[WEB SECURITY] another good guy is charged

Jeremiah Grossman jeremiah at whitehatsec.com
Wed Apr 26 16:19:51 EDT 2006


Eric McCarty uncovered a SQL Injection vulnerability in USC's website  
[1], collected a small amount of data to prove an exposure existed,  
and disclosed the issue with the assistance of SecurityFocus [2]. For  
his trouble he now faces computer intrusion charges [3]. This story  
is similar to that of Daniel Cuthbert's from last year [4]. The big  
difference seems to be that Eric actually gained access to sensitive  
information, although likely because USC initially didn't understand  
the issue until proof was shown.

"USC administrators initially claimed to SecurityFocus that an  
analysis of the system and log files indicated that only two database  
records could be retrieved using the SQL injection flaw. After  
additional records were provided to the administrators, the  
university acknowledged that the entire database was threatened by  
the flaw."

For all we know Eric was not the first person to find the issue, just  
the first to disclose it. Without the disclosure, the data of 280,000  
applicants could very well still be at risk. More caution should have  
been exercised. Though it doesn't change the fact that the risks for  
security researchers of public websites, as opposed to software, are  
much greater.  Finding a new vulnerability in an operating system  
does not immediately give a person access to the sensitive data of  
thousands. You can safely and legally test on systems you own. Maybe  
it's time the (webappsec) industry begin discussing "responsible"  
disclosure practices with regards to real website hacks as was done  
with RFPolicy [5].

We all know that the vast majority of websites are vulnerable, it's  
just a matter of someone looking. So if the good-guys become  
unwilling or unable to disclose, and the bad-guys certainly aren't  
going to, where does that leave us?


Regards,

Jeremiah Grossman
Founder and CTO
WhiteHat Security, Inc.



-----

[1] Flawed USC admissions site allowed access to applicant data
http://www.securityfocus.com/news/11239

[2] Breach case could curtail Web flaw finders
http://www.securityfocus.com/news/11389/1

[3] Man charged with accessing USC student data
http://www.securityfocus.com/brief/191

[4] Tsunami appeal site 'hacker' found guilty
http://news.zdnet.co.uk/0,39020330,39226548,00.htm

[5] Full Disclosure Policy (RFPolicy) v2.0
http://www.wiretrip.net/rfp/policy.html

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
