[WEB SECURITY] another good guy is charged
jeremiah at whitehatsec.com
Wed Apr 26 16:19:51 EDT 2006
Eric McCarty uncovered a SQL Injection vulnerability in USC's website,
collected a small amount of data to prove an exposure existed,
and disclosed the issue with the assistance of SecurityFocus. For
his trouble he now faces computer intrusion charges. This story
is similar to that of Daniel Cuthbert's from last year. The big
difference seems to be that Eric actually gained access to sensitive
information, although likely because USC initially didn't understand
the issue until proof was shown.
"USC administrators initially claimed to SecurityFocus that an
analysis of the system and log files indicated that only two database
records could be retrieved using the SQL injection flaw. After
additional records were provided to the administrators, the
university acknowledged that the entire database was threatened by
For all we know Eric was not the first person to find the issue, just
the first to disclose it. Without the disclosure, the data of 280,000
applicants could very well still be at risk. More caution should have
been exercised, though it doesn't change the fact that the risks for
security researchers of public websites, as opposed to software, are
much greater. Finding a new vulnerability in an operating system
does not immediately give a person access to the sensitive data of
thousands. You can safely and legally test on systems you own. Maybe
it's time the (webappsec) industry began discussing "responsible"
disclosure practices with regards to real website hacks, as was done
with RFPolicy.
We all know that the vast majority of websites are vulnerable; it's
just a matter of someone looking. So if the good guys become
unwilling or unable to disclose, and the bad guys certainly aren't
going to, where does that leave us?
Founder and CTO
WhiteHat Security, Inc.
[1] Flawed USC admissions site allowed access to applicant data
[2] Breach case could curtail Web flaw finders
[3] Man charged with accessing USC student data
[4] Tsunami appeal site 'hacker' found guilty
[5] Full Disclosure Policy (RFPolicy) v2.0
The Web Security Mailing List