Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
to publish or not??
Posted by: antu0500
Date: March 12, 2009 04:10PM

Some time ago I discovered a serious security hole in eBay and Paypal. The exploit itself highlighted 2 other minor (but problematic) loopholes. I contacted them and got the exploit fixed. It has now been fully patched.

We don’t have any formal agreement except a non-disclosure clause until the hole was fixed. Which is now done.

I want to know if I publish my findings now, without any approval from the respective companies ( which they won't give), will I be in any sort of trouble.


Both the exploits and my personal experience with them highlighted some severe shortfalls on their behalf, security wise. Can they legally challenge me for defamation or something like that?

Again I don’t have any agreement with them, and I can backup all my criticisms with solid proof.

Am completely clueless about these things, any insights?

Options: ReplyQuote
Re: to publish or not??
Posted by: id
Date: March 12, 2009 09:12PM

If you didn't sign any legal agreement with them, and the hole is fixed, I don't see any issue with you disclosing it. HOWEVER, I am not a lawyer and no one should listen to anything I say in legal matters, ever.

-id

Options: ReplyQuote
Re: to publish or not??
Posted by: thrill
Date: March 13, 2009 08:26AM

Quote

I am not a lawyer and no one should listen to anything I say in legal matters, ever.

Then why waste the bandwidth and time of this poor guy?

But I agree with id.. of course you found the flaw 'accidentally' right? Then there's no issue.. it's not like you were trying to hack into them for fortune and fame.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Options: ReplyQuote
Re: to publish or not??
Posted by: antu0500
Date: March 13, 2009 12:28PM

Thanks id and thrill for your inputs.

thrill, the discovery of the flaw was not exactly accidental. I had a few makeshift theories i was testing (long story), but i was extremely lucky to get the rite method at the rite period of time.

I can't say i was hoping for fame and fortune, but i sure expected something to come out of it. But unfortunately the exploit seemed to surreal, and my pr skills so rubbish that no one believed me at that time,

heck i was even chasing ebay for months through every medium available to beg them to believe me that i hacked them. It has taken so long that even the little expectations i had all dried up.

Options: ReplyQuote
Re: to publish or not??
Posted by: thrill
Date: March 13, 2009 01:45PM

Yes, the discovery was accidental.. you made a mistake by pasting something into the address bar and wham, a funny thing happened.. please edit your post to reflect that.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Options: ReplyQuote
Re: to publish or not??
Posted by: rotemb
Date: March 16, 2009 10:25AM

Hey there, I also had the same problem and I really was innocent.. I did a security check to my client and used my personal gmail as the email address..
What happened was that they weren't vulnerable to xss.. but when I got into my gmail account I saw a message from my clients servers.. when I opened it I got a nice alert message LOL :) with my xss..

I disclosed it to them and they fixed it in about 2 days :)
It was a very funny week, I told all my friends, and got a backlink from google itself

Options: ReplyQuote


Sorry, only registered users may post in this forum.