ADD Posted January 16, 2014 Hi all, I've found a quite bad security leak exposing a bunch of customer data in an app created by a small startup. It's a really obvious hole. I simply made 2 accounts, logged in with one, went to the edit page of my account containing my info (email etc.), then changed the ID in the GET request to the other account's ID. It's scary how easy this was. I never looked at other customers' data. The GET URLs just seemed so insecure that I had to try if this would work. Anyway, I really want to make the issue clear to the company so they can fix it. However, I'm worried they might not take this so well. I'm afraid they will take more notice of the 'I can view all your customers' data' part of my story than the 'and I'm here to help' part. Of course I could leave a nice note in their contact form without an email address and hope they don't keep any access logs (wouldn't be surprising at this point). But that just doesn't seem right. Does anyone have any advice on how to go about this? Any experiences in this area maybe? Should I be worried at all about legal troubles? Thanks!
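The hole described in this post is a missing authorization check on the account-edit endpoint: the server trusts the `id` in the query string and only verifies that someone is logged in. The following is an added example, not code from the post or from the startup's app; it models that handler with a constructed in-memory account table and a made-up access-log format to show the vulnerable lookup, the fixed lookup that ties the record to the session user, and a log check a defender could run to spot requests where the session user and the requested ID differ.

```python
import re

# Constructed sample data standing in for the app's account table.
ACCOUNTS = {
    101: {"name": "Alice", "email": "alice@example.invalid"},
    102: {"name": "Bob", "email": "bob@example.invalid"},
}

class Forbidden(Exception):
    """Raised when the session user is not allowed to read the requested record."""

def get_account_vulnerable(session_user_id: int, requested_id: int) -> dict:
    """Authentication only: any logged-in user can read any account by changing the id."""
    if session_user_id not in ACCOUNTS:
        raise PermissionError("not logged in")
    return ACCOUNTS[requested_id]  # trusts the id from the URL

def get_account_fixed(session_user_id: int, requested_id: int) -> dict:
    """Authentication plus authorization: the id in the URL must be the session user's own."""
    if session_user_id not in ACCOUNTS:
        raise PermissionError("not logged in")
    if requested_id != session_user_id:
        raise Forbidden(f"user {session_user_id} requested account {requested_id}")
    # Safer still: ignore the URL id entirely and key the lookup on the session user.
    return ACCOUNTS[session_user_id]

# Constructed access-log lines in a hypothetical format: timestamp, session user,
# method and path, response status. Not a real log format from the app.
SAMPLE_LOG = [
    "2014-01-16T10:00:01 user=101 GET /account/edit?id=101 200",
    "2014-01-16T10:00:09 user=101 GET /account/edit?id=102 200",
    "2014-01-16T10:01:00 user=102 GET /account/edit?id=102 200",
]
LINE_RE = re.compile(r"user=(\d+) GET /account/edit\?id=(\d+) (\d{3})")

def flag_id_mismatches(lines):
    """Return (session_user, requested_id, status) for requests to another user's record.

    A 200 on a mismatch means the server served the other account; after the fix
    the same request would be logged as 403.
    """
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(1) != m.group(2):
            hits.append((int(m.group(1)), int(m.group(2)), int(m.group(3))))
    return hits
```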
mreidiv Posted January 16, 2014 Look at this thread https://forums.hak5.org/index.php?/topic/31130-how-to-tell-someone-that-their-site-is-vulnerable-to-sql-injection/
ADD Posted January 17, 2014 Thanks a lot! Didn't come across that thread yet. It has a lot of good advice.