Nowadays in Mauritius, the local scene seems to be flooded by a lot of vulnerabilities announcements and bug findings that are reported in public.
Most probably those are reported with the idea that in doing so one can ensure the safety of our systems, or systems that we interact with, but this tendency tends to raise some quite interesting questions which specially people who do not have a true formation for the industry do not tend to know of, this thread is mainly to talk a bit about this.
What is a vulnerability of a bug, and what are its potential?
A vulnerability is a flaw in a system that can be used for malicious intent, for example, a vulnerability in a bank might be someone can access other people’s account when logically and legally he doesn’t have access to it, but nevertheless with the help of a bug in the system is able to do so. The potential related to this is pretty high, as if this gets in the wrong hand, harm can be done.
What do you mean by harm can be done?
One might argue that the idea that a vulnerability already exists is already detrimental, BUT, there’s an issue, if the vulnerability is known, and is silently fixed as soon as possible AND THEN later reported that there was a vulnerability and it has been fixed, nevertheless, please check your accounts (taking the bank example) and verify that all is in place is a much safer approach.
Analogy: Assume your door at home has an issue with its handle and moving the handle in one certain way can force open your front door, this might allow anyone to access it, this is a flaw in the handle, and hence is a vulnerability to your home, but the risks and danger associated to this faulty handle can be greatly mitigated when you find someone to fix it as SOON as possible, but if instead you start shouting on the streets “Hey my door handle has some issue anyone can get in when am not here”, you may end up having some unwanted visits :).
So what are the normal procedures when a vulnerability is discoverred?
Normally, a true whitehat hacker will proceed as such:
- The whitehat hacker will send a report on the vulnerability he discovered to the concerned person/company/society/organization, usually this part there can be some business done here with some, ‘hey i discovered a flaw in your system, usually i charge this much for flaw discovery, but we can discuss about this’.
- The organization/society/company/person will get back to the whitehat hacker and thanks him for reporting this, if there was some form of financial rewards attached, the whitehat hacker may be rewarded upon showing the vulnerability and its risks. Usually in the package of given the whitehat hacker may also be asked to fix the problem for some minimal fee in the fastest possible way. Again, this can be free, it depends on your discussion.
- When all is fixed and tested, all concerned parties of the system needs to be informed that there was some issue and its potential risks, and each and everyone should validate on their end if all is fine, though this usually is at the discretion of the person/company/society/organization that holds the vulnerable app/website/system.
So the above are the normal procedures, what about posting things online?
All of these are great, but if the party who is responsible for the vulnerable system is not responding over a reasonable amount of time, and the white hat hacker has resorted to all forms of communications that is possible to contact the responsible party, then he usually has two choices:
- He can just ignore it, or just keep this in his library of discovered vulnerabilities as a sort of trophy.
- He posts it online and make everyone in the public aware of it, in the hope that all concerned parties knows about it, this is an absolute last resort, and this will ALSO give people with malicious intentions an idea that something is wrong and they can screw up the system. Hoping that this will force the party related to fix their stuffs.
So what about people who First publish vulnerability/flaws details right on the web for everybody to see?
These people do not actually understand the risk associated with what they are doing, they are naive and or are malicious or are doing it with purely malicious intentions or simple they are MEDIA WHORES!
Why do I say so?
Do you understand the implication that say someone found a flaw/vulnerability in a hospital records system or a bank system, and he posts the vulnerability on the internet for everyone to see, do you believe among all the humans are live side by side to you there is no one who will want to use that vulnerability to have a quick peek at those information?
Do you believe that there won’t be people who will do it with malicious intentions?
If you replied the last two questions with a No, then my friend you are very naive, people will steal your information and will know your bank details in such cases and sincerely, I can’t help you with that.
This is where ethics comes into play, for a computer scientist and or hacker, this is where the border line of white hat and blackhat hacker comes in. You are taught ethics since the early beginnings in this field, you need to learn to respect code of conducts and ethics related to the field, otherwise, Posting a vulnerability for everyone to see without giving the authorities/persons concerned ample time to fix it is simply condemning them to be victims of random attacks from random readers of such vulnerabilities. Which is why this is my suggestion to a lot of those wannabe hackers who really do not seem to know anything about everything and just posts the latest thing they found accidentally or via some minimal lookup to please, send it all via the official channel first, give the victim enough time to patch their systems, then do your announcement if needs be.
However simplistic your finds are, it could have not been seen by someone who could do a lot more damage if he saw that, so please do not post a banner saying “please come and steal this guy, his front door is broken”
That is where also the difference between a “boy” and a working professional ‘hacker’ is drawn.