[Dataloss] Question about exploit exposing SSN & user info (fwd)

security curmudgeon jericho at attrition.org
Mon Aug 6 15:46:03 UTC 2007



---------- Forwarded message ----------
From: hsukowa at yahoo.com
To: bugtraq at securityfocus.com
Date: 6 Aug 2007 02:35:18 -0000
Subject: Question about exploit exposing SSN & user info

My apologies if this question is inappropriate for this email list, but it 
is a last resort and a friend recommended posting this question here.

In the last 36 hours I uncovered an exploit that compromises the private 
information of thousands of individuals - including SSN and address 
information.  I cannot judge whether or not the exploit is easy to find. 
I do know that if found, it would not be difficult to write a simple 
script in php or perl to exploit the hole.

My concern is that the company responsible for this hole (for whom I am 
currently employed) will patch the problem on seeing it occur on Monday (a 
good thing) but do little or nothing to notify any user whose private 
information is on their system (downplaying the likelihood of risk). 
This exploit has very likely existed for years and whether or not a 
company typically keeps logs for years is beyond my knowledge - the 
exploit is however detectable through web log files.  I also lack faith in 
the company's ability to make an objective determination whether or not 
the exploit has been used to download the private information of its 
users.

My question is this - does anyone out there have any experience dealing 
with this type of situation? --- Where a company has silenced an exploit 
without notifying customers who may have been victims of it?  Does anyone 
have any recommendations for a course of action I might take to somehow 
ensure users whose private information may have been compromised are 
notified in the event the company chooses to "sweep it under the rug"?

Again my apologies if my asking this question in the wrong forum has 
offended anyone.

And many thanks to anyone who responds.

