
What happens if you openly report on the vulnerabilities of government sites

About a month ago, sixteen-year-old Australian schoolboy Joshua Rogers got the idea to test the security of ptv.vic.gov.au, the website of Public Transport Victoria (PTV), Melbourne's public transport authority. It is not entirely clear what tool he used (one opinion is that it was simply a vulnerability scanner downloaded from the internet and pointed at a specific URL), but it gave him and his parents serious cause for worry.

The site's database did contain critical information: users' full names, postal addresses, email addresses and 9 digits of credit card numbers from a recently closed store on the site, as well as the city's transportation projects, about 600,000 records in total. It is likely that the database queries were not filtered in any way, so Joshua was the very first to write to the site's management about the SQL injections he had detected, warning of potential problems.

As usual, at first nobody paid attention to his letter, or even understood what it was about. Joshua turned to the local media, and only after that (there was still no public disclosure) did the PTV leadership stir, but it found nothing better to do than go to the police with a complaint about unauthorized access to its network. Interestingly, the incident occurred within a few weeks after a computer security audit warned that government websites were very poorly prepared for hacker attacks: in total, it counted more than a hundred holes.

The local cyber-attack expert Phil Kurnik put it like this: yes, it is obvious that Rogers committed a crime by gaining illegal access to the database, but the site itself, which was unable to protect its data, is equally guilty. Since Joshua did not publicly disclose the information, everything will likely end relatively well, but the main thing is that the authorities officially admitted that "... if this kid could find [vulnerability], then he was not the first."

Source: https://habr.com/ru/post/208604/

