What happens if you openly report vulnerabilities on government sites
About a month ago, a sixteen-year-old Australian student, Joshua Rogers, decided to test the security of the Melbourne Public Transport Victoria (PTV) site, PTV.vic.gov.au. It is not clear exactly what tool he used (one view is that it was simply a vulnerability scanner downloaded from the internet and pointed at a specific URL), but the episode caused him and his parents a great deal of worry.
The site's database really did contain sensitive information: full user names, postal addresses, email addresses, nine digits of the credit card numbers from the site's recently closed online store, and the city's transport projects — about 600,000 records in total. It appears that user input reaching the database queries was not filtered in any way, which is how Joshua found the SQL injections; he was the first to write to the site's administrators about them, warning of the potential consequences.
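The flaw the article describes, input passed straight into a database query, is illustrated below with an added example that is not from the article or from PTV: a lookup that concatenates user input into SQL next to the parameterized version that fixes it. The table layout, the column names and the sample rows are constructed for this demonstration, and the in-memory SQLite database stands in for whatever the real site used.

```python
import sqlite3

# Constructed sample rows standing in for the kind of user table the article describes.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "10 Example St"),
    ("bob", "bob@example.invalid", "22 Sample Rd"),
]


def make_db():
    """Build an in-memory SQLite database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, address TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unfiltered(conn, name):
    """Vulnerable pattern: the caller-supplied name is spliced into the SQL text.

    Any quote character in `name` changes the structure of the statement,
    so the WHERE clause no longer means what the developer intended.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the value travels as a bound parameter, never as SQL.

    The database driver keeps data and statement text separate, so the input
    is compared literally against the column and cannot alter the query.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with the same hostile-looking input.

    Returns (rows from the vulnerable lookup, rows from the hardened lookup).
    The vulnerable version leaks every row; the hardened one returns nothing,
    because no user is literally named "x' OR '1'='1".
    """
    conn = make_db()
    probe = "x' OR '1'='1"
    leaked = lookup_unfiltered(conn, probe)
    safe = lookup_parameterized(conn, probe)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked, safe = demo()
    print("unfiltered query returned %d rows, parameterized returned %d" % (leaked, safe))
```

The parameterized form is the fix a reviewer would ask for; it needs no input "filtering" at all, which is the point: escaping or filtering is fragile, whereas bound parameters make the separation between code and data structural.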
As usual, at first nobody paid attention to his email, or even understood what it was about. Joshua turned to the local media, and only then (still without any public disclosure) did PTV management take notice, but the best response they could come up with was to file a police complaint for unauthorized access to their network. Notably, the incident occurred a few weeks after a computer security audit had warned that state-owned sites were not ready for hacker attacks; it counted more than a hundred holes in all.
Local cyber attack specialist Phil Kernik put it roughly like this: yes, Rogers obviously committed a crime by gaining illegal access to the database, but the site, which was unable to protect its data, was no less guilty. As a result, since Joshua never published the information, it will probably end relatively well for him; most importantly, the authorities officially acknowledged that "... if this kid could find [the vulnerability], then, probably, he was not the first."
[ Source ]