Websmart, Inc. and 100,000 Vulnerable Websites (samsclass.info)
82 points by GrahamsNumber on Dec 4, 2013 | 68 comments



This is all fine and dandy but I actually find the approach taken by the professor in the first email to be quite unfriendly and perhaps even unprofessional. The guy from Websmart is actually right, there was no need to immediately contact his customers directly. You let the vendor handle the delicate subject with their customers and then take action directly (with a public disclosure) only if the vendor ignores you.


Customers don't actually belong to anyone, you know. None of the vendors I have purchased products or services from have my permission to act as gatekeeper for communication with me, and as such have absolutely no right to act in that capacity. If I learned that a vendor had threatened someone for contacting me, that vendor would never receive another dime from me, and I would investigate whether I had any legal cause of action against that vendor.

Any notion that a third party could threaten someone for communicating with me, or even the notion that someone should go through a third party I have given no gatekeeping-like permission to, is offensive to my basic dignity as a human being.


This is best for the vendor, but not best for the customers. Vendors should have a healthy fear that if they don't provide substantial security they will be exposed for their lack of quality. Now, I hope I'm not soliciting a 'test' of my work by saying this...


To a certain degree, I do agree. If websmart can't do this right, I imagine there are many other security vulnerabilities plaguing client sites. I will say that, as a client, I would want to know this.


Technically the vendor responding is the only practical course of action. The customers are not likely going to abandon the software or patch it themselves.

This would only make sense if the vendor didn't care. But even then it's a long uphill battle.


I think that the issue of customer contact is a red herring. What caused the issue was not that Sam contacted the customers, but that he cc'ed his threatening e-mail to the vendor to the vendor's customers.

Any reasonable person would expect the vendor to take umbrage to being threatened with press coverage in front of his customers. Sam would have had the best chance getting the problem fixed by sending a separate e-mail to the vendor that did not include a presumption of bad faith.


Rule #1 - Don't be an asshole.

You found a vulnerability in lots of sites so you contacted the vendor who was responsible for it. Cool. They replied and said they would fix it.

Going around and e-mailing their customers is kinda odd. Sure it may result in you feeling great but in the end the customers probably don't have a clue. Better to be mature about it and contact the vendor (who actually responds!)

If they stop responding or tell you to peter off, then it might be reasonable to do some type of disclosure. But not before you actually give them a chance to respond.


Wow. Just wow. I used to manage client accounts at an agency. Here's how I'm seeing this:

- Author sends a condescending, threatening, passive-aggressive, and shaming email to a vendor and its clients.

- Vendor respectfully explains that it was an unprofessional thing to do, because their client relationships were put at risk without them having a chance to correct their mistake.

- Author completely fails to understand why the vendor would think this, and interprets the email as an effort to "intimidate [him] into silence."

To be clear, I'm not excusing the vendor for their shoddy development work. I just think this professor is clueless about effective communication.


An understandable opinion coming from a client accounts manager.

Now try and see it from the viewpoint of the poor sods who have the unfortunate fate of being this incompetent fool's clients.


My personal advice to all small-business-owners: Don't get into pissing matches!

Yeah, I don't like Sam Bowne's approach. His initial email read as someone looking to make a name for himself (this is the biggest security flaw I've ever found! You have 6 days to respond!).

Despite this, if I had received an email like this I would have sent back a personal thank you followed with an outline of action steps. If I get another email from Sam asking more questions I'd reply as quickly as possible. Every transaction between him and me would be professional.

I'm reminded of a time when someone was convinced I was a hacker. It's a bit of a long story; I was tasked with creating a certification course for 2,000 employees. They all got emails telling them to log in and one guy saw the domain (companyname.columbo-companyname.com) and thought it was a phishing scam. This employee then pulled up my company, did a WHOIS, called my cell phone a few times* and then promptly sent an email to the CTO (and about 6 other VPs) about a rogue hacker.

The whole thing turned into a massive cluster, suddenly I'm getting emails and phone-calls about a hacker in MY site (the CTO assumed I had been hacked and they had been hacked by proxy, nobody knew what was going on).

Took a few days to sort out and when they found out where it started the CTO sent me an apology to which I responded "Hey, it's no big deal, it's great you have an employee willing to raise alarm bells like this."

Problem Solved.

There's nothing to gain from pissing matches or threats.

* I suspect he's the one that called me, got a strange call & text right before all this went down from a number I didn't recognize.


That domain name sure looks like a phishing scam.

Six days to take down the websites and start bugfixing is a lot of time for this kind of vulnerability.


It is quite possible the clients do not have access to the source code. They may further have no competence in coding nor even in obtaining competent assistance in coding.


They still should be able to figure out how to take down the website to avoid being exploited.


Imagine if the local news outlet did a "consumer watchdog" piece on a contractor going around installing windows or doors in homes and businesses with locks that can be easily opened without a key. Then imagine the contractor acknowledged the issue but threatened to sue the news outlet for hurting their business.


Now imagine that the local news outlet displayed a list of addresses of the homes that can be easily opened without a key. That's closer to what happened here. The disclosure was irresponsible. He could have contacted each site owner individually with information limited to their site. Instead, he sent a mass email to total strangers, putting some of them at risk, then blogged about it. That's stupid and inconsiderate.


No, he notified 11 of the vulnerable parties and failed to blind CC them.


And now, realizing the danger they are in, they fix the door or harass their vendor into doing it. Finally, thanks to the efforts of one good samaritan, they're safe.


Who each have to go through the contractor to get them fixed resulting in a bottleneck. Thieves are already running rampant at the disclosure while the contractor is frantically fixing the windows.


An unfortunate series of events, but the poor homeowners are glad it happened, because now they see their contractor for the careless, incompetent fool that he is.

They vow never again to put their families at risk by letting him near their house.

They find a better contractor.


Having no technical expertise with which to evaluate competing contractors, the "better" contractor they find has the same problem. Cycle repeats.


I appreciate that the guy's attitude is just awful, but the author really should have given him a chance to respond/react before contacting his clients. Doing so doesn't preclude notifying them eventually. It's just common courtesy.


I think he's doing the site owners a favor by contacting the person who could actually do something about it in addition to the owner. Ordinarily, he'd probably only contact the site owner. In this case, he saw that the builder of the site was consistent across multiple sites and chose to additionally contact the builder and not just the owner.


What does the vendor have to do with anything?

If I'm walking down a street and notice a broken door, do I have some obligation to track down the builder of the house and tell him about the issue?

To my mind, the good deed would be to inform the homeowner. At that point, I've done my part, and it's up to him to organise to fix his door if he wants to.

This dude went the extra mile even contacting the vendor.

I'm guessing the people on here all sympathise with the vendor because they can see themselves being in his shoes.


It's reasonable to contact the affected sites, as well as Websmart. The sites might be able to fix themselves, depending on their level of technical involvement, and (despite the "Web Site by Websmart Inc." line) it's reasonable for an outsider to simply consider the vendor/contractor/hoster as an internal implementation detail, and the brand-at-risk as the principal.

But, the notification didn't need to inform all of them at once in the same message - revealing multiple vulnerable customers to each other, ratcheting up the embarrassment for Websmart before even seeing their initial reply. And the one week deadline before pursuing "more drastic remedies, such as contacting news media" starts things in a confrontational, threatening manner.

If the aim was being helpful, a notice to Websmart first, and then to each other site individually, would have highlighted the problem without activating defensive egos. The messages to individual sites wouldn't even have to name Websmart, just an indication that "your vendor or host may be the party best able to fix". (The fact that not all the "…by Websmart" sites have the bug may indicate it's only a certain type or generation of their work that's problematic, or that a fix is relatively easy.)

So I see both sides unnecessarily escalating the righteous anger with their communication choices.


Nice one including the XSS injection flaw posted to inj3ct0rs within your own page there. Did you forget to sanitize your own HTML?

Secondly, publicly publishing the email addresses of the (innocent) victims, and emailing those clients with To instead of Bcc fields are both really inconsiderate moves.



It's sad that this is 2013 and these basic fucking issues still plague websites (and the people who make them). I wonder if the root of these issues is in education or the tools used? Or both?


It seems to be a combination of both a lack of knowledge with respect to security and often a lack of respect. With many smaller companies, it is often ignorance. With many others, it is still too often the case that security concerns end up getting thrown in the "yeah, we should fix that eventually" pile of bugs.

Another issue is that security issues are often not visible to normal users. In the websmart example, a normal user looking for development services would have no idea that websmart has absolutely no clue how to do security. So, websmart gets the business, while the client gets a ticking time bomb, without even knowing it.

That, and most developers don't have any formal training in security concerns. I know I didn't when I first started - I had to pick it up as I went. It does not surprise me that these sorts of things keep coming up. Unless something changes - e.g. the majority of computer science degree programs include a course or two on security, I don't expect things to get drastically better.

That said, things like bug bounty programs help raise the visibility. And, at least many of the large tech companies do now respect security. We've at least improved in some ways as an industry.


> With many smaller companies, it is often ignorance.

I think that's an unfair statement about smaller companies. Just two months ago a SQL vulnerability was discovered on the website of NASDAQ.

I think the solution is to use frameworks that promote safe behaviour and have idioms for dealing with common cases. Make someone go out of their way to do the dangerous thing.


I wonder how long it'll take before he'll get burned by this and have some tables dropped...surprised it hasn't happened already..


I wonder what an injection attack on this would reveal :)


Is there really a SQL injection vulnerability?

Can someone describe the specific vulnerability in more detail? All the example URLs in the article yield an SQL syntax error, which definitely puts the site at high risk for such vulnerabilities. However, on the other hand, I saw no URLs that actually demonstrated successful injection.

For it to be an injection vulnerability, the server needs to execute the query (not fail with a syntax error).

Does anyone have a working example? Nothing malicious please. I tried several basic techniques and was unsuccessful, due to what appears to be escaping on double and single quote characters.


Please go to http://sqlmap.org . Watch the video. And weep. If you have a really simple SQL exception like this, you can craft queries that will dump the entire database including its schema and users byte-by-byte with an automated script.

SQL Injections are the basis of escalating further and possibly even hacking into the whole underlying system.

I know for a fact that I can dump any of these databases within hours. I do not know what's in them, but I'm guessing it's not information that any of these 100.000 business owners will want to disclose of their clients.

I also know it's illegal, but then again, will that bother any 13 year old kid that feels himself a 1337 h4xx0r? Any Russian delegation? I think not.


After an hour of playing around (nothing malicious) yes it is vulnerable, a lot of sites use the same DB structure (which is because they were made by the same people) and passwords are stored in plain text.

So no, it is not just a syntax error.


Would you mind sharing an example query string that injects and passes validation? I'd be interested to see what technique enables it to be valid.

(It's obvious to me that the site is under high risk since user-provided strings show up in SQL validation errors, which includes the rest of a real query, but simple injections like using ' and " to break out did not work in my few minutes of trying, so I'm interested to learn what worked.)


I will send you a generic example on your email.


One problem is that the SQL error messages are being displayed. That is really bad, since being able to read the error messages can be used to systematically find vulnerable queries.


The fix could be as simple as a digits-only regex on page ids and redirects on db exceptions.
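To illustrate the two fixes suggested in that comment (a digits-only check on page ids and a redirect instead of a raw database error) next to the error-leaking pattern the thread is discussing, here is a constructed example; it is not code from Websmart's sites or from the article, and the schema, function names and responses are made up for the demonstration:

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory sample: a tiny 'pages' table like a small CMS might have."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", "Welcome"), (2, "About", "About us")],
    )
    conn.commit()
    return conn


def lookup_page_vulnerable(conn, page_id):
    """Concatenates the raw ?id= value into SQL and echoes the DB error to the client."""
    sql = "SELECT title, body FROM pages WHERE id = " + page_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The error text, query fragment included, goes straight into the response
        # body, which is the symptom the article's example URLs show.
        return {"status": 500, "body": f"SQL error: {exc} in query: {sql}"}
    if row is None:
        return {"status": 404, "body": "Not found"}
    return {"status": 200, "body": row[1]}


PAGE_ID_RE = re.compile(r"[0-9]{1,9}")  # allow-list: one to nine ASCII digits, nothing else


def lookup_page_safe(conn, page_id):
    """Digits-only allow-list, a bound parameter, and no DB error text in the response."""
    if not PAGE_ID_RE.fullmatch(page_id):
        return {"status": 302, "location": "/"}  # redirect instead of an error page
    try:
        row = conn.execute(
            "SELECT title, body FROM pages WHERE id = ?", (int(page_id),)
        ).fetchone()
    except sqlite3.Error:
        # Log the details server-side in a real app; the client only sees a generic redirect.
        return {"status": 302, "location": "/"}
    if row is None:
        return {"status": 404, "body": "Not found"}
    return {"status": 200, "body": row[1]}


if __name__ == "__main__":
    db = make_db()
    for pid in ("2", "2'", "2 OR 1=1"):
        print(repr(pid), "vulnerable:", lookup_page_vulnerable(db, pid))
        print(repr(pid), "safe:      ", lookup_page_safe(db, pid))
```

The stray quote produces the same kind of raw SQL error the thread describes in the vulnerable version, while the hardened version never lets a non-numeric id reach the database at all.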


I'm picking up that Sam may be a little off. Or at least his reading skills are really questionable. The developer clearly stated that he would look into it, which is what you say when you first get word of something serious that needs to be looked into. And he was appreciative, emphatically so, about being informed. And annoyed about his customers being informed as well, but that annoyance is very understandable, even though he may have deserved some annoyance by his apparent lapse in coding rigor.


> The developer clearly stated that he would look into it

Belied by the developer's inaction since 2010. Did you read the whole page?


Looked like the developer was notified in 2013, not 2010. The flaw was just posted somewhere in 2010.


Surprise, many websites are not secure. Does he go around testing people's door locks to see how vulnerable they are to being picked with a basic lock pick set? Maybe knock on some doors and tell the home owners that their home contractor doesn't take security seriously enough and demonstrate how easily the standard door lock can be picked?

I could understand if he was making a business out of this, selling improved security. But this way it just looks like he's out to show people that he knows something they don't know and publicly shame them into some kind of response.


Or maybe he could, you know, be trying to teach his students about security so they don't do shit like this in the future? "My students and I have been notifying administrators of vulnerable websites for several years now"


Teaching about security by looking for some basic low hanging fruit? Perhaps. But what he's also teaching is how to blame and shame, and needlessly tread into murky legal territory.


He seems to be confused by the difference between pages and sites - 100,000 pages is not 100,000 sites. And the search in question only finds 274 pages anyway.

So this is actually: "handful of sites have a sql injection vulnerability - owners & operators incapable of fixing". Hardly big news.


What an idiot, he could have reacted with gratitude and done his part to convince his customers that he would make the situation right.

Instead, he's opened himself up for a flurry of negative attention not only from the public but from the unethical hacking community.


Sam is in dangerous territory here. IANAL, but I think he may be close to being accused of Tortious Interference[1]

I noticed this in the initial response of websmart's owner that I've seen before in legal docs.

"I do not appreciate you taking the liberty of contacting my clients directly [...] you have no right or authority here. You could very well damage my business with this. If that happens you will be hearing from our lawyer."

This line in Sam's last email is especially dangerous (stating things he doesn't know and something which can be perceived as "soliciting for business"):

"This is a serious security defect. It is easy to fix, but Websmart has made it clear that they have no intention of fixing it. [...] If you have questions, or would like help fixing your website, feel free to contact me."

isn't very smart to say the least.

[1] http://en.wikipedia.org/wiki/Tortious_interference


Truthful warnings to people who are in danger is not tortious interference.


being 100% correct and legally in the right is no defense against years of lawsuits


If the law doesn't matter, then don't bring it up. Under your logic, you can replace "tortious interference" with "turnip testicles" and this discussion is equally meaningful.


Unlike a complaint naming turnip testicles, one that says tortious interference is less likely to get kicked by the judge in four seconds. Skating ->this<- close to the legal edge is definitely something worth bringing up.


And I could sue you for libel and have it last more than four seconds, too. You're skating awfully close to the legal edge!

No, actually, you're not, any more than Sam is. This isn't a close call.


Here's the thing, a lot of times people just don't care. I've sent emails to Amtrak, USPS, SallieMae and many others about bugs on their sites. Most of the time I just get canned responses saying they'll look into it or reply with something totally irrelevant. Sure it probably would have been the courteous thing to do by sending the webmaster an email first individually, but if you were the client, wouldn't you want to know about this vulnerability? Wouldn't you want to know your database has been compromised?


There are several dead links and sql injection vulnerabilities on the company's website.

I can appreciate that it takes time and tact to deal with all the clients, something he is hopefully doing, but not even doing some basic work on your own corporate site is hard to understand.

There are also exploits in the Frontpage module his web server is running according to online databases.

Does this company have its own "cms" system? Is that why the error is so pervasive?

From what he says about his business under "About Us" the owner has a solid background of over 10 years in the broadcast industry as a radio personality.

My assumption is that he owns the business, and has owned it for a long time. He probably has very rudimentary html skills and can open his tool of choice DreamWeaver on a good day.

From what he says I think he outsources pretty much anything more than writing plain html. So he might be trying to deal with one or more contractors that he has hired for different sites. That probably makes it difficult for him to roll out any changes / patches in a timely manner. He is probably trying to get his / one of his contractors do it for free, since he has discovered it's broken.

I think the appropriate action is for Owen Smart to take a step back. Take a deep breath. Realize that he is in a shitstorm now since the story hit HN.

He needs to reach out to and reassure his clients. He might want some help from a PR person here to make sure he presents well. Make them see that he is competent and taking action.

Hire in a developer with a strong background in security to review the code base(s) for additional problems, and come up with an immediate mitigation plan, and work out a longer term plan to deal with the issues identified.

Make sure to follow up with the clients about target dates for fixing their sites.

He may also have to add a section on his corporate page, with some help from a PR person, and give his version of events in the best, least confrontational manner, and again say that he has the resources and the plan for addressing the issues that have been raised. Some BS about thanking the people who helped him find the issues, and reassuring future clients that this will no longer pose any problems.

Happiness all around.


Does the author actually think Websmart has made ~100k websites?


http://www.websmartconsulting.com/portfolio.php

  We are currently working on upgrading our Portfolio of web
  sites and special projects.  Please check back again soon.
Does anyone want to use an apostrophe and help him work on this page?


This professor is an ass. I would be livid if someone sent me those emails and created a press release. I think this is definitely grounds for legal action. The professor has severely misinterpreted the situation.


What is the point of hacking some random sites? Leave it to indian haxors.


Somewhere out there... a botnet would like to have a word with you.


Contact the vendor, give them time to fix it. Wtf are you contacting his customers for?

Sam, you are truly a moron.


It doesn't seem that he felt like taking any action since 2010


Are you sure he was notified in those previous incidents? Sure, that's really poor behavior of the company, but you don't know if he was even aware. Sam should have responsibly disclosed the information assuming that it was not already known - his actions were indeed unprofessional and could've been approached differently - if there was still no action taken, then that's a whole other story.


What's "responsible" about not telling the people who actually own the websites in question?


Maybe he was, maybe he wasn't, only he knows. But when you're running 100000 websites, you should Google yourself once in a while at least. Besides, this isn't some 0-day, it's some extremely basic SQL injection vulnerability. This company wasn't capable of doing extremely basic security, and should be out of business. This is the kind of company that stores your passwords in plaintext. He doesn't seem to have done anything since he was notified either (see Phil's comment)


Oh, I'm definitely not disagreeing that the company was irresponsible in their coding practices and in not having found the previously released notices on their own - they are certainly at fault for that negligence - and if they have indeed been notified before, then they are even worse of a company; but I still think Sam didn't approach the disclosure properly, but that's just an opinion.


Yes, the company has had plenty of time to fix this amateurish error on their own, especially since it has been reported/detailed on exploit sites in the past.


I find Websmart's attempt at trying to put this man out of a job absolutely disgusting. No doubt, Sam Bowne will think twice before reporting vulnerabilities next time. Even though I'm not in any way related to this incident, I've sent Sam a thank you note because I think the web community needs more people like him. If you want to do the same, his e-mails are in the link, but for ease of access: sam(dot)bowne at gmail, sbowne at ccsf(dot)edu .


Did they really try to put him out of work? I could not read any such thing in the vendor's emails. Perhaps the vendor just wanted to complain to the researcher's manager so he might receive additional training or so protocols could be set up for handling such issues?

