Hi team,
I was just having a poke and noticed that there is a huge security risk on their site where the user can extract all the emails, first names and last names from the competition site.
Is it worth telling them? Would this be considered PII?
----
Creator of whatsthesalary.com and whatstheincometax.com
I have removed the company name and screenshots.
You should report this to the company - not make it public where others can follow your steps and retrieve that information.
Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies
Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.
freitasm:
I have removed the company name and screenshots.
You should report this to the company - not make it public where others can follow your steps and retrieve that information.
Sorry about that. I've also removed it from my gallery.
----
Creator of whatsthesalary.com and whatstheincometax.com
You should contact the company first with a sensible deadline for resolution. If there is no resolution of this issue then you could report to the Privacy Commission.
freitasm:
You should contact the company first with a sensible deadline for resolution. If there is no resolution of this issue then you could report to the Privacy Commission.
Yeah, I'm contacting them now.
----
Creator of whatsthesalary.com and whatstheincometax.com
I did verify this. Will raise it also.
Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)
Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
michaelmurfy:
I did verify this. Will raise it also.
Can I ask what's the consensus on poking at websites? I am pretty interested in how APIs and competitions work, hence I had a poke in the background.
Is it frowned upon even if we contact them properly?
Sorry about posting it earlier, I should have contacted them first and not posted the method.
----
Creator of whatsthesalary.com and whatstheincometax.com
@turtleattacks Poking around is fine (I do the same), reporting vulnerabilities via responsible disclosure is even better but as soon as you're poking around to find a vulnerability to exploit / harvest data etc then it gets pretty bad. Basically common sense comes into it. If you notice something bad and don't report it then if somebody else does and a security team goes through logs to find you were mass scraping they'll see it as you've exploited and potentially harvested and basically see you as a bad guy and likely take things further.
Michael Murphy | https://murfy.nz
I think it will depend on the company. In the US some companies bury their heads and, instead of fixing things, take the reporting person to court shouting "HACKER!"
Also I've just had a look at their JS file containing the mechanisms of the prize draw, pretty sure it can be manipulated and values injected to generate a higher discount code.
----
Creator of whatsthesalary.com and whatstheincometax.com
turtleattacks:
Can I ask what's the consensus on poking at websites? I am pretty interested in how APIs and competitions work, hence I had a poke in the background.
Is it frowned upon even if we contact them properly?
Some companies will appreciate it, some will not. There have been cases in the USA where someone using an API to scrape data has been convicted of a crime and imprisoned, when the data they scraped was not meant to be public, but was public. E.g. https://arstechnica.com/tech-policy/2013/03/auernheimer-aka-weev-sentenced-to-41-months-for-attipad-hack/ . The guy seems like an arsehole from a personality point of view, but in terms of what he did it is similar to what many of us do in trying to understand how systems work.
Not aware of any local cases but would err on the side of caution when poking.
So I got an email back thanking me for bringing this to their attention and can confirm it is now patched - I ended up finding an IT email for the parent group. Well done @turtleattacks (I don't take credit here).
Michael Murphy | https://murfy.nz
Thanks @michaelmurfy. Can confirm that it's been promptly patched.
Well done for releasing a fix to the API so quickly.
----
Creator of whatsthesalary.com and whatstheincometax.com
turtleattacks:
Can I ask what's the consensus on poking at websites? I am pretty interested in how APIs and competitions work, hence I had a poke in the background.
Is it frowned upon even if we contact them properly?
Sorry about posting it earlier, I should have contacted them first and not posted the method.
White hat hacking (i.e., with authorisation) is fine. Black hat hacking is very illegal. Grey hat hacking is also illegal, but very much turns on "authorisation" (e.g., would a bug bounty amount to implied authorisation?).
Disclaimer: Not Legal Advice
mdf:
turtleattacks:
Can I ask what's the consensus on poking at websites? I am pretty interested in how APIs and competitions work, hence I had a poke in the background.
Is it frowned upon even if we contact them properly?
Sorry about posting it earlier, I should have contacted them first and not posted the method.
White hat hacking (i.e., with authorisation) is fine. Black hat hacking is very illegal. Grey hat hacking is also illegal, but very much turns on "authorisation" (e.g., would a bug bounty amount to implied authorisation?).
Disclaimer: Not Legal Advice
Would love to know the definition of hacking though. Would querying their APIs with a variation of IDs (in payload) be considered hacking?
----
Creator of whatsthesalary.com and whatstheincometax.com
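The thread mentions a security team going through logs to spot mass scraping, and querying an API with varying IDs. As an added example (not from the thread or the site discussed), here is a small Python detection that runs over a constructed access log and flags clients walking consecutive record IDs; the log format and the `/api/entrants/<id>` path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the thread): an API that returns
# entrant records by numeric id. One client walks the id space sequentially,
# the other fetches a single record twice and checks the draw status.
SAMPLE_LOG = """\
203.0.113.7 GET /api/entrants/1001 200
203.0.113.7 GET /api/entrants/1002 200
203.0.113.7 GET /api/entrants/1003 200
203.0.113.7 GET /api/entrants/1004 200
203.0.113.7 GET /api/entrants/1005 200
203.0.113.7 GET /api/entrants/1006 404
198.51.100.4 GET /api/entrants/2048 200
198.51.100.4 GET /api/draw/status 200
198.51.100.4 GET /api/entrants/2048 200
"""

# client, method, entrant id, status (assumed log layout)
LINE_RE = re.compile(r"^(\S+) (\S+) /api/entrants/(\d+) (\d+)$")


def find_enumerators(log_text, min_ids=5, max_gap=1):
    """Return {client: longest run} for clients that requested at least
    `min_ids` distinct entrant ids where each id is within `max_gap`
    of the previous one, i.e. the pattern of an id-space walk."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(3)))
    flagged = {}
    for client, ids in ids_by_client.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_ids:
            continue  # too few distinct records to count as enumeration
        run = longest = 1
        for prev, cur in zip(distinct, distinct[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            longest = max(longest, run)
        if longest >= min_ids:
            flagged[client] = longest
    return flagged


if __name__ == "__main__":
    for client, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: walked {n} consecutive entrant ids")
```

Tune `min_ids` and `max_gap` to the API's legitimate usage before alerting on the result.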
"Accessing" a "computer system" in certain circumstances = hacking. "Accessing" and "computer system" are defined very broadly.