injection? Do you have detailed knowledge of how he's scraping the data, because based on his comments on Reddit it doesn't sound like that to me?

no I don't know for certain - but I don't think it specifically has to be SQL injection, even if it was something like IDOR via a /user/<id number> URL, going through the IDs would still fall afoul of the act.

a hidden backup file you could possibly argue either way but this doesn't sound like that (because that could be fixed very quickly and easily).

the Labour party 'hack' was a webserver that just had the webroot exposed with directory listing and everything. so literally no exploits were required, you just click your way through. the directory structure was also indexed on google/multiple search engines. i very much doubt this was the case with CL (because again, that's fixed very easily).

sorceror:

 

no I don't know for certain - but I don't think it specifically has to be SQL injection, even if it was something like IDOR via a /user/<id number> URL, going through the IDs would still fall afoul of the act.

 

a hidden backup file you could possibly argue either way but this doesn't sound like that (because that could be fixed very quickly and easily).

 

the Labour party 'hack' was a webserver that just had the webroot exposed with directory listing and everything. so literally no exploits were required, you just click your way through. the directory structure was also indexed on google/multiple search engines. i very much doubt this was the case with CL (because again, that's fixed very easily).

 

We're probably not going to agree on what the act covers, but given that the guy who found the vulnerability appears to be acting in an ethical fashion, I'd like to think he wouldn't be charged. If the NZ courts are finding people guilty for discovering and responsibly reporting vulnerabilities in public websites, then something is seriously broken with the legislation in that regard.

Lias:

 

sorceror:

 

no I don't know for certain - but I don't think it specifically has to be SQL injection, even if it was something like IDOR via a /user/<id number> URL, going through the IDs would still fall afoul of the act.

 

a hidden backup file you could possibly argue either way but this doesn't sound like that (because that could be fixed very quickly and easily).

 

the Labour party 'hack' was a webserver that just had the webroot exposed with directory listing and everything. so literally no exploits were required, you just click your way through. the directory structure was also indexed on google/multiple search engines. i very much doubt this was the case with CL (because again, that's fixed very easily).

 

 

We're probably not going to agree on what the act covers, but given that the guy who found the vulnerability appears to be acting in an ethical fashion, I'd like to think he wouldn't be charged. If the NZ courts are finding people guilty for discovering and responsibly reporting vulnerabilities in public websites, then something is seriously broken with the legislation in that regard.

 

 

 

i would like to think so too, but in some cases in the past NZ Police have treated it as a strict liability offense - ie intent means squat. it definitely is broken and outdated legislation.

Still down this morning. And no PSA on their social media. 

I really hope they've disabled the SQL service as their website is actually accessible from some links (see: http://www.computerlounge.co.nz/main/sitemap.asp) and could well be still exploitable.

But poor form for not notifying customers what the real story is. In cases like this a "Gray hat" dropping the users table would be the best outcome to ensure details are not actually stolen - see this thread on Reddit as an example of a case like this, specifically this:

Their database is now secure. Since the login form is vulnerable to SQL injection, someone dropped the OGIUser table, meaning that nobody can steal those passwords anymore.

They still havnt informed their online customers....extremely disappointing for a significant IT retailer.

I emailed and asked for my account + details to be deleted. They politely replied stating they would do so, so hopefully they follow through.