hsukowa@yahoo.com
06/08/07, 22:43
My apologies if this question is inappropriate for this email list, but it is a last resort and a friend recommended posting this question here.
In the last 36 hours I uncovered an exploit that compromises the private information of thousands of individuals - including SSN and address information. I cannot judge whether or not the exploit is easy to find. I do know that if found, it would not be difficult to write a simple script in php or perl to exploit the hole.
My concern is that the company responsible for this hole (for whom I am currently employed) will patch the problem on seeing it occur on Monday (a good thing) but do little or nothing to notify any user whose private information is on their system (downplaying the likelihood of risk). This exploit has very likely existed for years and whether or not a company typically keeps logs for years is beyond my knowledge - the exploit is however detectable through web log files. I also lack faith in the company's ability to make an objective determination whether or not the exploit has been used to download the private information of its' users.
My question is this - does anyone out there have any experience dealing with this type of a situation? --- Where a company has silenced an exploit without notifying customers who may have been victims of it? Does anyone have any recommendations for a course of action I might take to somehow ensure users whose private information may have been compromised are notified in the event the company chooses to "sweep it under the rug"?
Again my apologies if my asking this question in the wrong forum has offended anyone.
And many thanks to anyone who responds.
In the last 36 hours I uncovered an exploit that compromises the private information of thousands of individuals - including SSN and address information. I cannot judge whether or not the exploit is easy to find. I do know that if found, it would not be difficult to write a simple script in php or perl to exploit the hole.
My concern is that the company responsible for this hole (for whom I am currently employed) will patch the problem on seeing it occur on Monday (a good thing) but do little or nothing to notify any user whose private information is on their system (downplaying the likelihood of risk). This exploit has very likely existed for years and whether or not a company typically keeps logs for years is beyond my knowledge - the exploit is however detectable through web log files. I also lack faith in the company's ability to make an objective determination whether or not the exploit has been used to download the private information of its' users.
My question is this - does anyone out there have any experience dealing with this type of a situation? --- Where a company has silenced an exploit without notifying customers who may have been victims of it? Does anyone have any recommendations for a course of action I might take to somehow ensure users whose private information may have been compromised are notified in the event the company chooses to "sweep it under the rug"?
Again my apologies if my asking this question in the wrong forum has offended anyone.
And many thanks to anyone who responds.