56

Decompiled a .exe from a program that was written in Visual Basic 6.

Got a public server IP, username and Password that was hardcoded in the program.

Found out it was a SQL Server. I've now got full access to the server.

I want to tell the company about this, but I'm afraid I might get sued. Any advice?

Comments
  • 3
    I've found things like this before, but usually just leave it and don't bother telling them for risk of a knock on the door. Where is the legal line?
  • 5
    I dont know if its a good advice but when I found a security issue in a website I sent them a anoymonous email telling what the problem was. They thanked me and fixed the problem.
  • 10
    Create a table and tell them by inserting a couple of records explaining the situation.
    Just remember to use a VPN for in case.
  • 20
    Depends on what kind and size of company you are talking about. If you think they have resources to handle it professionally. I'd suggest you reaching out to them.
    If you talk to a wrong person, they might probably start just screaming: HAAAAX!
  • 2
    Find out if they have a bug bounty.

    They may have something like that and those are usually safe.

    If they don’t and you care create a tutanota email anonymously and sent their support s message about it
  • 2
    Tell them anonymously so they can't trace it back to you.
  • 0
    Also have a look into the legal advice and help hacker one might be able to offer
  • 2
    Just a question from a noob:
    How would you accomplish user authentication in a secure manner?
    Tokens?
    Should code never store any credentials?
    Thank you!
  • 1
    It's a hard question, because if you actually do something in the tables as suggested above, they might get it the wrong way and report you, because you abused it, instead of telling them - and since its a vb6 program, I really am sure they arent anything remotely big, but rather run by some small old company, where the owners only can imagine you as a black hoodied criminal and the email some sort of threat.

    So probably an anonymous email would be the best try (though, how would you get an answer from them, if you dont actually create a burner account while using tor/vpn and check it from there only too) - but will most likely be ignored, because the original programmer, that could fix it, moved on or is too expensive for them to hire again for just """"a small security threat"""".
  • 4
    Make a public YouTube video explaining how you did the hack and what you found. Wear a Guy Fawkes mask.
  • 6
    Offer your services as an IT security consultant. You already know the vulnerability, so it will be an easy job telling them that you "found a problem" as well as advising them how to fix it and proffit from your awesome skills.
  • 2
    Any public exposure or tampering with the system to make them aware would be wholly illegal.

    If their terms of service state decompilation violates that then just telling them about it can get you into hot water.

    I’d probably just leave it be, chuckle to yourself about the mess they’ve made for themselves and move on.

    If you *really* feel like you need to do something, then tell them via an anonymous email, or contact them and hint that you’ve found a security exploit and wish to declare it.

    Get confirmation from them (in writing) that they won’t pursue legal action after disclosure though, and for the love of god don’t tell them you logged into the server.
Add Comment