by nice__two 2046 days ago
As an Austrian myself, I'm not at all surprised at their reaction. To them, their website is "just IT stuff" and they simply don't have a notion that it would involve any security.

To them you'll likely seem like an overzealous geek that shouldn't mess with their business website. I've experienced this before myself and it's not particularly a good position to be in.

Their site has most likely been technically abandoned, i.e. no one capable is in charge anymore.

It'd be best to talk to the owner, show them your "hack" (change it to cats on your phone and let them verify in their browser) and offer them to fix it for free.

That's how one does these things in our small country. ;-)


That's actually what I tried to do. In my mind it would go like "hey, your site has included a script from a domain I own" - "haha, right, that's some legacy stuff, thanks for noticing us" - "no worries".

But obviously that's not what happened:

1. Telling them in person (they didn't understand)

2. Asking for the IT person's phone number (they didn't give it to me)

3. Leaving my phone number and email (they never contacted me)

4. Notifying the Austrian CERT (they never got an answer from the owner)

5. Notifying the press (standard.at posted an article about it, they didn't respond)

6. Writing them on Facebook (oh boy, did they respond :D)

But since my first police raid I don't publish anything before letting my lawyer read it. He said if they do press charges they haven't got a chance, since I have a paper trail of everything I did and didn't harm them or their site in any way.
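The flaw described in this comment is a page still loading a script from a domain the site no longer controls (and which someone else now owns). The following is an added example, not code from the thread or from anyone involved: a small stdlib-only audit that lists every external script a page loads, flags hosts that are not on the site's own allowlist, and also flags allowlisted hosts whose script tag carries no Subresource Integrity hash. The HTML, the hostnames and the integrity value are constructed for the example; the `.test` domains are placeholders, not real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the thread). Three external scripts:
#  - a legacy host the site operator no longer owns (hypothetical name)
#  - a vendor host on the allowlist, pinned with SRI (placeholder hash)
#  - the same vendor host, loaded without an integrity attribute
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.legacy-widget.test/widget.js"></script>
  <script src="https://cdn.trusted-vendor.test/lib.js"
          integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script src="//cdn.trusted-vendor.test/analytics.js"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attribute dicts of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attributes = dict(attrs)
            if attributes.get("src"):
                self.scripts.append(attributes)


def audit_scripts(html, site_host, allowed_hosts):
    """Return (src, reason) findings for external scripts on the page.

    site_host:     the page's own hostname (same-origin scripts are skipped)
    allowed_hosts: third-party hosts the operator knowingly depends on
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attributes in parser.scripts:
        src = attributes["src"]
        # Protocol-relative "//host/x.js" parses to netloc "host" as well.
        host = urlparse(src).netloc.lower()
        if not host or host == site_host.lower():
            continue  # first-party script, nothing to flag here
        if host not in allowed_hosts:
            findings.append((src, "external script host not on allowlist"))
        elif not attributes.get("integrity"):
            findings.append((src, "allowlisted host but no SRI integrity attribute"))
    return findings


if __name__ == "__main__":
    for src, reason in audit_scripts(
        SAMPLE_HTML, "www.example-shop.test", {"cdn.trusted-vendor.test"}
    ):
        print(f"{reason}: {src}")
```

Run against a real page, the allowlist is the operator's own record of which third parties the site is supposed to load from; anything outside it is exactly the "legacy stuff" the comment describes and should be removed or re-pointed, and anything inside it without an integrity hash would still execute whatever the host serves tomorrow.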

The way I see it is, say, you own a house. And you're having someone telling you that it is not properly secured.

If I come up to you, the owner, and kindly warn you that your doors can easily be unlocked, your reaction would probably be a big thank you. But, I also understand that you are free to answer me to get the hell out of your lawn, because it's none of my business.

Sure, I am doing it for your safety, for the safety of your kids, your wife, and your valuables. I have no ulterior motives.

But, you have the right to not want to listen to all the ways an intruder can come to your house and steal all your stuff. You should have the right to find that information useless, and I don't have any say in that.

Now, warning all the town that your house is not secure enough, to try to provoke an answer from you? What do you think about that? Really curious.

Well, in my article I never mentioned their name and pixelated the screenshots. The local paper did the same; it was more of a story of "if an IT security person tells you you have a problem, you should listen".

In the end it turned out that they didn't "not want to listen"; the information just never got to the right person (internally). I talked quite a bit with the owner (after understanding everything he even thanked me), and he said he never got a contact from CERT, but I asked them and they said they wrote them twice.

But why do you care that much about a security flaw in some random site?

Warn them once and if they get hacked it's their problem. What's the proverb? You can lead a horse to water but you can't make it drink.

Dunno if it should be fixed for free by the person who found it, but I also get your point.