Reporting obvious exploits to website owners, how should I go about this?
I was doing a project for school (college) when I came across a website somewhat related to what I was doing. After poking around for a bit and seeing what they were selling on the website (older software downloads), I started poking around in the HTML to see what made the site tick. Upon looking at the code I was absolutely shocked. This is the site's code to verify that you've paid for things.
```html
<script language="javascript">
<!--
// The only "verification": any id value greater than 0 is accepted
function check(item){
  var returnVal = false
  if (item.id.value > 0) {
    returnVal=true;
    return returnVal;
  }
  else {
    alert("Invalid input" )
    //alert("expression" + " " + (item.id.value))
    item.id.focus();
    item.id.select();
    returnVal=false;
    return returnVal;
  }
}
//-->
</script>
```
Javascript. I swear to god this is from an actual website run by actual people. And they used Javascript as a security measure to keep you from stealing their stuff.
I, being the curious type that I am, wanted to see if that was really all the security the page had. So I saved the page to my computer, changed the returnVal = false to returnVal = true, ran the page, and voilà, I have access to the downloads that you're supposed to pay for. What I want to do is message the website administrator and let him/her know how easy it is to access the things they're charging money for.
My question is, though, how should I go about doing this? I don't want them to start asking all these questions like "What were you doing poking around our website like this?!?!" I've done nothing wrong; I haven't used this to get anything they charge money for, but I'm also afraid they'll say I was nosing into things that are none of my business and say I'm trying to steal from them or some stupid crap like that. I don't know, any suggestions would be most appreciated.
Oh, and by the way, I make no claims to be "LEET." I'm not trying to sound cool here, I just want to know a pleasant way to go about this. Believe me...if I found this, their website is really in need of help.
*UPDATE*
I take all of it back. I'd somehow looked at the scripting for two pages at once, and combined the two codes in my head. I thought the javascript code below passed the ID number into another function to test if it was a real number or not (a proper ID #, that is). No. That IS the authentication. If the value is greater than 0 then it returns true. I was wondering why I couldn't find the other function again....
Now I don't know if I want to help the admin, or laugh at him/her.
It's hard to tell. Either you get a cool admin who will work with you to help fix the exploits, or fix it themselves and say thanks, or you'll get the really assholey ones who threaten you, even though you're trying to help them. Basically, seeing as you got into the downloads section, tell the admin. But, you need to say that you didn't exploit the security, but it was just a concern. Give them how they can do it and say something like, "I would try it myself, but I don't want to get in trouble." Otherwise, by exploiting it, they can ensue legal ramifications. Even though, from their obvious computer illiteracy, they probably wouldn't do such a thing.
On a personal note, I wouldn't tell them anything. If they don't know what you're doing, by telling them about this exploit, they might freak out and get really scared and that won't turn out good for you.
Ponguile wrote: What type of things can you download?
Really old psychology programs. Really old.
So I emailed the admin. The only way they had to contact them was through an email page (more badly written java). I didn't feel comfortable listing the problems unless I had some kind of personal contact with the admin (i.e. I wanted to know he was going to listen). So I said, "Hi, my name is Gary. I'd like to talk to you about some problems with your website. If you could email me at Jz2383@gmail.com I'd really appreciate your time. Thank you"
That was the day after I posted this message (not sure which day that was), but he/she has yet to contact me. So if he cares he'll email me, I suppose. The page also might just be dead. It's obviously an old page, but there's the text at the bottom "copyright 2007, page update Dec 2006", though that copyright notice may be the only thing updated on the page. Regardless, though, now it's in the hands of the admin to contact me if he's concerned about this.