I've found things like this before, but usually just leave it and don't bother telling them for risk of a knock on the door. Where is the legal line?
Jifuna3809 (3y): I don't know if it's good advice, but when I found a security issue in a website I sent them an anonymous email telling them what the problem was. They thanked me and fixed the problem.
Create a table and tell them by inserting a couple of records explaining the situation.
Just remember to use a VPN, just in case.
joas2043 (3y): Depends on what kind and size of company you are talking about. If you think they have the resources to handle it professionally, I'd suggest reaching out to them.
If you talk to the wrong person, they'll probably just start screaming: HAAAAX!
jeeper5257 (3y): Find out if they have a bug bounty.
They may have something like that, and those are usually safe.
If they don't and you care, create a Tutanota email anonymously and send their support a message about it.
Tell them anonymously so they can't trace it back to you.
SZenC868 (3y): Also have a look into the legal advice and help HackerOne might be able to offer.
Finnim60 (3y): Just a question from a noob:
How would you accomplish user authentication in a secure manner?
Should code never store any credentials?
It's a hard question, because if you actually do something in the tables as suggested above, they might take it the wrong way and report you, because you abused it instead of telling them. And since it's a VB6 program, I really am sure they aren't anything remotely big, but rather run by some small old company, where the owners can only imagine you as a black-hoodied criminal and the email as some sort of threat.
So probably an anonymous email would be the best try (though how would you get an answer from them if you don't actually create a burner account while using Tor/VPN and check it only from there too?) - but it will most likely be ignored, because the original programmer that could fix it moved on or is too expensive for them to hire again for just """"a small security threat"""".
Make a public YouTube video explaining how you did the hack and what you found. Wear a Guy Fawkes mask.
Offer your services as an IT security consultant. You already know the vulnerability, so it will be an easy job telling them that you "found a problem" as well as advising them how to fix it, and profit from your awesome skills.
Brolls3325 (3y): Any public exposure or tampering with the system to make them aware would be wholly illegal.
If their terms of service state that decompilation violates them, then just telling them about it can get you into hot water.
I’d probably just leave it be, chuckle to yourself about the mess they’ve made for themselves and move on.
If you *really* feel like you need to do something, then tell them via an anonymous email, or contact them and hint that you’ve found a security exploit and wish to declare it.
Get confirmation from them (in writing) that they won’t pursue legal action after disclosure though, and for the love of god don’t tell them you logged into the server.