Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
The Book Store Case
Posted by: jungsonn
Date: December 01, 2006 08:22AM

When I buy books, I buy them most of the time online in my favorite bookstore.
The company is very huge in the world; I promised no one to tell who they are. They've got all my personal info, from my name to my account number. So, I hope they protect their site against known XSS vectors, like we discuss here. I thought about testing the website, and I did. I found the first hole in seconds, and yeah, in the search field. So their security is at risk, but moreover MY privacy is at risk now that I know all my data lies up for grabs, so to speak. So I did what I swore never to do again: I contacted them about this. Gave them 5 days to fix the holes or else I would disclose their XSS holes.

3 days later I got an email; the Book Store thanked me very much for reporting these holes. They've contacted IT and they are going to fix it A.S.A.P.
Then I got a discount coupon from them; on my next order I can use it to order something with a very generous discount. :)

I guess it can pay off to be a little more diplomatic and contact them first about this, and see what happens. In any case, it came as a surprise.

Re: The Book Store Case
Posted by: id
Date: December 01, 2006 02:58PM

Haha, cool. Hope you told them about this site too so they can catch any other holes from people that might not be interested in free coupons.. ;)

-id

Re: The Book Store Case
Posted by: jungsonn
Date: December 01, 2006 07:43PM

Haha, yeah, if I give you the link you surely could try, but that XSS hole was so common, I don't think they patch them all on their sites. Maybe I'll disclose it, but after they've fixed the one I found; a promise is a promise. ;)

Oh, BTW I'm gonna order some new books now :)

Re: The Book Store Case
Posted by: Mephisto
Date: December 02, 2006 01:38PM

It's nice to see a company appreciate what you did, rather than threatening legal action as a result of disclosing it to them.

All too often companies take a defensive stance to being informed of these things.

I even had one company tell me, after disclosing a SQL Injection vulnerability, "It's not that big of a concern to us, because our database is backed up every night".

They were obviously oblivious to the true severity of the issue, even after I attempted to inform them of the vast amount of things that could happen as a result of the vulnerability. I was finally sent a "thanks, but please stop bothering us about it" email.

Re: The Book Store Case
Posted by: jungsonn
Date: December 02, 2006 04:06PM

Yes, that's pretty amazing, heh. I wonder what they would have said if you had exported or remotely transferred their DB to yours. :)

But I did buy 2 crypto books I wanted today with the coupon, so I can study further. It really does say something about the company in question; hats off to them.

Re: The Book Store Case
Posted by: Mephisto
Date: December 02, 2006 05:04PM

What crypto books did you get? I was looking into getting "Cryptography Decrypted" (link below), but not sure which crypto books would be considered better than others.

Cryptography Decrypted - http://www.awprofessional.com/bookstore/product.asp?isbn=0201616475&rl=1#info2

Re: The Book Store Case
Posted by: jungsonn
Date: December 02, 2006 05:42PM

1 from Schneier, "Secrets and Lies", is a must-have.
And the new one from Mitnick: "The Art of Intrusion" (not really crypto, actually, though :)

Looks like a nice book on the link you gave; didn't know that one. But mostly I'm sticking to the authors of crypto algos like Ferguson, Schneier, Daemen, Rijmen, etc. when buying such books on that topic.
