Security Researcher Threatened With Vulnerability Repair Bill

mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."
  • Re:Obviously (Score:3, Interesting)

    by Mathinker ( 909784 ) on Friday October 14, 2011 @06:19PM (#37719244) Journal

    > said access is just changing a number in a url because they have a retarded system

    I wonder just how many of us have come across such idiocies. I know I have, and yes, I didn't report it because the probability that I would get into trouble by doing so was greater than the damage of email addresses being leaked or having a few people getting their bulk email subscriptions erroneously canceled (it was a company which took care of mass emailing for quite a few clients, including a prestigious scientific journal).

  • by mounthood ( 993037 ) on Friday October 14, 2011 @06:37PM (#37719458)

    The rule should be: Disclosure Guarantees Immunity

    This would lead to some abuse, but it would also lead to disclosure, which is the only way we're going to develop a secure internet. A federal agency could take the reports to keep both sides honest. Immunity could be granted only for what's reported so if people leave something out to hide their malfeasance it wouldn't be covered under immunity. Reports could even be done anonymously if there's an intervening agency.

  • Re:Obviously (Score:5, Interesting)

    by hawguy ( 1600213 ) on Friday October 14, 2011 @06:45PM (#37719564)

    I wonder just how many of us have come across such idiocies.

    I came across one long ago, back when the internet was more open and trusting - I discovered that a remote server had its root filesystem opened to the world via an NFS export. I emailed the administrator for the server and he said "No worries, you may be able to mount it but file permissions prevent you from doing anything unless you have an account on that server". So I emailed back and said that *any* root user on any server could get full access (this was before the root user was routinely mapped to uid nobody). He said "No, if you're not root on my server you can't get access". So I mounted it read-write from my computer, did a "touch /etc/i_have_access" and told him to look at the file I just created.

    He thanked me and stopped exporting the filesystem. If I did that nowadays, I'd likely be facing charges for hacking.
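The misconfiguration hawguy describes (a root filesystem exported to every host, with client root not squashed) is something an administrator can catch from the exports file itself. The following is an added example, not code from the thread or from any NFS project: a small audit of exports(5) entries run over a constructed sample file, flagging exports of `/`, `no_root_squash`, and world-accessible entries. It assumes the modern Linux default that an entry without `no_root_squash` squashes root.

```python
import re
from dataclasses import dataclass, field

# Constructed sample /etc/exports for this example; not taken from any real host.
SAMPLE_EXPORTS = """\
# constructed sample
/               *(rw,no_root_squash)
/home           192.168.1.0/24(rw,root_squash)
/srv/pub        *(ro)
/export/data    10.0.0.5(rw,no_root_squash) *(ro)
"""

# exports(5) client entry: host, optional "(opt,opt,...)"; a bare "(opts)" means every host.
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")


@dataclass
class Finding:
    path: str
    host: str
    issues: list = field(default_factory=list)


def parse_exports(text):
    """Yield (path, host, options) for each client entry, ignoring comments/blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            host = m.group(1) or "*"  # no host part means "any client"
            opts = set((m.group(2) or "").split(",")) - {""}
            yield path, host, opts


def audit_exports(text):
    """Return one Finding per risky export entry; entries with no issues are omitted."""
    findings = []
    for path, host, opts in parse_exports(text):
        issues = []
        world = host == "*"
        if path == "/":
            issues.append("root filesystem exported")
        if "no_root_squash" in opts:  # root_squash is the default, so only the override is flagged
            issues.append("root not squashed: client root becomes server root")
        if world and "rw" in opts:
            issues.append("world-writable export")
        elif world:
            issues.append("world-readable export")
        if issues:
            findings.append(Finding(path, host, issues))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.host}: {'; '.join(f.issues)}")
```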

  • by fenris60 ( 925596 ) on Friday October 14, 2011 @08:25PM (#37720478)
    In a previous life I worked for an Australian law firm in their financial services division (not Maged's firm thank god). From Maged's profile you can clearly see he is an expert in superannuation law http://www.minterellison.com/People/maged_girgis/ [minterellison.com]. I can say, with 99% certainty, that he has no practical experience in how section 308H of the Crimes Act and section 478.1 of the Criminal Code Act work. I don't claim to either. But the modus operandi of these law firms is that when a big client comes in with a weird request they get a junior lawyer (or crack team of junior lawyers if the billing is low for that month) who doesn't know much about anything to do some "research" and draft a threatening letter based on a few hours of reading some textbooks and legal databases.

    It is possible that the fund does have a right to recover "costs incurred" under pure contract law, although you would have to read the terms and conditions of whatever product Mr Jarrett has with the fund very carefully. But I would think they should be more worried with Mr Jarrett reporting them to the Australian Privacy Commissioner for breach of the privacy principles in relation to the fund's obligations to keep personal information secure. I also wouldn't rule out a breach of standards set by APRA (Australia's banking regulator).

    Another funny thing to note is that at the rates which Minter Ellison charges, the cost of getting Maged's junior lawyer to write that letter is likely to be far more than the cost of any actions the trustee of the Fund actually needed to take to deal with the problem!

    I could go on, but I'm worried they might track me down and start sending me random threats and try to access my computer.
