A few weeks ago I was looking into some online services and was checking out various offerings to see if they would meet my requirements. Of course each of these services requires you to create an account to be able to test them. Although I’m not crazy about this it’s a reality of doing things on the internet. If it’s something that I’m really not comfortable with then I will either pass on the service or use a throw away email account to do my testing with.

Before I go any further let me say that I am not a pen tester, vulnerability researcher or uber hacker by any means. I can and do some of the above when needed, but for the most part I’m just a guy who believes strongly in doing my part to keep my little piece of the world secure. Unfortunately, the more places I go on the internet the bigger my piece of the world gets. If I’m going to use an internet-based service, no matter what it is, then I expect it to meet a minimum level of various requirements, and security is a big one. I also expect reasonable tech support services and a user interface that is understandable and usable.

To veer slightly off path, I want to say that I believe strongly that every insecure system, application and user out there hurts us all. It’s not just an “it’s my system and I can do what I want with it” world. When you disconnect from the internet and NEVER reconnect again then you can live your computing life that way. Until then you have a responsibility to keep your systems and applications secure and to practice “reasonable and secure” computing. If you don’t, it affects way more than just you.

Back to my topic. So as I’m testing services I run across one that has an unusual “feature”. There are 2 “Continue” buttons at the bottom of the first page of the registration process. I’ve never seen this before and obviously am curious as to why. If you push one of them nothing happens (yes, I tested this in a secure environment), and if you press the other one you get different responses depending on whether or not you pushed the first one before it. So as I’m looking into this I check the page source code, and it appears that the “second” button is supposed to be hidden and is used for debugging. Someone just forgot to “hide” it after testing.
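A leftover debug control like this is easy to catch before it ships. The following is an added example (not code from the original post or from the site in question): a small pre-deploy check that parses a rendered form page and flags duplicate submit buttons, submit controls hidden with inline CSS, and controls whose id/name/class carry debug-style names. The HTML sample and the naming markers are constructed assumptions for the demonstration.

```python
from html.parser import HTMLParser

DEBUG_MARKERS = ("debug", "test", "dev")  # assumed naming conventions, heuristic only


class FormAuditor(HTMLParser):
    """Collects submit controls and anything that looks like a debug leftover."""

    def __init__(self):
        super().__init__()
        self.submits = []   # (visible label, attributes) for every submit control
        self.findings = []
        self._btn = None    # (attributes, text buffer) while inside a <button>

    def _check(self, tag, a, ident):
        if any(m in ident for m in DEBUG_MARKERS):
            self.findings.append(f"debug-named control <{tag} {ident.strip()}>")
        if "display:none" in (a.get("style") or "").replace(" ", "").lower():
            self.findings.append(f"hidden submit control <{tag} {ident.strip()}>")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ident = " ".join((a.get(k) or "") for k in ("id", "name", "class")).lower()
        if tag == "input" and (a.get("type") or "").lower() == "submit":
            self._check(tag, a, ident)
            self.submits.append(((a.get("value") or "").strip(), a))
        elif tag == "button" and (a.get("type") or "submit").lower() == "submit":
            self._check(tag, a, ident)
            self._btn = (a, [])
        elif any(m in ident for m in DEBUG_MARKERS):
            self.findings.append(f"debug-named control <{tag} {ident.strip()}>")

    def handle_data(self, data):
        if self._btn is not None:
            self._btn[1].append(data)

    def handle_endtag(self, tag):
        if tag == "button" and self._btn is not None:
            a, buf = self._btn
            self.submits.append(("".join(buf).strip(), a))
            self._btn = None


def audit_form(html: str) -> list[str]:
    """Return a list of findings; an empty list means the page looks clean."""
    p = FormAuditor()
    p.feed(html)
    labels = [label.lower() for label, _ in p.submits]
    for label in sorted(set(labels)):
        if labels.count(label) > 1:  # two "Continue" buttons on one page
            p.findings.append(f"{labels.count(label)} submit controls labelled '{label}'")
    return p.findings


# Constructed sample page reproducing the shape of the bug: two "Continue" buttons,
# the second one debug-named and hidden via CSS instead of removed from the build.
SAMPLE_PAGE = """<form action="/register" method="post">
  <input name="email"><button type="submit">Continue</button>
  <button type="submit" name="debug_continue" style="display: none">Continue</button>
</form>"""

if __name__ == "__main__":
    for finding in audit_form(SAMPLE_PAGE):
        print("FINDING:", finding)
```

Run it against the HTML your build actually serves (after templating), since a control hidden only by CSS or JavaScript is still delivered to every visitor.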

After I have completed my testing and have a pretty good understanding of exactly what happens under different circumstances I compose an email and send it to 2 different contacts that I was able to find for the site. Thus the reason for this post.

I sent 2 emails with the relevant information. I sent them copies of the error that was displayed, how to recreate the error and information as to why having an error of this type displayed is a hacker’s dream. To date I have not heard back from them and the site has not changed. It still has 2 “Continue” buttons. It still displays the error when you click the buttons in the right order. So since it’s been a while and nothing has happened I decided to write about it here. Not from the perspective of disclosing the site and hoping to “force their hand”, but to talk about how to deal with such issues.

So how should you as a company deal with something such as this? At my last job, shortly after I started, we got an email from a “white hat” who said he had discovered a SQLi on our site. I did a little investigating myself and confirmed that we really did have a SQLi, so I got with my apps guys and got it fixed in a matter of minutes. I wanted to reach out to the guy who reported it and tell him thanks for the heads up and let him know that we appreciated him handling it this way and not a) exploiting it or b) announcing it to the world. Since I was new in the position I decided to run it by my supervisor, and he would not allow me to do so. He told me to ignore the guy and hope he left us alone. I wasn’t too keen on this but followed his directive and did not contact the guy. Was this the best course of action? I’m not 100% sure, but I know that I didn’t like just leaving him hanging. What if it irritated him and he came after us in other ways? What if he found other issues later and decided not to report them to us first since we ignored him? What were the implications of this? There are no hard and fast rules on something such as this. If someone says that they are a white hat and they are reporting a vulnerability or bug then chances are that they don’t care to be responded to, but if they are a grey hat then this could be just the excuse they are looking for to justify their next step into the black hat realm.

Now, I’m not going to turn black hat on them, and I really don’t care that they have not contacted me, but I do care that they have not fixed the problem. Because when others, who may be less amiable than me, find this, they may have the skills and motivation to use it as an entry point into their network (yes, they do have a “for pay” service that you pay for with your credit card) or to use it as a malware distribution point. Neither of which will benefit the company, and both of which can hurt you and me.