Gregory's Server@WPalant that's like saying it's breaking & entering if I give you a key to my house. I gave you the key, ergo you had permission to be there.
|
26 comments
@husjon @thisismissem @WPalant if you really want a metaphor, here's a more accurate one. there's a fulfillment center, and each customer is issued a delivery robot that will drive there and retrieve their deliveries. one customer followed the robot to see where it goes and saw that the door opens for any robot and stays open long enough for another person to enter, allowing access to everyone's deliveries. reported that to the company and got sued.
 @husjon @thisismissem @WPalant Yes, that's the better analysis. "Attractive nuisance" idea works well, too. If you make it too easy/tempting then it's your responsibility.  @thisismissem Difficult. If we spin this analogy further: you gave me your key for a specific purpose (e.g. pizza delivery while you were out), after which I returned it to you. You didn’t allow me to make a copy of this key and use it later to rearrange the furniture for example. Abusing hardcoded credentials can definitely constitute hacking and cause perfectly justified criminal charges. But intention and damage caused definitely need to go into the equation, not merely “circumvention of protection mechanisms.”  @WPalant in this case it just sounds like he used the key to open the front door, saw an absolute mess & notified the company of the issue @thisismissem @WPalant this seems to omit the other side of the story. If I understand this correctly, vendor software was making undocumented calls to outside infrastructure and sharing potentially sensitive data. It should be in company's right to check the level of exposure to properly protect their and their customers' rights. @RakowskiBartosz @thisismissem @WPalant Well, no. You can't demand the right to look into the internals of your partners - they have a right to privacy as well. You are instead "protected" by the law that requires the partner to protect your privacy interests, or by contracts. What that law is missing, however, is a way to universally verify that they do it correctly, e.g. by independent auditors. Which isn't often feasible, though. It's all a compromise, and it sucks.  Surely you forgot to add a sarcasm tag. The vendor is almost certainly out of GDPR compliance. @WPalant @thisismissem Intent and damages should absolutely matter. But it's also common sense not to use the hardcoded credentials to login and dump the database. Or if you do, why report that you did? Perfectly sufficient to just say you found the hardcoded credentials and stop there.. Bad practice on both sides. @tklengyel @thisismissem Where did you read that he dumped the database? My understanding is that he connected to the database in the assumption that it was specific to his client, then disconnected and reported the issue immediately after realizing that it contained data on other customers as well. @WPalant @thisismissem Just connecting to the db won't show you what data is in it to determine it's not just your data. So he must have dumped it or at the least queried it sufficiently deeply to make that call. @tklengyel @WPalant @thisismissem Just connect to it with a GUI tool like dbeaver (like devs are likely to do), it will show you the schema of tables. @tklengyel @WPalant @thisismissem Mixing customer data like that and giving full access to the database with the given user credentials is criminal neglect and should cost the company dearly. Not the person who figured it out. @Profpatsch @tklengyel @thisismissem According to https://nitter.net/der_sofc/status/1747644600469127386 he connected with phpMyAdmin. While I haven’t used that tool in decades, that would presumably also expose the database schema immediately. @tklengyel @WPalant @thisismissem I hate this thread. Also responsible disclosure is a thing and should be protected under law. Vendors doing something stupid than pressing charges is incompetence and should be audited by a gov agency. This thread and this case is why people don't bother reporting anything they find without malicious intent and just watch the company shoot themselves in the foot. @alex_02 @WPalant @thisismissem I agree, but the reality is that you are better off just ditching that vendor if they won't fix the issue. Then why not publish the issue anonymously? If you aren't going for a bug bounty what is there is to gain by attaching your name to it? @tklengyel @WPalant @thisismissem why does disclosing a security issue require to be a bug bounty or publishing it anonymously? Treating hackers and researchers like terrorists is just making things worse and why threats like ransomware gangs have such an easy walk in the park with breaking into networks. @tklengyel so your proposal is that when someone finds a severe security issue they should just stop using the service themselves then anonymously publish it publicly? I suppose that is one way of doing things “fuck every company that won’t pay me for finding an issue”. Though, overall, this would result in more vulnerabilities being exploited instead of fixed before they are exploited by bad actors @tklengyel @alex_02 @WPalant @thisismissem I'm trying to figure out if Tamas is just being disengenuous, or worse. If I were to find a bug in a product from your company (Intel?!), would y'all prefer that I @frainfostudent @alex_02 @WPalant @thisismissem I'm just saying that if a vendor has no defined security reporting policy and/or an active bug bounty don't be surprised if they will be a bad actor in other ways as well. It's a risk at that point, why take it?  Many judges in court don't know jack shit about programming, and "compiling" is the same as "encrypting" for them. As many analogies said: if you give someone the key to your house, whether it's wrapped in tons of cardboard and tape, they still have the key. The software provider must be condemned as a security flaw, endangering all users.  @thisismissem @WPalant I understand this case more like you put your key in front of your house, visible for everybody. And I'm just telling you that it is a security issue and you are suing me for that. @leonid @thisismissem Well, you did verify that it isn’t just any key but the one opening my door. It’s the fact that you opened the door which got you into court. In fact, even that analogy doesn’t really convey the situation – it’s not actually the key to my house but rather to the storage facility where I keep stuff of people who paid me. And that key puts their stuff at risk. @WPalant @thisismissem now I get it. The issue was that he accessed vendor's database. Even if he has the credentials, he is not allowed to use it. It's like if I found a post-it with password on your PC, I'm still not allowed to use it to login into your account.  @thisismissem @WPalant More like you put a lock on your door that has no tumbers because you didn't know this because it's a "secret"--and someone comes along and says, "Hey, those locks have no tumblers and can just be turned with a flathead," and that person is arrested and imprisoned. No actual entry is required and its been this way for almost 3 decades. Can also be used to imprison someone for the act of selling you a screwdriver or just telling you how to forge one. @thisismissem @WPalant It's more like someone found a key hidden in a very obvious place. Like, if you call the plumber because of a leak in your yard, he can't find it, so he let's himself in with a key under the mat and finds the problem in your house. He was doing the job you hired him to do, but you might be a little uncomfortable learning he's taken liberties with your locks in order to do so. Now, whether that discomfort means a crime has occurred is another matter. |
@thisismissem @WPalant you could also twist it a bit more and say you left your key under your door mat, not even explicitly giving them the key.