3 years ago I did a security audit for a large ecommerce website. When the audit was performed I found several severe security issues that allow access to data that should not be accessible after a transaction is completed. On this site there are several major risks. First, you can see orders coming through the system in real time; all transactions are processed manually by this company. If you view a transaction you can see name, address and shipping destination. I see 2 abuse points here: 1 – you can simply edit the ship-to address and have the shipment sent to yourself, and 2 – you can call the user right as the order was placed and do a “phone confirmation” to gain access to the cc info simply with basic social engineering.
You can also, with a little more work, dump the cc info and order id numbers and then simply match up the order id and user info. This is all done by using exposed functions on their site and modifying a couple of values. Yes, I'm being vague for a reason.
The marketing director at this company was warned about these risks 3 years ago and has done nothing to correct them. I don't doubt that if I can find this, others can. This site does 88K transactions per year and has all orders ever processed still in the data and accessible.
So the ethical question… what do I do? My company doesn't care… so I can't get help there. If I contact the marketing guy he will just continue to cover his ass and the asses of their incompetent internal development team (ColdFusion). Do I contact someone higher up? Do I go around my company? Do I just mine the data and sell it to a competitor minus the cc info? What do I do knowing this? It's nagging at me and I can't let it go. This is only one of many sites I know of, but the ease of access and high traffic makes me ponder a lot on this.
From the regular customer's point of view, I think the degree of customer care in this company should go public. They really don't care about any holes that might disclose customers' private data. So, they must really be punished. But revealing the holes will damage not only them, but their customers.
If you were paid for a security audit, you have no ethical right either to publish information about something you found or to use it in any way. Who will trust a security expert who reveals what he has found, even years later? I think there is nothing you can do.