Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




67 posts

Master Geek
+1 received by user: 12


Topic # 242510 1-Nov-2018 09:37
One person supports this post
Send private message quote this post

In case anyone was wondering why their site is offline. 

 

https://www.reddit.com/r/newzealand/comments/9si4um/psa_computerloungeconz_has_security_issues/ 

 

 

 

 


View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
360 posts

Ultimate Geek
+1 received by user: 18


  Reply # 2117726 1-Nov-2018 10:22
Send private message quote this post

LOL awesome response by CL, they were notified months ago.

 

 

We are aware of this particular shortfall in our security and our web developers are currently working on a fix.

 

We have been speaking with BrianMcCarthyNZ (OP), and he has been informed that we are in the process of releasing a new site (which unfortunately has taken a bit longer than intended), that will certainly address the lack of security on the current website.

 

If you know how to find the vulnerability, we'd appreciate it if you would exercise restraint and not disclose any information that may assist in exploiting it, as it will help protect the data of our customers.

 

Thank you for your understanding :)

 


6257 posts

Uber Geek
+1 received by user: 1944

Trusted

  Reply # 2117733 1-Nov-2018 10:36
One person supports this post
Send private message quote this post

plas:

 

LOL awesome response by CL, they were notified months ago.

 

 

We are aware of this particular shortfall in our security and our web developers are currently working on a fix.

 

We have been speaking with BrianMcCarthyNZ (OP), and he has been informed that we are in the process of releasing a new site (which unfortunately has taken a bit longer than intended), that will certainly address the lack of security on the current website.

 

If you know how to find the vulnerability, we'd appreciate it if you would exercise restraint and not disclose any information that may assist in exploiting it, as it will help protect the data of our customers.

 

Thank you for your understanding :)

 

 

 

 

 

So they have admitted to a fault and they are kindly asking for their exposed customer info to not be looked at and left alone.
Jeeze thats tempting. 





 


 
 
 
 


147 posts

Master Geek
+1 received by user: 42


  Reply # 2117777 1-Nov-2018 11:56
Send private message quote this post

I am a regular customer and have been complaining about their dog of a website for sometime. Now I am a little concerned.


3500 posts

Uber Geek
+1 received by user: 1966

Trusted
Lifetime subscriber

  Reply # 2117787 1-Nov-2018 12:21
5 people support this post
Send private message quote this post

If they'd responded quickly and dealt with this I wouldn't have an issue, but knowing about an issue like this for months and not taking action is just utterly unforgivable. 





Information wants to be free. The Net interprets censorship as damage and routes around it.


147 posts

Master Geek
+1 received by user: 40


  Reply # 2117822 1-Nov-2018 13:09
Send private message quote this post

Coil:

 

plas:

 

LOL awesome response by CL, they were notified months ago.

 

 

We are aware of this particular shortfall in our security and our web developers are currently working on a fix.

 

We have been speaking with BrianMcCarthyNZ (OP), and he has been informed that we are in the process of releasing a new site (which unfortunately has taken a bit longer than intended), that will certainly address the lack of security on the current website.

 

If you know how to find the vulnerability, we'd appreciate it if you would exercise restraint and not disclose any information that may assist in exploiting it, as it will help protect the data of our customers.

 

Thank you for your understanding :)

 

 

 

 

 

So they have admitted to a fault and they are kindly asking for their exposed customer info to not be looked at and left alone.
Jeeze thats tempting. 

 

 

tempting enough to warrant criminal charges? because accessing this information would easily be illegal under s252 of the crimes act, even if the bug is obvious.


3500 posts

Uber Geek
+1 received by user: 1966

Trusted
Lifetime subscriber

  Reply # 2117947 1-Nov-2018 15:17
Send private message quote this post

sorceror:

 

tempting enough to warrant criminal charges? because accessing this information would easily be illegal under s252 of the crimes act, even if the bug is obvious.

 

 

IANAL, but I think you're very wrong on that.

 

 

252Accessing computer system without authorisation

 

(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

 

(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

 

 

If you have a public website on the internet, you are authorising people to access content on it, and I'd strongly maintain that Section 252(2) then provides a complete defense when someone accesses content on that website that you didn't want or intend them to access. There was quite a lot of robust discussion of this a few years ago when Cameron Slater and Jason Ede discovered a vast wealth of confidential donation information sitting on one of Labour's public web servers in almost identical circumstances. The Greens laid a police complaint over it, and the police determined that no offence had been committed, which is about as close as we have to case law on the matter.





Information wants to be free. The Net interprets censorship as damage and routes around it.


147 posts

Master Geek
+1 received by user: 40


  Reply # 2117953 1-Nov-2018 15:39
Send private message quote this post

Lias:

 

sorceror:

 

tempting enough to warrant criminal charges? because accessing this information would easily be illegal under s252 of the crimes act, even if the bug is obvious.

 

 

IANAL, but I think you're very wrong on that.

 

 

252Accessing computer system without authorisation

 

(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

 

(2) To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

 

 

If you have a public website on the internet, you are authorising people to access content on it, and I'd strongly maintain that Section 252(2) then provides a complete defense when someone accesses content on that website that you didn't want or intend them to access. There was quite a lot of robust discussion of this a few years ago when Cameron Slater and Jason Ede discovered a vast wealth of confidential donation information sitting on one of Labour's public web servers in almost identical circumstances. The Greens laid a police complaint over it, and the police determined that no offence had been committed, which is about as close as we have to case law on the matter.

 

 

not even close to identical circumstances - there's a big difference between just accessing information that is sitting on a web server vs exploiting a vulnerability by injecting malicious content which then gives you information from a database (and the DB may even potentially sit on another server). there is a large amount of case law on this, it just doesn't make it into the media.


3500 posts

Uber Geek
+1 received by user: 1966

Trusted
Lifetime subscriber

  Reply # 2117962 1-Nov-2018 15:46
One person supports this post
Send private message quote this post

sorceror:

 

not even close to identical circumstances - there's a big difference between just accessing information that is sitting on a web server vs exploiting a vulnerability by injecting malicious content which then gives you information from a database (and the DB may even potentially sit on another server). there is a large amount of case law on this, it just doesn't make it into the media.

 

 

Are you sure he's using SQL injection? Do you have detailed knowledge of how he's scraping the data, because based on his comments on Reddit it doesn't sound like that to me?





Information wants to be free. The Net interprets censorship as damage and routes around it.


147 posts

Master Geek
+1 received by user: 40


  Reply # 2117980 1-Nov-2018 16:44
Send private message quote this post

no I don't know for certain - but I don't think it specifically has to be SQL injection, even if it was something like IDOR via a /user/<id number> URL, going through the IDs would still fall afoul of the act.

 

a hidden backup file you could possibly argue either way but this doesn't sound like that (because that could be fixed very quickly and easily).

 

the Labour party 'hack' was a webserver that just had the webroot exposed with directory listing and everything. so literally no exploits were required, you just click your way through. the directory structure was also indexed on google/multiple search engines. i very much doubt this was the case with CL (because again, that's fixed very easily).


3500 posts

Uber Geek
+1 received by user: 1966

Trusted
Lifetime subscriber

  Reply # 2117990 1-Nov-2018 17:25
One person supports this post
Send private message quote this post

sorceror:

 

no I don't know for certain - but I don't think it specifically has to be SQL injection, even if it was something like IDOR via a /user/<id number> URL, going through the IDs would still fall afoul of the act.

 

a hidden backup file you could possibly argue either way but this doesn't sound like that (because that could be fixed very quickly and easily).

 

the Labour party 'hack' was a webserver that just had the webroot exposed with directory listing and everything. so literally no exploits were required, you just click your way through. the directory structure was also indexed on google/multiple search engines. i very much doubt this was the case with CL (because again, that's fixed very easily).

 

 

We're probably not going to agree on what the act covers, but given that the guy who found the vulnerability appears to be acting in an ethical fashion, I'd like to think he wouldn't be charged. If the NZ courts are finding people guilty for discovering and responsibly reporting vulnerabilities in public websites, then something is seriously broken with the legislation in that regard.

 

 





Information wants to be free. The Net interprets censorship as damage and routes around it.


147 posts

Master Geek
+1 received by user: 40


  Reply # 2117996 1-Nov-2018 17:35
Send private message quote this post

Lias:

 

sorceror:

 

no I don't know for certain - but I don't think it specifically has to be SQL injection, even if it was something like IDOR via a /user/<id number> URL, going through the IDs would still fall afoul of the act.

 

a hidden backup file you could possibly argue either way but this doesn't sound like that (because that could be fixed very quickly and easily).

 

the Labour party 'hack' was a webserver that just had the webroot exposed with directory listing and everything. so literally no exploits were required, you just click your way through. the directory structure was also indexed on google/multiple search engines. i very much doubt this was the case with CL (because again, that's fixed very easily).

 

 

We're probably not going to agree on what the act covers, but given that the guy who found the vulnerability appears to be acting in an ethical fashion, I'd like to think he wouldn't be charged. If the NZ courts are finding people guilty for discovering and responsibly reporting vulnerabilities in public websites, then something is seriously broken with the legislation in that regard.

 

 

 

 

 

 

i would like to think so too, but in some cases in the past NZ Police have treated it as a strict liability offense - ie intent means squat. it definitely is broken and outdated legislation.




67 posts

Master Geek
+1 received by user: 12


  Reply # 2118316 2-Nov-2018 09:55
Send private message quote this post

Still down this morning. And no PSA on their social media. 


Mr Snotty
8072 posts

Uber Geek
+1 received by user: 4049

Moderator
Trusted
Lifetime subscriber

  Reply # 2118328 2-Nov-2018 10:18
One person supports this post
Send private message quote this post

I really hope they've disabled the SQL service as their website is actually accessible from some links (see: http://www.computerlounge.co.nz/main/sitemap.asp) and could well be still exploitable.

 

But poor form for not notifying customers what the real story is. In cases like this a "Gray hat" dropping the users table would be the best outcome to ensure details are not actually stolen - see this thread on Reddit as an example of a case like this, specifically this:

 

Their database is now secure. Since the login form is vulnerable to SQL injection, someone dropped the OGIUser table, meaning that nobody can steal those passwords anymore.





147 posts

Master Geek
+1 received by user: 42


  Reply # 2118373 2-Nov-2018 10:38
4 people support this post
Send private message quote this post

They still havnt informed their online customers....extremely disappointing for a significant IT retailer.


75 posts

Master Geek
+1 received by user: 19


  Reply # 2118632 2-Nov-2018 15:57
Send private message quote this post

I emailed and asked for my account + details to be deleted. They politely replied stating they would do so, so hopefully they follow through.


 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.