Company Thanks Guy Who Alerted Them To Big Security Flaw By Sending The Cops… And The Bill
(TECH DIRT) We’ve seen before that organizations don’t seem to react well to outside security folks pointing out vulnerabilities in their systems. They very often take a “blame the messenger” approach, as if pointing out a flaw suddenly makes that flaw come into existence. But one company seems to be taking it to another level. That Anonymous Coward points us to a story in which a security professional found a big and ridiculously obvious bug in the website of an Australian investment fund, First State Superannuation. Apparently you could see other people’s accounts (their statements) by merely changing the account number in the URL: increase the number by one and see the next member in line. The site trusted the identifier supplied by the client and never checked that the logged-in member actually owned that account, the classic insecure direct object reference. This is the kind of extraordinarily basic mistake that I thought had been eradicated a decade ago. Apparently not.
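To make the flaw concrete, here is an added example (not code from the article or from Pillar’s site) of the vulnerable pattern beside the hardened one. Everything in it is an assumption: the `/statement?acct=` URL shape, the account numbers, and the sample statements are constructed for illustration. The point it shows is that sequential account numbers are not the bug; the missing ownership check is, and the fix is to resolve the requested object against the authenticated session and to answer “not yours” and “does not exist” identically so the endpoint cannot be used to enumerate valid numbers.

```python
"""Insecure direct object reference (IDOR): vulnerable vs hardened statement lookup.

Added example with constructed data; not the fund's real code.
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlparse


class NotFound(Exception):
    """Raised for both 'no such account' and 'not your account'."""


# Constructed sample data (assumption): account number -> (owner, statement text)
STATEMENTS: Dict[int, Tuple[str, str]] = {
    100001: ("alice", "Alice statement: balance 12,400"),
    100002: ("bob", "Bob statement: balance 8,150"),
    100003: ("carol", "Carol statement: balance 55,900"),
}


def get_statement_vulnerable(account_id: int) -> str:
    """Trusts the identifier from the URL: any logged-in member can read any row."""
    return STATEMENTS[account_id][1]  # KeyError if the number does not exist


def get_statement_hardened(session_user: str, account_id: int) -> str:
    """Looks the object up *through* the authenticated identity.

    A missing row and a row owned by someone else produce the same error, so a
    caller walking account numbers learns nothing about which ones are valid.
    """
    row = STATEMENTS.get(account_id)
    if row is None or row[0] != session_user:
        raise NotFound(account_id)
    return row[1]


def handle_request(session_user: str, url: str, hardened: bool = True) -> Tuple[int, str]:
    """Minimal request handler: parses ?acct= from the URL and returns (status, body)."""
    query = parse_qs(urlparse(url).query)
    try:
        account_id = int(query.get("acct", [""])[0])
    except ValueError:
        return 400, "bad account id"
    try:
        if hardened:
            body = get_statement_hardened(session_user, account_id)
        else:
            body = get_statement_vulnerable(account_id)
    except (KeyError, NotFound):
        return 404, "not found"
    return 200, body


def enumerate_statements(fetch: Callable[[int], str], start: int, count: int) -> List[Tuple[int, str]]:
    """Mimics the reported technique: step through account numbers and keep whatever comes back."""
    leaked = []
    for acct in range(start, start + count):
        try:
            leaked.append((acct, fetch(acct)))
        except (KeyError, NotFound):
            continue
    return leaked


if __name__ == "__main__":
    # Logged in as alice, asking for bob's number.
    print(handle_request("alice", "/statement?acct=100002", hardened=False))  # leaks bob's statement
    print(handle_request("alice", "/statement?acct=100002"))                  # 404 after the fix
    # Walking the number space: the vulnerable lookup hands over every member's statement.
    print(len(enumerate_statements(get_statement_vulnerable, 100000, 10)))
    print(enumerate_statements(lambda a: get_statement_hardened("alice", a), 100000, 10))
```

The same idea applies whatever the identifier looks like: switching to random or opaque account tokens only makes guessing slower, while the ownership check in `get_statement_hardened` is what actually closes the hole.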
But the company that runs the fund, Pillar, went quite crazy about this. While the company did fix the security hole, it also sent the police to interrogate the security researcher, Patrick Webster. Pillar also sent a letter to customers (pdf) in which it suggests that Webster created this massive security flaw, rather than their own dreadful programming:
It has come to our attention that a member of First State Super, who has online access to their account, devised a way to view an image of your statement.
And then, to add insult to injury, Pillar sent Webster a letter saying he broke the law, they were closing his account, and may seek money from him to fix the vulnerability:
Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar’s systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.
Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund’s website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.
In addition, the Trustee reserves its rights to require you to allow it’s (sic) IT personnel to examine your computer during business hours to verify that all data and records on your computer have been destroyed or deleted.
In the meantime, the Trustee has suspended your online access to the Member Section of the Fund’s website.
Yup. Help Pillar out, uncover a basic programming/security mistake that puts the info of tons of people at risk, and get punished. Pillar apparently prefers to have people never report any problems they find with its system at all, keep its head in the sand, and instead allow malicious hackers to run wild through a totally insecure system. Brilliant work.