Hypothetically speaking here....
If I find that a website has weak password protection to enter it, can I make this known to the site owner?
Or, would that not be a good idea?
Sure, I would think any constructive comment to the site owner would be appreciated. I would at least let it be known that you have no intention of breaking through that protection yourself, but just so that website is more secure. How weak is the password protection? Can you give any other details about the site? Hope it helps out...
That's a sticky situation - on one hand, the site owner could be very grateful to you for reporting this hole in the security of the site - on the other hand, you could be accused of 'hacking' (term used loosely here), and may find yourself in trouble.
Personally, if I found the hole, I'd report it to the owner - I believe in security and the owner should know about the hole...
After all, if the hole was found by one person, it can most certainly be found by several more - while the first may not take advantage of the hole, the others might, which could be bad news for the site owner..
I once had a situation where my web server was being horrendously attacked, (Code Red/Nimda), by a single server on the net. Just to see how bad it was I scanned it and found a terminal services port open. For a giggle I connected to it and found that the combination administrator/password actually worked. After a bit more digging I discovered that this company is a computer consulting company in Washington DC that boasts such customers as the IRS and ATF....... :rolleyes: I simply called their ISP and informed them of the problem. It seems to me that you give yourself a little protection that way and the "victim" company takes it as less of an insult if their own ISP calls them.......
It's a website that uses applet password wizard....I read that these sites are very weakly protected....joylock.class
I have no intentions of entering the site, just wanted to see if I could do what I read, and it took me a total of 10 minutes to decrypt the first password and there are 218 in the source.
coffeecup.com is junk and would advise not to use.
I would send the admin an anonymous email, explaining the weak encryption. I would also mention that the email is only anonymous for your own protection. Try this site:
http://www.sendfakemail.com/
That's a real tight situation but in the case of security it would be nice to let the site owner know IMO. The way you go about letting them know is what you need to take into consideration.
If you can get the info to them and you will not get into trouble then go ahead and do that. I know I would be grateful if someone told me that my site was not all that secure but a lot of people don't react the way I do. So just be careful as to the way you relay the information.
Good luck in whichever way you decide to go and let us know the owner's response if you tell.
Guidance...
There's no 'legal' way you can find out the strength of a password. You must in some way test its strength. So if you feel you should tell the admin make sure you do it anonymously because you never know when you're going to run across an admin with his head up his ass
Thanks for the insight in this matter.
I think I will just keep it to myself, this seems the wise thing to do.
/exit
Another idea is to contact the site and ask for permission...don't tell them that you have done anything yet. Something along the lines of..... (remember social engineering 101)
Quote:
I am a computer science student at XXXXX university. I have been doing an emphasis in security. I recently read something regarding the weakness of passwords used by the applet password wizard, and I noticed that your site was using it. I was wondering if I could test what I have read, and return the results to you.
Thank you for your time
XXXXXX
Doing something like that, IF they ever take the time to reply, they will probably tell you no... (although not always as long as you promise full disclosure) But you have informed them about the weakness, and sometimes, they may even let you test it. You can't do any more than that. You haven't admitted to doing anything wrong, so they can't complain.