So I recently found MAJOR security flaws in Spruz.com allowing for MAJOR HTML injection. And not just defacement but the ability to completely DESTROY their users' sites and redirect links and content.
I approached them and basically said I know it and I will give them all the details, for a price; the economy is shit and this is my living. They offered $250 on confirmation (in contract) of the exploit.
3 months later they are nowhere to be seen and my money is not here. So now what is the right thing to do? I could say whatever and walk away, being screwed, or point out the fact to all their premium members that there is a flaw that could lead to the theft of their site, information, investment and users' information or just plain defacement. I already opened a BBB complaint and have threatened to expose them and their flaws. As I should, right? Why would people WANT to pay for such lack of security and a company that refuses to deal with it or pay those who offer the way to deal with it? Is it not my right and duty as an ethical hacker to announce this to all those people regardless of the repercussions on the company such as members leaving and the malicious use of the publicized information? I know normally this would be considered non-ethical but what is non-ethical in relation to a non-ethical company?
Well, my personal opinion, being in regards to being screwed out of money I could really use, is LET THEM BURN. Your ideas?
UPDATE: Here is the link to the information, http://proofm3.webs.com