
A few weeks ago I was non-maliciously using a website with server-side calculations when curiosity got the better of me and I decided to mess with some GET request values. I expected the site to give me unrealistic math calculations, but what I didn't expect was to accidentally crash the site for a bit over an hour. At first I thought it was just coincidence, so when it was back up I did it again. This time it went down for over 2 hours.

I felt really bad since I liked the website and didn't intend to cause damage, so I emailed the email address I found from whois, explaining the exploit and my non-malicious intentions. The owner, however, has not emailed me back since, nor has the owner repaired the exploit. This makes me wonder if he received my email at all and if there is another way to contact him.

What should I do? Should I disclose a Denial of Service bug?

Tokamocha
  • For future reference, what you did is illegal in any country I can think of. – Steve Dodier-Lazaro May 12 '15 at 00:09
  • possible duplicate of [Reporting vulnerable sites](http://security.stackexchange.com/questions/807/reporting-vulnerable-sites) – Steve Dodier-Lazaro May 12 '15 at 00:12
  • That question helped a bit but it wasn't specific to DoS. Telling everyone about the DoS exploit will be a disaster for the site, so I'm not sure whether it's better to disclose or not. And as you mentioned, it's illegal, so the owner might get angry enough to get me in trouble if he found out I disclosed it. – Tokamocha May 12 '15 at 00:23
  • I find that for many sites the whois email is not monitored and/or not the person who maintains the site on a regular basis. Is there no other contact information listed on the site itself? – tlng05 May 12 '15 at 00:47
  • @Tokamocha telling anyone about *any* exploit is a disaster. If I can destroy the integrity of a website (and force them to roll a backup) at will, it's also disastrous ;-) – Steve Dodier-Lazaro May 12 '15 at 01:01
  • @user54791 All they have is a "contact us" form which I've already messaged them through and a phone number. I guess my only other option is to find a pay phone and call them about it. If they don't respond in another week, I'll do that before I disclose. – Tokamocha May 12 '15 at 02:14
  • @Tokamocha honestly, if it's a DoS exploit that only works against that website (vs. an exploit in a library that would affect multiple sites) and doesn't threaten users' personal data, I think publicly disclosing it would do more harm than good. – May 12 '15 at 10:50
