Don't report security flaws in Australia!!!!
This is hilarious! And a sobering reminder to organisations who expose business on the Internet.
'First State Super' - an Australian superannuation company who (if they haven't gone bust due to this, shortly will) are/were in control of AU$6 billion - are actually taking to court a guy who highlighted a serious security hole in their website. Basically anyone could gain access to the superannuation details of any of their 770,000 members!!
Not only did the company have a basic security hole (it was as simple as changing the account number in the URL - school kid stuff!), they then tried to prosecute the good citizen who spent hours of his own time trying to get them to listen. If they had quietly thanked the guy and resolved the issue then it would probably have all been OK - but by trying to prosecute him they have probably committed business suicide (unfortunately taking the superannuation funds of members who didn't quickly get out to the same grave).
I have to admit, I am constantly surprised by the poor understanding many Australian companies, and even some Government agencies, have towards Internet security. In my first week in Australia I found a bug in Vodafone's Australian website which meant I was able to view customer details using the browser back-button attack (i.e. anyone accessing their account in an Internet cafe would risk the next user being able to back-button to see their details). I reported it to Vodafone and next time I looked they had fixed it; although not a word of thanks! And on a charity website, donors were being asked to give credit-card details over http rather than ssl (sadly, it even had the green light from online payment company eWay - an Australian company!). No one would listen when I tried pointing out to the charity and to eWay that it was unsafe and open to fraud. Bizarre!
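To make the two holes above concrete, here is an added example (my own sketch, not code from First State Super, Vodafone or Patrick Webster) showing the "change the account number in the URL" pattern beside a handler that checks ownership, the no-store headers that close the back-button exposure, and a log check a defender could run to spot the pattern. The member records, sessions and log format are constructed for the example.

```python
# Added example, not code from the post or the companies it names. It models
# the "change the account number in the URL" hole (an insecure direct object
# reference) beside a fixed handler, plus a log check that flags the pattern.
# All member records, sessions and log lines are constructed sample data.
MEMBERS = {
    "10001": {"name": "A. Citizen", "balance": 52000.00},
    "10002": {"name": "B. Saver", "balance": 118500.50},
}
# session id -> member number that session authenticated as (constructed)
SESSIONS = {"sess-abc": "10001", "sess-def": "10002"}


class Forbidden(Exception):
    """Raised when a request asks for a record the session does not own."""


def statement_vulnerable(session_id: str, member: str) -> dict:
    """Flawed pattern: the server only checks that *someone* is logged in,
    then trusts the member number from the URL (/statement?member=10002)."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return MEMBERS[member]          # returns any member's details

def statement_fixed(session_id: str, member: str) -> dict:
    """Fix: authorise the object against the session's own identity; the
    URL value must match the session owner and is never the source of truth."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise Forbidden("not logged in")
    if member != owner:
        raise Forbidden("member %s does not belong to this session" % member)
    return MEMBERS[owner]

def no_store_headers() -> dict:
    """Response headers that stop the browser caching the statement page,
    closing the shared-computer back-button exposure described above."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache", "Expires": "0"}

def cross_member_requests(log_lines):
    """Detection: flag served (status 200) requests whose URL member number
    differs from the member the session belongs to. Constructed log format:
    'session=<id> member=<number> status=<code>'."""
    hits = []
    for line in log_lines:
        f = dict(part.split("=", 1) for part in line.split())
        owner = SESSIONS.get(f.get("session"))
        if f.get("status") == "200" and owner and f.get("member") != owner:
            hits.append((f["session"], owner, f["member"]))
    return hits
```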
So, full marks to Patrick Webster and RIP to First State Super as they have only themselves to blame...