Insecure websites

It really worries me when I stumble across an insecurity in a website. I don't go looking for them, but when I find one, I feel like I have a responsibility to do something about it. I don't mean tell the world about it - that would be bad for the company and more importantly for their unsuspecting customers, I mean to let them know.

In the case that I found today, I have used the "Contact Us" part of the site, and will call their head office myself tomorrow if I haven't heard a response. I really hope they take me seriously. I will offer to help them out to resolve their problems of course, I have no desire at all for them to be hacked.

Published Tue, Dec 26 2006 12:32 by Rob Farley

Comments

Monday, June 18, 2007 3:11 PM by Ctrl_X

# re: Insecure websites

SELECT * FROM comments

Monday, June 18, 2007 3:12 PM by Ctrl_X

# re: Insecure websites

Cool :) no sql injection there :D

Sunday, August 17, 2008 5:54 AM by S.B

# Reporting insecure sites

Hi Rob,

If I contact websites saying that they are susceptible to SQL Injection attacks, will I be doing something illegal?

I mean, I could find that the sites are insecure by trying out some SQL Injection tricks so if I report it to the website, will I be considered a hacker?

Monday, August 18, 2008 4:17 AM by Rob Farley

# re: Insecure websites

SB,

I don't know - and I guess it depends on your local laws. I think if you don't do anything malicious, then that could be fine. Accessing confidential information is often considered illegal, which is why I only accessed metadata in the site I stumbled across.

Rob
