Gaming Ethical Hacking When Companies Aren't Ethical?

[Xeology]

So I recently found MAJOR security flaws in Spruz.com allowing for MAJOR html injection. And not just defacement but the ability to completely DESTROY their users sites and redirect links and content.

I approached them and basically said I know it and I will give them all the details, for a price, the economy is shit and this is my living. They offered $250 on confirmation (in contract) of the exploit.

3 months later they are no where to be seen and my money is not here. So now what is the right thing to do? I could say whatever and walk away, being screwed, or point out the fact to all their premium members that there is a flaw that could lead to the theft of their site, information, investment and user's information or just plain defacement. I already opened a BBB complaint and have threatened to expose them and their flaws. As I should right? Why would people WANT to pay for such lack of security and a company that refuses to deal with it or pay those who offer the way to deal with it. Is it not my right and duty as an ethical hacker to announce this to all those people regardless of the repercussions on the company such as members leaving and the malicious use of the publicized information? I know normally this would be considered non-ethical but what is non-ethical in relation to a non-ethical company?

Well my personal opinion, being in regards to being screwed out of money I could really use, is LET THEM BURN. Your ideas?

UPDATE: Here is the link to the information, http://proofm3.webs.com

 

[twiztidsinz]

If I'm not mistaken what you did, by telling them you would inform them of an exploit in exchange for money then threatened them with the information, was essentially blackmail.... so there goes the whole 'ethics' part.

 

[Nathan Drake]

If I'm not mistaken what you did, by telling them you would inform them of an exploit in exchange for money then threatened them with the information, was essentially blackmail.... so there goes the whole 'ethics' part.

He found an exploit and offered to give them the information about it for cash. It was more a "if I found it, the somebody else could too" type thing over using it against them. If they weren't willing to pay them, he could have easily just have done nothing about it and left it as it was. As they offered payment for the information, they are obligated, especially if by contract, to pay for the information they were given for the better security of their site.

 

[Xeology]

If I'm not mistaken what you did, by telling them you would inform them of an exploit in exchange for money then threatened them with the information, was essentially blackmail.... so there goes the whole 'ethics' part.

No I informed them I would give it to them in exchange for compensation, which is legal. They agreed, took the information and refused to pay, under contract, which is ILLEGAL. Then I told them I would inform all their customers publicly about their flaws and how they affect them and their investment through a complain through the BBB, which I believe to be fair practices for those who could be interwebz raped by hackers with a bad agenda.


Hmm, I techinically am black mailing them, but maybe they would like to not receive a paycheck that puts food on the table (you wouldn't not pay a pizza guy right?) lolololol. The thing is, and the point of this besides me wanting to just talk, is at what lengths should hackers go to inform users, and screw companies that screw them.

 

[Originality]

Be under the I assumption that all companies are out to screw them. They only care about money, not about service. 9 times out of 10, this assumption is right.

 

[FAST6191]

If I'm not mistaken what you did, by telling them you would inform them of an exploit in exchange for money then threatened them with the information, was essentially blackmail.... so there goes the whole 'ethics' part.

In principle some can look at it that way but in practice this is an accepted method of doing things, indeed $250 for an exploit as huge as Xeology claims is actually very much on the low side.


Back on topic I am afraid I have not been in your situation and rarely even go in for the drive by/unsolicited pen test stuff and especially not against web stuff.

Basically you already said you have no funds to play with so it is CYA mode in case they fire a frivolous lawsuit your way (I am guessing this is the typical angel and VC financed company- those people will try to bury you and if they were not already lawyers will have one on retainer if not in house).

Step 1 would be contact them again mentioning the contract (if you can do a tracked email (something like make a logo for yourself to justify and one of the hidden pixel images or something to confirm receipt although I have no idea why I am telling you this sort of thing) and imposing a time limit for correspondence- a week should be enough). It might just be the case that they held back for this financial year.

Repeat that at the end of the time limit if you want.

After this (or perhaps you might want to skip it if you contract is good enough to hold you- 3 months aka 90 days is about the limit for any payment) it gets more fun. Whether you want to tack on a "late payment fee" is up to you and how good you feel about your initial contract.

Do not most of the bug posting sites and forums for them as well as web hosting/site generation in general have lists of people that do not play nicely with others (if not then make one- every other service has such a list)?
I assume this was implementation rather than say an error in their server side scripting program (assuming such a thing is stock of course) which changes things a bit in as much as I have no idea where to go for this sort of thing- I am not a web hacker and even then it is a bit different from the application and hardware stuff I usually play with although that changes again as they appear to offer a "application" service by way of building you a site to then host as it were (granted they appear to want to lock you in up to "enterprises- please contact us" level).

Equally if they have fixed it (might be a worth a quick check to make sure they actually fixed it and not just patched your example attack) consider doing a complete writeup of what you have (might be tricky are you are in essence most likely republishing source code*) and any email correspondence/IM correspondence as well as the contract if you like (your call as to what sees the censors pen) and then posting it to wherever that will accept it (assuming you do not want direct payment for the story loads of places will accept it) and if you are so inclined it might even make a half decent con talk (so rarely do we have a good "trash a site" talk these days). Reputation is important for these people as is growth and this sort of thing if you post it up does threaten it so that should get them to act in a hurry (your call as to whether you accept a we will pay you what we owe and a token fee for taking the posts down- I imagine they will try it on though).

*be extremely careful here- you are not anonymising it, from error in web code to ready to go exploit is in many ways even easier than a lot of the binary stuff (thinking ease of say a basic SQL attack vs having to mess around with assembly), if part of what you used was social engineering state that explicitly, if you have a customer email database avoid using it (especially do not "spam" their members saying what goes) unless maybe you have a hash or some other obfuscation applied to it- enough to tell, not enough to be useful sort of thing.

Good luck and if you are allowed keep us informed.

 

[Xeology]

Yeah I am going to post back an email, believe it or not the BBB turned it down, most likely bcause it is a legit case against a legit company. It's not the great USA if the big guys arent screwing the little guys and getting away with it right?

Yeah I am writing up a full technical documentation of it as well as using my own spruz account I just made to further test my exploit to see exactly how far this rabbit hole will take me into their servers.

They pull the last string, and if they do it will open up a door to hell because I will most definitely have a full easily implemented exploit to not only dump ALL server end source for public viewing into a downloadable medium but also dump all server end variables so people have info on EVERYTHING. Think it is about time people start standing up and saying FU** YOU CORPORATE LEGAL FAVORITISM.

As a side not for discussion. All these companies talk about their "intellectual property" and how pirating is "bad". But this work and exploit is MY intellectual property and neither does the government legal system nor the companies give a rats ass even that they would be stealing my work. So in my opinion, start screwing the big guys. Have a console or pc (games)? GOOD, hack it and pirate the hell out of it and make these assholes whine like a little pig when they see their sales drop because in the end all these companies are all the same and you cant have ethics with un-ethical providers.

/rantdone

 

[Dangy]

VIVA LA REVOLUTION.

 

[Xeology]

UPDATE: I can overflow their variables they store the hidden fields in on form submit. It DOES NOT cut off whats beyond a reasonable size causing the server to proccess them storing me sending 100000^100000000 9s into a variable. This has successfully DoS'ed their site for a couple of seconds. If I dedicated a solid minute to spamming the submit button (since it doesnt refresh the page) it would put the site under for a LOOOOOOOOOONG time.

 

[twiztidsinz]

Yeah I am going to post back an email, believe it or not the BBB turned it down, most likely bcause it is a legit case against a legit company. It's not the great USA if the big guys arent screwing the little guys and getting away with it right?More like you don't have a legal leg to stand on... since, ya know... there's nothing wrong with them ignoring your demands and you're essentially trying to extorting money from a company.
If you truly have a contract with them, then it's a matter you should be discussing with a lawyer and not the Better Business Bureau.

Yeah I am writing up a full technical documentation of it as well as using my own spruz account I just made to further test my exploit to see exactly how far this rabbit hole will take me into their servers.

They pull the last string, and if they do it will open up a door to hell because I will most definitely have a full easily implemented exploit to not only dump ALL server end source for public viewing into a downloadable medium but also dump all server end variables so people have info on EVERYTHING. Think it is about time people start standing up and saying FU** YOU CORPORATE LEGAL FAVORITISM.Exactly what "strings" are they pulling?
From the sounds of it, you're the aggressor who's getting upset that you're being ignored.


QUOTE(Xeology @ Apr 15 2011, 01:32 AM)

As a side not for discussion. All these companies talk about their "intellectual property" and how pirating is "bad". But this work and exploit is MY intellectual property and neither does the government legal system nor the companies give a rats ass even that they would be stealing my work. So in my opinion, start screwing the big guys. Have a console or pc (games)? GOOD, hack it and pirate the hell out of it and make these assholes whine like a little pig when they see their sales drop because in the end all these companies are all the same and you cant have ethics with un-ethical providers.

/rantdone

Huh?? You make ZERO sense there...
In what way would they be stealing your exploit? R DEY HAXIN UR MIND? STEELING UR MEGAHURTZ?
Exactly what good would your exploit code do for them? They have no interest in your exploit code, their concern would be to fix the exploit you used which wouldn't involve any code you seem to have at the moment.

 

[Xeology]

Yeah I am going to post back an email, believe it or not the BBB turned it down, most likely bcause it is a legit case against a legit company. It's not the great USA if the big guys arent screwing the little guys and getting away with it right?More like you don't have a legal leg to stand on... since, ya know... there's nothing wrong with them ignoring your demands and you're essentially trying to extorting money from a company.
If you truly have a contract with them, then it's a matter you should be discussing with a lawyer and not the Better Business Bureau.

Yeah I am writing up a full technical documentation of it as well as using my own spruz account I just made to further test my exploit to see exactly how far this rabbit hole will take me into their servers.

They pull the last string, and if they do it will open up a door to hell because I will most definitely have a full easily implemented exploit to not only dump ALL server end source for public viewing into a downloadable medium but also dump all server end variables so people have info on EVERYTHING. Think it is about time people start standing up and saying FU** YOU CORPORATE LEGAL FAVORITISM.Exactly what "strings" are they pulling?
From the sounds of it, you're the aggressor who's getting upset that you're being ignored.


QUOTE(Xeology @ Apr 15 2011, 01:32 AM)

As a side not for discussion. All these companies talk about their "intellectual property" and how pirating is "bad". But this work and exploit is MY intellectual property and neither does the government legal system nor the companies give a rats ass even that they would be stealing my work. So in my opinion, start screwing the big guys. Have a console or pc (games)? GOOD, hack it and pirate the hell out of it and make these assholes whine like a little pig when they see their sales drop because in the end all these companies are all the same and you cant have ethics with un-ethical providers.

/rantdone

Huh?? You make ZERO sense there...
In what way would they be stealing your exploit? R DEY HAXIN UR MIND? STEELING UR MEGAHURTZ?
Exactly what good would your exploit code do for them? They have no interest in your exploit code, their concern would be to fix the exploit you used which wouldn't involve any code you seem to have at the moment.

Lols extorting them? No i came to them nicely and offered what they needed, a security fix. This exploit is retardedly basic and any nut monkey will figure it out eventually. I offered them the full technical write up and they offered back WITH A SIGNED CONTRACT a price for the service. If they didn't want it they could have said we are not interested. But they did not.

As per contract I disclosed the exploit and exactly how to fix it (the fix and the security details and write up being MY intellectual property)

They took off with the code and me with no money AS CONTRACTED - ethics go right out the window now.

They violated a contract and now have effectively stole my property which was under contract to be bought. Because plain and simple if they didnt buy it from me the next hacker might of just shit bombed their entire site and called it a good day. I offered security from that.

And correction I have a lawyer who is very interested, buddy of mine just got back to me with his number.

At this point if you cannot see how a company stealing information that they would pay thousands for an employee to do is wrong then your ethics are just as bad bud.

(and as a correction I detailed a full code that could be injected to deface sites and a full patch to fix it, so yes there is code)

 

[twiztidsinz]

Lols extorting them? No i came to them nicely and offered what they needed, a security fix. This exploit is retardedly basic and any nut monkey will figure it out eventually. I offered them the full technical write up and they offered back WITH A SIGNED CONTRACT a price for the service. If they didn't want it they could have said we are not interested. But they did not.Initially, and what I based my comments on, you said you demanded a sum of money. Now you're saying they offered you money after you contacted them.
So which is it?

As per contract I disclosed the exploit and exactly how to fix it (the fix and the security details and write up being MY intellectual property)

They took off with the code and me with no money AS CONTRACTED - ethics go right out the window now.

They violated a contract and now have effectively stole my property which was under contract to be bought. Because plain and simple if they didnt buy it from me the next hacker might of just shit bombed their entire site and called it a good day. I offered security from that.Which is why this is a matter for a Lawyer, not the BBB.

QUOTE(Xeology @ Apr 15 2011, 02:28 AM)

And correction I have a lawyer who is very interested, buddy of mine just got back to me with his number.

At this point if you cannot see how a company stealing information that they would pay thousands for an employee to do is wrong then your ethics are just as bad bud.

At no point until now have you mentioned a lawyer.
And I doubt they'd 'pay thousands for an employee' to do what you described as 'retardedly basic' and that 'any nut monkey will figure it out eventually'.



So I ask again, which "strings" are they pulling to justify your aggression against them?
If they broke the contract your first call should have been to a lawyer, not a post on a forum about whether or not you would be morally justified in attacking this company and possibly causing damage to them.

 

[Xeology]

Lols extorting them? No i came to them nicely and offered what they needed, a security fix. This exploit is retardedly basic and any nut monkey will figure it out eventually. I offered them the full technical write up and they offered back WITH A SIGNED CONTRACT a price for the service. If they didn't want it they could have said we are not interested. But they did not.Initially, and what I based my comments on, you said you demanded a sum of money. Now you're saying they offered you money after you contacted them.
So which is it?

As per contract I disclosed the exploit and exactly how to fix it (the fix and the security details and write up being MY intellectual property)

They took off with the code and me with no money AS CONTRACTED - ethics go right out the window now.

They violated a contract and now have effectively stole my property which was under contract to be bought. Because plain and simple if they didnt buy it from me the next hacker might of just shit bombed their entire site and called it a good day. I offered security from that.Which is why this is a matter for a Lawyer, not the BBB.

QUOTE(Xeology @ Apr 15 2011, 02:28 AM)

And correction I have a lawyer who is very interested, buddy of mine just got back to me with his number.

At this point if you cannot see how a company stealing information that they would pay thousands for an employee to do is wrong then your ethics are just as bad bud.

At no point until now have you mentioned a lawyer.
And I doubt they'd 'pay thousands for an employee' to do what you described as 'retardedly basic' and that 'any nut monkey will figure it out eventually'.



So I ask again, which "strings" are they pulling to justify your aggression against them?
If they broke the contract your first call should have been to a lawyer, not a post on a forum about whether or not you would be morally justified in attacking this company and possibly causing damage to them.

Never said I demanded, just asked whats in it for me being that i did the work for them.

I didnt mention a lawyer till now cause i didnt have one, my friend gave me a call saying to use this guy he uses. Which is only giving legal advice cause i dont want to waste my time in us law, my children wouldnt even see the money lol.

And yes, they would pay thousands. How much is a php developer paid a year nowadays? ALOT. And they would have had to hire one to not only search out the issue if they did not take my offer but to also patch it up.

Never said they were pulling strings on the situation, just my mood and the trap door under their feet if they dont keep good on the contract considering I did.

And I am posting on here, just like I said before, for fun. Just to talk. It's late and I am bored >.

 

[FAST6191]

@Xeology by all means be pissed but you are running the risk of saying something silly at this rate that could later harm you if and when it comes to sitting in front of the beak- you already effectively just disclosed an unpatched attack in damn near exploit form.

Also re BBB granted you are probably not in an ideal position here (I assume they are not in the same state) but do not most people usually skip them and head to the state/district attorney's office or something like that (granted the sums are a bit low right now). Certainly when dealing with some house and car sales types they would be first on my list with only a token/"just to say I did" call to the BBB.

@twiztidsinz

....
I approached them and basically said I know it and I will give them all the details, for a price, the economy is shit and this is my living. They offered $250 on confirmation (in contract) of the exploit.
....

This post has been edited by Xeology: Yesterday, 06:08 AM
Bolding is my own, apologies if this was the thing that was edited and you replied to the first revision.

Carrying on.
"And I doubt they'd 'pay thousands for an employee' to do what you described as 'retardedly basic' and that 'any nut monkey will figure it out eventually'."

http://www.google.com/Top/Computers/Securi...ration_Testing/
Granted this is contractors and outside companies but the principle applies and let me assure you these people do cost a pretty penny.

I know I already shot down my web skills in an earlier post but unchecked inputs (especially to a hidden field) and indeed I am not sure you can even justifiably use hidden fields for anything critical these days (we have scripting languages for a reason) are two of the most simplistic security mistakes out there.
Equally if they are on a shared hosting platform and they did not kick it up to VM level (I assume Xeology did not punch through a VM and instead gained something that approximated root access to a shared server) in this day and age (granted they appear to be using IIS at some level which might make that a bit expensive) that is an eyebrow raiser.
Equally do a search for "bug bounty"- a great many companies offer rewards for this sort of thing.

QUOTE"Xeology: But this work and exploit is MY intellectual property and neither does the government legal system nor the companies give a rats ass even that they would be stealing my work. "
Huh?? You make ZERO sense there..."

"twiztidsinz: In what way would they be stealing your exploit? R DEY HAXIN UR MIND? STEELING UR MEGAHURTZ?
Exactly what good would your exploit code do for them? They have no interest in your exploit code, their concern would be to fix the exploit you used which wouldn't involve any code you seem to have at the moment. "

It is the same logic that means a photograph of you is the intellectual property of the person that took it until/unless the rights are signed over or perhaps a variation on the rights afforded to publishers of out of copyright books (the typesetting and the like being the work that is protected). There is also a growing concept of exploits as a computer language of sorts* (with the right amount of exploit you can have a turing complete language) which effectively makes it a program and thus placing us in the far more established (not that the exploit for sale method is not acceptable) realm of software sales.
If they as a web service company have zero interest in security then I shall say they as a company clearly have no interest in lasting the month.

*found the video- http://www.youtube.com/watch?v=EHfGP1WHiZs it is later on but the whole thing is good. Whether you want to try it on in court (especially when you seem to have a clear violation of contract) is a different matter entirely.

To this end @twiztidsinz assuming you are not doing some form of devil's advocate/argument from the perspective of a less than technologically capable judge I implore you to read up on the state of computer security as it applies to the law- your arguments seem to be based on a somewhat earlier understanding of the law which has since been seriously warped by the modern age. If not this a clear cut case of someone seeing the need for a service/item that was lacking in a given industry aka the definition of a good/useful business or industry.

As for posting here I would argue it does not need to be a case of "the only people to win are the lawyers"- something that cuts both ways (bad PR for a company like this is not something that is easily recovered from) and discussion is always fun.

 

[unseen4ce]

I think they did the wrong thing, if you have a contract, sue them; otherwise I would make them pay in someother way. Teach them a lesson.

 

[Xeology]

They said they did not deem it a true threat and I need to proove what I say. To try to push me into breaking laws and being prosecuted so they do not have to pay? Nah, I'll leave it to others. I am goinging to SLOWLY release the exploits and how they function building up to the big ones last, except one that I would like to save for myself sorry guys!

Here is the site http://proofm3.webs.com/

 

[Sausage Head]

How much of these exploits have you found?

 

[Xeology]

If you mean the ones posted, I found them all, if you mean altogether including un-posted, around 10 so far. Many of them based off of the ones posted.

 

[Oveneise]

Don't ruin their site or steal their stuff. Just respectfully tell them that there is a major flaw in their security and tell them to hand over the cash, and you'll give them the details.

 

[Xeology]

Don't ruin their site or steal their stuff. Just respectfully tell them that there is a major flaw in their security and tell them to hand over the cash, and you'll give them the details.

Read the whole post lol, we tried the respectful way. They took the exploit, signed a contract and refused to pay and then said that they needed more proof in an attempt to set me up to void the contract. I'm over this ethical crap. They don't want to play a nice fair game then why should I. They steal food off of my table and I'll take it right back off of theirs.