Hacker News new | ask | show | jobs
Ask HN: How should I disclose a vulnerability in a site I worked on?
2 points by cowward 4672 days ago
I worked on a website just under 2 years ago. I recently discovered an SQL injection vulnerability which could easily allow any semi competent attacker full access to the database which contains personal details. It's an easy fix, I must have forgotten to escape some inputs. The problem is, I no longer have access to the server and the organisation has heavily restructured with my primary contact having left.

My questions are:

-Under UK law, can I be prosecuted if the site is compromised?

-Are the organisation likely to take action against me if I report the vulnerability?

-Would it be a good idea to disclose the vulnerability anonymously?

Thanks.
1 comments
eksith 4672 days ago
I'm not too familiar with UK law, however, the ethical thing to do would be to reveal the vulnerability.

It would be helpful to know how you managed to come across the vulnerability. Did you scan your own code and see the oversight? If so, then you don't (hopefully) have anything to worry about in reporting. However if you probed the website, then that's a different matter entirely.

It may just come down to how you word the disclosure. If you can somehow go back to your original work and submit the code directly, then you've independently verified the vulnerability without having to display it on the site itself. Something along the lines of "I was going over some of my old code and came across this. If the same code is active on the site, I believe this could be a live vulnerability." Or something like that.

link
cowward 4672 days ago
I actually awoke one night about a week ago, fretting about SQL injections in the site. Upon checking my code my fears were confirmed. I did test the exploit on the live site but didn't actually access the database, just confirmed that it worked.

Have you ever heard of an organisation taking action against a former developer for reporting something like that? If I had a builder build me a house, and he came round a year later to tell me that my walls weren't strong and anyone could just break them down I would be pretty upset.

link
eksith 4672 days ago
Not directly, no. But anecdotally, and on rare occasion, I've heard of legal teams jumping to conclusions etc... and really coming down hard on people who disclose to former employers.

At this point, the option with the fewest risks to your name, if you chose to use it in the disclosure, would be to exclude any mention of the live site completely. Make it appear so that this is only something that you came across on the code and, with your best linguistic poker-face, strictly keep to the code alone without even marginally grazing the live site.

Besides that, you should try and relax a bit. I know, it's easy for me to say, but that will help you come up with the right words. You also have to keep in mind that even though it's a pretty serious bug, it's still A bug. This will far from destroy the company if fixed immediately, as you say, it's a pretty simple fix. You shouldn't imagine the worst case scenario.

link