24

Recently started at a new job. Things were going fine, getting along with everyone, everything seems good and running smoothly, a few odd things here and there but for the most part fine.

Then I decided to take a look at our (public facing) website... What's this? Outdated plugins from 2013? Okay, that's an easy fix I guess? All of these are free and the way we're using them wouldn't require a lot of refactoring...

Apparently not. Apparently, we can't even update them ourselves, we have to request that an external company does it (which we pay, by the way, SHITELOADS of money to). A week goes past, and we finally get a response.

No, we won't update it, you'll have to pay for it. Doesn't matter that there's a CVE list a bloody mile long and straight up no input validation in several areas, doesn't matter that tens of thousands of users are at risk, pay us or it stays broken. Boggles the fuckin' mind.

I dug into it a bit more than I probably should have (didn't break no laws though I'm not a complete dumbass, I just work for em) and it turns out it's not just us getting fucked over, it's literally EVERYONE using their service which is the vast majority of people within the industry in my country. It also turns out that the entirety of our region is running off a single bloody IP which if you do a quick search on shodan for, you guessed it, also has a CVE list pop up a fuckin' mile long. Don't get me started on password security (there is none). I hate this, there's fucking nothing I can do and everyone else is just fine sitting on their hands because "nobody would target us because we're not a bank!!", as if it bloody matters and as if peoples names, addresses, phone numbers and assuming someone got into our actual database, which wouldn't be a fuckin' stretch of the imagination let me tell you, far more personal details, that these aren't enticing to anyone.

What would you do in my situation?
What can I even do?
I don't want to piss anyone senior off but honestly, I'm thinkin' they might deserve it. I mean yeah there's nothing we can do but at least make a fuss 'cause they ain't gunna listen to my green ass.

Comments
  • 8
    Write up your findings, put it into an email, and send it to your senior and management, not much more you can do if they won’t take the fight.
  • 1
    @C0D4

    Already done this in parts. Might write up a complete thing with all my "findings" in one and send it to my boss and his boss. I'm 100% sure there's a lot more wrong, I don't have a security background and the "tests" I ran were incredibly basic shite that any 12 year old would notice - speaking from experience. I shudder to think what someone more experienced would find.

    It's just irritating because from what I've seen, people have known about these issues for bloody years and done nothing, and if one of us goes down, well, it looks like we all bloody sink with em. This crap also costs tens of thousands of dollars yearly, so there's that too.
  • 0
    @M1sf3t

    Sadly it'd take years and the industry isn't exactly a growing one that investors would be into.
  • 1
    I would just check if I would take hit in case something goes wrong here. If not, then do nothing. Most likely it will be that third party that would be blamed and you are OK doing nothing (assuming your conscience can take it).

    If you try to bring this issue up it might actually blow up in your face, since you are basically saying or perceived by some as so: "My senior colleagues, possibly management up to CEO are neglecting their responsibilities and are dumb fucks. Please complement me for this finding.".
  • 0
    @arraysstartat1

    Fair point, hadn't really thought of it like this, it just irks me that potentially hundreds of thousands, up to potentially millions if this applies to other regions, of people could have their information leaked and the response is that I can't do anything about it despite the main issue just being out of date, free, software. I guess I'll join their ranks and be a profession and wait for it to blow up, at least I warned em, kind of need my job and don't want this falling back on me.
  • 2
    This is a "CYA" (cover your behind) type scenario.

    Send an unambiguous, firmly worded email to your boss, and your boss' boss if applicable. Share your findings, make it clear that fixing this issue needs to be a priority to stop customer data being stolen, and if you're able, suggest alternatives to stop this sort of thing happening in the future.

    Bcc your personal email address in as well.

    Then see what happens. If they follow up, great, if not, then you've done all you can - and if it ever hits the fan, you've got proof you tried to warn them and they didn't listen.
  • 0
    Send your findings to regulatory authorities from your CEOs email :)
  • 0
    Wow! That's a whole new level of blackmailing your customers...
    Aren't there any competitors your company can switch to?
  • 1
    Report all the exploits you find to the relevant parties. Give them a deadline to fix it. If they don't, publish your findings. They'll fix it once you've embarrassed them publicly.
  • 0
    One question, is this a service wich anyone can buy? Or was it a contract work to do the site?

    If the second one is the case: Normally you pay for service contracts which contain things like updates due to vulnerabilities. If your company does not have such a contract, good luck to get this fixed without to pay...
Add Comment