For example, when I was investigating the vulnerability in Nissan's LEAF a couple of years ago, once I found one other vehicle via an exposed VIN then that was it. The key takeaway here is that in terms of vulnerabilities, once you "plus 1" in a URL and pull someone else's record, that's it - you're done. I've embedded a video of that below deep-linked precisely to the point where I talk about the ethics of probing away at direct object reference vulnerabilities and it's worth watching just a few minutes here: Last year I did a talk at the local AusCERT conference titled The Responsibility of Disclosure: Playing nice and staying out of prison. That's something I vehemently disagree with. However, much of the defence I've seen for the guy's actions centred on the premise that if there's no protection on the data (as was the case with Patrick and weev), then it's free game. These cases are very different in intent and assuming we can take the news reports at face value, the charges against him are totally out of line. Now, at this stage you may well say "Yeah, but Patrick and weev knew they were exploiting a security weakness whilst the young Canadian guy simply thought he was accessing material that was intended to be public", to which I would wholeheartedly agree. He was subsequently charged and found guilty of identity fraud and conspiracy to access a computer without authorisation. The previous year, Andrew Auernheimer (AKA "weev") found he could enumerate IDs in AT&T's iPad enrolment API such that he managed to obtain 114k records of other subscribers. The cops subsequently turned up on his doorstep and took his computer things away. In 2011, Patrick Webster identified a weakness in First State Superannuation's web portal which allowed him to access 770k financial records belonging to other customers. Seeing legal action appear as a result of enumerating through URLs is not unprecedented. In fact, it was up there in the OWASP Top 10 until last year (when it was merged into "broken access control") and it's referred to as an insecure direct object reference. He manipulated the URL such that it exposed resources beyond the ones he organically found by browsing the site and that is exploiting a known vulnerability. The counterargument is that this was not simply a case of the guy following links and landing somewhere the site operator didn't intend people to find, this was parameter tampering. Intended or not - that's on the publisher.- Viesturs Kavacs April 18, 2018 If something can be publicly accessed, then it IS public. There was a lot of support for this position: His "crime" was simply to use the technology as it was designed to work. Whether it was intended to be public or not does not change the fact that it was published to a location which exposed it to the world without any requirement for authorisation whatsoever. The crossroads I referred to in that tweet reflects the fact that many of us working in this space are often faced with a decision we've identified that data is accessible in this fashion (we've discovered a URL parameter can be modified to pull another resource), do we proceed with accessing more data or stop there? Everyone will agree with everything I've written so far, let's start getting into the more contentious side of things and we'll start with the view in defence of the young bloke: There are plenty of crossroads many of us face where similar mistakes can easily be made. Allegedly, he didn't realise the data wasn't meant to be public and as I later put it, this was his mistake:Īt face value, this sounds like a pretty innocent mistake. So the crux of the matter seems to be that the guy pulled down a bunch of files by enumerating through file names without realising that the publisher of said files had not intended for them to be public. Oh, and here's how the teen did it: /FQ2qXJoP89- Brett Ruskin April 13, 2018 VIDEO: Nova Scotia's government is accusing a 19-year-old of breaching their government website's security ~ Privacy experts disagree. Let's start with this video as it pretty succinctly explains the issue in consumer-friendly terms: It all had to do with a 19-year-old bloke in Canada downloading some publicly accessible documents which, as it later turned out, shouldn't have been publicly accessible. I saw a story pop up this week which made a bunch of headlines and upon sharing it, also sparked some vigorous debate.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |