Where’s responsible security reporting?

While I totally agree that once a company fails to respond to a security problem reported privately the problem should be reported publically, it’s horrible when that report greatly compounds the problem. That hapenned recently with ThinkTank‘s disclosure of PayMaxx‘s major security problem.

PayMaxx developers unfortunately did a stupid thing–they didn’t check that a person viewing a W-2 or other payroll related record is accessing the record they are allowed to; they only check if the user is logged in. That certainly is a major problem and unfortunately is too common (I’ve found this problem myself in e-commerce sites I used and reported it to the site owners–who both fixed the problem within 24 hours in the instances where I found it).

The ThinkTank report went much further than disclosing the nature of the problem and reported specific login information for a test account which allowed anyone to log-in and exploit the problem. Before this, only customers could exploit the problem. After ThinkTank’s disclosure, anyone can exploit the problem. They made the problem significantly worse.

Shame on you ThinkTank. If you agree, tell them.

This entry was posted in Uncategorized by Sam. Bookmark the permalink.

2 thoughts on “Where’s responsible security reporting?

  1. Hello my family member! I want to say that this aarticle is amazing, nice written and include
    almost all significant infos. I would like to peer mor posts like tis .

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>