Hacker News new | ask | show | jobs
by lebowen 3246 days ago
A few years ago I also found a serious bug in a debt collection agencies web software. I ordered a phone and neglected to pay import tax and was chased by the agency. I found their website and saw that they developed their management software in-house and made it available for purchase for other agencies.

They offered a demo which I used to navigate around, in the demo was a reporting tool which essentially allowed you to send raw SQL queries to an AJAX endpoint. Something along the lines of:

http://demosoftware.com/reports/ajax.php?sql=SELECT * FROM debts

I switched out the demo software domain name for the live version and it worked, not only could I query the database there was no authentication preventing me hitting this end point.

At this point I was left with a dilemma, do I "erase" my debt, do I disclose the bug and pay the debt, or simply pay the debt and move on. I chose to pay the debt and move on due to fear of any recriminations. However it has left me uneasy ever since knowing that this company have such bad security and any debtors they are chasing for payments potentially will have all of their personal data leaked.
4 comments
Rjevski 3246 days ago
You don't erase just your debt, you open up Tor browser and drop the entire database. That'll teach them for next time.
link
kogepathic 3246 days ago
> you open up Tor browser and drop the entire database

Apart from being a federal crime (CFAA), it would be rather obvious by the logs that a user was testing SQL injection on the demo system minutes before the production system was vandalised.

A better option would be to pay the debt, and then let them know you found a potential issue on their demo system. Let them connect the dots between demo system and production system. If they can't make the logical leap, then they deserve whatever someone else does.

link
Rjevski 3246 days ago
Well obviously if you do that you wouldn't be testing the SQL injection for your main connection to begin with.

I'm not arguing against paying the debt - I would pay it in either case. However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

link
tertius 3246 days ago
> However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

I understand the feeling here, but no, they don't deserve to get their assets destroyed because of a lack of care.`

link
Rjevski 3245 days ago
Why not? Destroying the company means they won't be there anymore to put everyone's PII at risk.
link
tertius 3245 days ago
Because private property is a cornerstone of a free society?

You can't just destroy someone else's property because you have some personal anarchist notion of justice.

If they are really being negligent then they should face the proper penalties.

link
koolba 3246 days ago
Better to pay your debt, wait till your PII has been removed, then issue a public disclosure of the bug.

Public disclosure because everybody should know about something like this that may impact them. Not because some random vigilante will see it and drop their DB for which they probably have no backups.

link
loceng 3246 days ago
Make a backup for them first too, just in case they don't have one..
link
rbanffy 3246 days ago
This is very evil...
link
taurath 3246 days ago
In most of my D&D games it might be considered chaotic good depending on the debt collector.
link
snakeanus 3246 days ago
Such companies are usually extremely shady and unethical, I would not consider it evil at all to delete all of their recorded debts via tor or something.
link
otterley 3246 days ago
Would you gladly go to prison for it?
link
nsaslideface 3246 days ago
An interesting moral query: how much debt erased is worth a prison sentence of X years?
link
snakeanus 3246 days ago
No, which is why I mentioned tor.
link
andai 3246 days ago
In case anyone feels like doing something like that, this talk is worth a listen:

https://www.youtube.com/watch?v=eQ2OZKitRwc

A talk on how Tor users got caught. In a nutshell: it wasn't Tor's fault, but bad OPSEC on the part of the users.

link
logfromblammo 3246 days ago
Also, it is worth considering that debt collection agencies are very good at finding people, and very bad at upholding ethical standards. Going to prison is not the worst case scenario.
link
esrauch 3245 days ago
Is it actually profitable to do that sort of unethical activity though? These aren't exactly loan sharks right?
link
otterley 3246 days ago
If you think you can't get caught because you use Tor, I know of a few people who can testify otherwise. See, e.g., Ross Ulbricht and Christopher Grief, to name a few.
link
ralfd 3246 days ago
Go to the public library and use a pc there? Or a free wifi in a mall?
link
amclennon 3245 days ago
See the previous point about Ross Ulbricht (arrested in a public library)
link
robtaylor 3246 days ago
This is where anonymous notification / bug reports are useful, and then follow ups in public if no action after a period of time.
link
lightedman 3246 days ago
I personally would have said to them "Would you like a fair trade? I've discovered a huge problem in your software that could allow anyone to remotely wipe their debt without you really knowing about it. I'll give that information in exchange for elimination of my debt. The money you'd lose from me is utterly dwarfed by the money you'd save by locking down this security issue, an issue which many bad actors would pay millions for. It makes financial sense and you'd be covering yourself security-wise. Win-win for all involved!"
link
enriquto 3246 days ago
Sounds like you are threatening them. The idea is OK but the language should be much more subtle to be effective.
link