The Ethics of Probing Web Applications II

Recently, I blogged about the ethical ramifications of security professionals hacking websites. They probe the sites, discover vulnerabilities, notify the companies, then blog about their exploits. I haven’t decided yet whether or not I consider this an ethical practice and something security pros should be doing. On one hand, companies should be protecting their customers’ information. And if the site is public, they should have an expectation that it will be poked and prodded. On the other hand, security pros have an ethical responsibility to only test the security of sites they are authorized to test. It’s clear that they aren’t obtaining authorization for these tests. And that may very well be illegal, to boot.

Today, I ran across this guy (I don’t know his name) who reveals some security problems in Sears’ website. It’s a problem worth discussing. He makes legitimate points on the security of gift cards. It’s something that people really should be aware of.

But does that justify his actions? I’m still on the fence about this one. It sounds like we need a framework to deal with this problem. We need to stay professional and on the right side of the law, while at the same time exposing poor security.

What do you think? I’d be interested in hearing your perspective.

Posted in Ethics, Vulnerabilities
2 comments on “The Ethics of Probing Web Applications II”
  1. Alex says:

    I’m “that guy”.

    I do not believe it is an ethical dilemma at all. Ethics implies that something immoral has been done or action taken with a decidedly malicious intent. If the intent is not malicious I do not believe it requires any examination of ethical principles when you set out to test a site. Of course I cannot argue the illegality of it… but why would it suggest immorality or a lack of ethics?

    The question of ethics comes from the disclosure policy you follow. Do you give the site owner enough time to solve the issue and enough information to do so before making any public disclosure of the flaw? I would never disclose something without having the site owner first institute the fix unless I truly believed the disclosure was in the general public’s interest.

    What about the ethics of doing nothing? What if the flaw located significantly compromised public or government services and you, as the researcher, had received no response from the site maintainer? Witness the case of Phillip Clarke last week who discovered holes in the NHS.uk website that permitted email forgeries from the UK National Health Service… should he have kept quiet even after weeks of trying to get them to fix it? Doesn’t he have an ethical responsibility to report the website flaw even if the site owner has not been able to fix it after repeated contact attempts? I would say he does have a duty to report it. And I would say the same about a large public company that does not secure their financial transactions. Doesn’t the public (stockholders and consumers who use the site) deserve to know when their money or credit is being mis-handled by online retailers?

    • mstarks says:

      Hello, Alex. Thanks for your comments and for stopping by.

      To me, the ethical problem is that someone testing the security of a public web application without authorization may be doing something that violates professional standards of conduct. It’s well accepted that one should only test the security of their own networks, or others with proper authorization.

      That being said, more and more applications are moving on-line. Whereas once you would have been able to download an application and test it in pretty much any way you want, now you are accessing a remote computer system. I don’t see how performing SQL injection, brute-forcing card numbers or attempting cross-site scripting is any different than brute-forcing an SSH login. You’re testing the security in both scenarios and in some cases getting restricted data that you otherwise would not have been able to retrieve.

      The problem, of course, is that the bad guys, those who won’t tell the vendor about the vulnerabilities, are going to do this anyway. Is it ethical to test the security of a public site and then disclose the vulnerabilities responsibly when the public interest would be served? Is it ethical if it ultimately improves security, even if it is unauthorized? Does it make a difference if it is a public site or a private site? I don’t think there’s one, clear answer to these questions.

      What I do know is that it’s an issue that needs more discussion. If the practice is legitimate at all, then it needs a framework for conduct. As they say, the road to hell was paved with good intentions.
