It really worries me when I stumble across an insecurity in a website. I don’t go looking for them, but when I find one, I feel like I have a responsibility to do something about it. I don’t mean tell the world about it – that would be bad for the company and, more importantly, for their unsuspecting customers. I mean to let them know.
In the case that I found today, I have used the “Contact Us” part of the site, and will call their head office myself tomorrow if I haven’t heard a response. I really hope they take me seriously. I will offer to help them out to resolve their problems, of course; I have no desire at all for them to be hacked.
This Post Has 4 Comments
SELECT * FROM comments
Cool 🙂 no sql injection there 😀
Hi Rob,
If I contact websites saying that they are susceptible to SQL Injection attacks, will I be doing something illegal?
I mean, I could find that the sites are insecure by trying out some SQL Injection tricks so if I report it to the website, will I be considered a hacker?
SB,
I don’t know – and I guess it depends on your local laws. I think if you don’t do anything malicious, then that could be fine. Accessing confidential information is often considered illegal, which is why I only accessed metadata in the site I stumbled across.
Rob