Discovered a vulnerability in another website. Make it public?

Paul_Heery · Paul_Heery's Garage

I am in midst of a minor moral quandry. I am sure that some of the folks here can offer their opinions.

A few months back, I discovered a vulnerability with a points-based loyalty system that affects 613 different websites/radio stations that I am aware of. There may be more. I have attempted to do the right thing by notifying and communicating with the owner of the system. But, I guess it is not important to them to run a loyalty system that cannot be compromised.

Now, it is quite possible that you may participate in some of these programs yourself. Some stations refer to their programs with monikers such as "Work Force", "VIP Program", "Loyal Listeners", etc. If so, your ability to win prizes such as free concert tickets may be severly impacted if I am not the only one aware of the flaws. I know it is not a big thing. But, the lack of concern displayed by the Loyalty Company really irks me.

My email communictions regarding this are spelled out below.

Quote:

Originally Posted by from Me to the local radio station

***,

First off, I want to extend a hearty thank you to you and the station for the Elvis Costello tickets. My wife and I had a fantastic time. I can honestly say that it was one of the best concerts I have attended in years.

Now, on to other things. I listen to **** online everyday while I am working in my office. The other day, I noticed that I need to sign-in with my *** credentials on the Flash app to earn points, which I did. Well, you may know that since the station switched loyalty providers there is now a timer that counts down every 15 minutes. Then, you need to click again to earn more points. I was intrigued regarding the coding behind this and decided to take a closer look while eating my lunch today.

Before I go on, let me mention that before lunch I had around 4,000 points. Now, less than 15 minutes later, I have over 100,000 points. I've included a screenshot of part of the *** page to show you. If I wanted to, I am sure I could have my point balance in the millions by now. Don't worry, I have no intention of abusing the system like that.

Needless to say, the coding behind this feature is rudimentary, insecure and is ripe for abuse.

If you need any more information, let me know.

Regards,

Paul

The station's promotion director responded almost immediately with this:

Quote:

Originally Posted by Station Promotions Director

THANKS FOR BRINGING THIS TO MY ATTENTION! I have forwarded your e-mail to our IT department and hope to get more of a handle on this. That's a bit ridiculous. I agree with your last sentence 100%. Thanks again.

Best,
***

One month goes by. During that time, I intentionally added 4 million points to my account while testing a script. The script works great. I can actually add millions of points per hour. Then, I receive this email:

Quote:

Originally Posted by Loyalty Company Douchebag

Paul,

Thanks for bringing the issue regarding the Listen Live feature for **** to our attention. Can you share how you found the programming hole that could allow for listeners to accrue so many points?

Thanks,

***** ******

To which I responded:

Quote:

Originally Posted by from Me

*****,

It was actually very simple. I was surprised to see how easy is was. It took me about three minutes to find the flaw.

I listen to **** online everyday while I am in my office. When **** switched over to using your system, I was a little irritated with the need to click every 15 minutes to earn points via the STW player. But, I was intrigued regarding how the mechanism was setup. My thought process was that the Flash player must have a timed sequence that periodically (15 minutes) opens a connection to another service or server that records the points. I was right about the Flash app, but I was surprised when I found that it was communicating to another server that allows continuing, unauthenticated connections.

Here is how I discovered the flaw. I was eating lunch at my desk one day when I saw that the STW player wanted me to click to earn more points. So, I decided to open up a protocol analyzer on my PC to see what connections were opened and what communication was going on. I found everything I needed to exploit the deficiencies of your system in clear text in one packet. This allowed me to pass a string through the address bar on a browser. If you want to give me 250 points on my account, open this address in your browser.

http://api.********.com/Subscriptions.svc/CreditPoints/********/***/STW/***************/0/0/0

You will see that you can continually refresh that page and add points at will. There is no timeout or limits on retries. If I were so inclined, I am sure that I could put together a simple script could add millions of points every hour.

If you need any information or would like to discuss this, please feel free to give me a call on (***) ***-****.

Paul

It has now been months. The Loyalty Company Douchebag has never responded to me. The flaw still exists. And, because it is a centralized system, the flaw exists for all of the 613 stations that currently subscribe to this loyalty program.

What should I do?
1. Let it go. It is not important enough to worry about.
2. Notify the station managers of all of the subscribing stations.
3. Make the flaw and the steps to compromise it public.
4. PM the compromise to me. I like free tickets.

stomachmonkey · 12-23-2010, 07:44 AM

Hmmm,

I'd read the privacy and EULA for the Loyalty Program.

You may have exposed yourself to a legal issue.

Very common verbiage in them regarding using tech/packet sniffers/scripts to manipulate the system.

I know you are trying to do the right thing but as we've all found out at various times in our lives, no good deed goes unpunished.

Scott

Joe Bob · Joe Bob's Garage

No good deed goes unpunished.....

Paul_Heery · Paul_Heery's Garage

I've carefully read the ToS for the loyalty program. I have not violated any of the terms and conditions. Since I have not attempted to redeem or otherwise use my accumulated points, the best they can do is to terminate my account.

The latest court cases that have dealt with accessing systems through URL-manipulation have all been in favor of the manipulator. The prevailing opinion of the courts has been that the burden falls on the site owner to make sure that their sites are secure and content that should not be available is really secured and NOT AVAILABLE.

Gogar · 12-23-2010, 08:08 AM

Notify the folks you can, maybe find "Loyalty Company Douchebag"'s superior, and then you have to just let it go.

Moses · 12-23-2010, 08:45 AM

Dear neighbor,

I noticed you installed a very primitive security system in your home, so I bypassed it and stole your TV.

Regards,

Moses

cashflyer · 12-23-2010, 09:42 AM

You should report the flaw to Wikileaks.

widebody911 · widebody911's Garage

While you haven't violated the TOS, you've probably violated the DMCA.

Jagshund · 12-23-2010, 11:22 AM

I'm guessing that if it were made public they'd address the issue rather quickly.

onlycafe · 12-25-2010, 05:20 PM

huh?