5

I accidently discovered a misconfiguration (?) security vulnerability: Workstation managing system is publicly exposed with default credentials. admin/admin

The system contains arround 2k workstations with functionality such as software deployment, wiping, remote device control, etc.

I really would like to inform the company, not sure what is the best way to do that?

Is it okay to use for example hackerone or some similar service? Should I just send the email? If so to whom?

I am not sure if by trying that login combination I did not violated any laws? I found the system by a search engine, when was looking for the product demo.

Edit: I researched some topics about disclosing. Basically all of them recommends to contact the vendor in some polite matter. The thing is that everything seems to be ok from the vendor and product side, the user simply did not comply with security best practices by changing the credentials

Edit: I do not believe this is duplicate of: How to disclose a security vulnerability in an ethical fashion?

I think that for the following reasons: It is not related to a bug of a vendor application affecting multiple customers. It is basically a misconfiguration of a system, which allows exposure of underlying system to the public. Everything is ok with the product they are using. Since it was accidental, possibly there might be a different law regulations prohibittng to even accessing their system, depending on which country the system is hosted in. This is simply a moral question, cause in my personal opinion it feels right to notify the affected company, better than letting it slide

user2917823
  • 53
  • 3
  • You should inform them **who** you are rather than what you found – tungsten Aug 28 '19 at 16:20
  • What you mean by that? I am basically just a system administrator, not related to them in any way, not a security researcher or any like that – user2917823 Aug 28 '19 at 16:22
  • You could say them that you are a system admin and found a weakness in their system, it doesn't really matter what you've found as long as it is a vulnerability that could be exploited by whatever entity, this indeed is possible by a polite email for example. – tungsten Aug 28 '19 at 16:29
  • Also make sure the payload(s) itself are encrypted if you send them – tungsten Aug 28 '19 at 16:31
  • Should I use any sort of fake identity or something like that? Cause what worries me, that I never did anything to that system, but of course there would be some access logs and stuff like that – user2917823 Aug 28 '19 at 16:35
  • 2
    ***Absolutely no.*** You should be honest and alert them about the weakness or let it as is, automatically they can see in their logs if it was your intention to harm that system or not. – tungsten Aug 28 '19 at 16:45
  • 1
    Search on-site for a term like "How to report a vulnerability" – tungsten Aug 28 '19 at 16:48

1 Answers1

0

You should contact the respective CERT (computer emergency response team) for your country and let them know about this issue, they will handle all the rest.

Don't contact them directly, for that could get you into serious legal trouble.

Raimonds Liepiņš
  • 992
  • 5
  • 9