hypothetically speaking

Printable View

July 14th, 2003, 07:48 PM
bongpilot

hypothetically speaking

Hypothetically speaking here....

If i find that a website has a weak password protection to enter it ,can i make this known to the site owner.

Or,would that not be a good idea ?
July 14th, 2003, 07:53 PM
manicchester

Sure, I would think any constructive comment to the site owner would be appreciated. I would at least let it be known that you have no intention of breaking through that protection yourself, but just so that website is more secure. How weak is the password protection? Can you give any other details about the site? Hope it helps out...
July 14th, 2003, 07:54 PM
Maverick811

That's a sticky situation - on one hand, the site owner could be very grateful to you for reporting this hole in the security of the site - on the other hand, you could be accused of 'hacking' (term used loosely here), and may find yourself in trouble.

Personally, if I found the hole, I'd report it to the owner - I believe in security and the owner should know about the hole...

After all, if the hole was found by one person, it can most certainly be found by several more - while the first may not take advantage of the hole, the others might, which could be bad news for the site owner..
July 14th, 2003, 08:04 PM
Tiger Shark

I once had a situation where my web server was being horrendously attacked, (Code Red/Nimda), by a single server on the net. Just to see how bad it was I scanned it and found a terminal services port open. For a giggle I connected to it and found that the combination administrator/password actually worked. After a bit more digging I discovered that this company is a computer consulting company in Washington DC that boasts such customers as the IRS and ATF....... :rolleyes: I simply called their ISP and informed them of the problem. It seems to me that you give yourself a little protection that way and the "victim" company takes it as less of an insult if their own ISP calls them.......
July 14th, 2003, 08:07 PM
bongpilot

It`s a wesite that uses applet password wizard....iread that these sites are very weakly protected....joylock.class

a

i have no intensions of entering the site,just wanted to see if i could do what i read, and it took me a total of 10 minutes to decrypt the first password and there are 218 in the source.

coffeecup.com is junk and would advise not to use.
July 14th, 2003, 09:09 PM
Zetaphor

I would send the admin an anonymous email, explaining the weak ecryption. I would also mention that the email is only anonymous for your own protection. Try this site:

http://www.sendfakemail.com/
July 14th, 2003, 09:37 PM
cutty

That's a real tight situation but in the case of security it would be nice to let the site owner know IMO. The way you go about letting them know is what you need to take in consideration.

If you can get the info. to them and you will not get into trouble then go ahead and do that. I know I would be greatful if someone told me that my site was not all the secure but a lot of people don't react the way I do. So just becareful as to the way you relay the information.

Good luck in which ever way you decide to go and let us know the owner's response if you tell.

Guidance...
July 14th, 2003, 10:26 PM
Tedob1

theres no 'legal' way you can find out the strength of a password. you must in some way test its strength. so if you feel you should tell the admin make sure you do it anonymously because you never know when you're going to run accross an admin with his head up his ass
July 15th, 2003, 02:17 AM
bongpilot

Thanks for the insight in this matter.

I think i will just keep it to myself, this seems the wise thing to do.

/exit
July 15th, 2003, 02:34 AM
souleman

another idea is to contact the site and ask for permission...don't tell them that you have done anything yet. something along the lines of..... (remember social engineering 101)

Quote:

I am a computer science student at XXXXX university. I have been doing an emphasis in security. I recently read something reguarding the weakness of passwords used by the applet password wizard, and I noticed that your site was using it. I was wondering if I could test what I have read, and return the results to you.

Thank you for you time
XXXXXX

Doing something like that, IF they ever take the time to reply, they will probably tell you no... (although not always as long as you promise full disclosure) But you have informed them abou tthe weakness, and sometimes, they may even let you test it. You can't do any more then that. You haven't admitted to doing anything wrong, so they can't complain.
July 15th, 2003, 02:35 AM
keezel

Don't leave yet. I have a question for you: in this thread http://www.antionline.com/showthread...hreadid=246102 you wanted to know how to "post something anonymously". Do you want to know how to do this because you want to report a weakness in a website? If yes, then say it and we'll be able to help you a lot more.
July 15th, 2003, 02:58 AM
SoggyBottom

Tedob1 has given some good advise... Rule #1 in the real world is to cover your own arse!

Personally, I understand that your intentions are good, but the site administrators may not see it in that light.

And also, someone else may have discovered this weak password when you did and caused some damage, a coincidence I know, but nevertheless its definately possible. If you notify them, they may want to pursue you, even though you are the innocent party invloved... You just never know.

Proceed with caution!!
July 15th, 2003, 03:17 AM
r8devil

The best situation would be to let them know about the problem. But then u never know what kind of sysadmin is running it and they might take it the wrong way and go after you for it.

I guess for your own safety, the best would be to send an anonymous mail to them telling them abt the problem and let them decide what they want to do with the information. Also try to put your mail to them in a way that they do not take it the wrong way and get too defensive. Contacting their ISP migt be a good idea but then they might get the information from their ISP abt who contacted them and you might get into trouble.

With all the paranoia in businesses today, i think you have to be careful when letting people know about vulnerabilities in their systems. Cos the way to find vulnerabilities is to try to get into it or to scan it and this might be construed as trying to break in.

Just try to make sure you are anonymous when giving the info.
July 15th, 2003, 02:55 PM
nyx

I'm with all of what has been said here, if u do it, do it anonymously.

Just to say that this is really a damn world. We can't even help out anyone without that person being suspicious, or wanting your ass in jail...
Well, I wouldn't take it bad if someone warned me about security issues on my site, has from what I have read, nor do the generality of u guys.

I just don't get it.

well, just to get this of my chest....

The world would be a better place if everyone started helping and accepting help from others....
July 15th, 2003, 09:34 PM
RoadClosed

I haven't run across web sites with weak password schemes but I have run across some sites with unprotected directories wide open. I have always sent an anonymous email to let them know and not open myself up to much by making it easy for them to see who I am or was. Now if you were hacking at the password for a couple of days, I would keep quiet or make a decent effort to cover the tracks. Because those logs that show your activity could be used in a manner that is unfriendly to you. If you feel that strong about telling them and you don't want to get identified, send a letter to the technical contact listed on WHOIS. Just mail it from a large populated zip code. Alternatively you could try the site "bad link" form. Sometime these are forms that exist outside e-mail links.

In reality, I don't think anything would happen and certainly taking you to court over the issue wouldn't be cost effective to them. They would have to subpoena your ISP etc., but you never know eh? See mailing suggestion above.

P.S.

I agree with Nyx.