LG/Netflix Rebate Site Exposes User Data With AT&T-Esque Hole [Updated]
from the self-hacking? dept
[Update: hole has been closed by ACB’s IT team]
The Computer Fraud and Abuse Act is so severely flawed that people are extremely hesitant to report security holes in websites, especially after witnessing what happened to Weev (Andrew Auernheimer), who went to jail for exposing a flaw in AT&T’s site that exposed user info when values in the URL were incremented.
The same goes here with this submission from an anonymous Techdirt reader who added this note, along with a link to a post in the Computer Security subreddit.
“I remember a person was recently arrested for finding this same flaw in a website and told (at&t/apple??) about it. He was arrested and jailed if I remember right. This is the type of chilling effects that come when people view techies as hackers and are arrested for pointing out flaws.
The flaw is in:
http://www.acbincentives.com/lgnetflix/claimdetails.asp?txtclaimnum=30345
By changing the number at the end you can harvest personal info.
I won’t report the flaw, I could go to jail.”
Is that overdramatic? Doubtful. People have reported security flaws to companies only to have these entities press charges, file lawsuits or otherwise tell them to shut up. Weev’s only out because the government’s case was brought in the wrong venue. The CFAA, which has been used to punish many helpful people, is still intact and as awful as ever.
As the (also anonymous) redditor points out, he or she has tried to contact the company but has found no avenue to address this security hole which exposes names, addresses and email addresses of customers sending in claims for a free year of Netflix streaming that came bundled with their purchase of an LG Smart TV. Incrementing the digits at the end of the URL brings up other claims, some with images of receipts attached. In addition, anyone can upload support documents to these claims.
Here’s a screenshot of the hole in question:
As the original poster points out, with a little coding, someone could put together a database of addresses that most likely house a brand new LG Smart TV. And this may not just be limited to LG. ACB Incentives is the company behind this promotion, and it handles the same sort of online rebate forms for a variety of companies. These rebate submission sites all branch off acbincentives.com, which could mean it’s just a matter of figuring out how each one handles submitted claims, URL-wise.
Now, I’ve contacted the company to let them know. Amanda Phelps at the Memphis branch says she’s bringing it to the attention of programming. I also let her know that it may affect other rebate pages but that I can’t confirm that. We’ll see how quickly this is closed*, but all in all, the people at ACB seemed to be concerned and helpful, rather than suspcious.
*Very quickly, it appears. See note at top of post.
But the underlying point remains. Many people who discover these flaws aren’t criminals and aren’t looking to expose the data of thousands of unsuspecting users. They’re simply concerned that this is happening and often incredulous that major companies would be this careless with customers’ data. That the kneejerk reaction has often been to shoot the messenger definitely gives those discovering these holes second thoughts as to reporting them, a hesitation that could allow someone with more nefarious aims to exploit the exposed data. The law needs to change, and so does the attitude that anyone discovering a flaw must be some sort of evil hacker — or that the entity must do whatever it takes, even if it means throwing the CFAA at someone, just to prevent a little embarrassment.
Filed Under: cfaa, cybersecurity, promotions, rebates, security, security hole, user data
Companies: acb incentives, lg
Comments on “LG/Netflix Rebate Site Exposes User Data With AT&T-Esque Hole [Updated]”
If electronic flaws were the only thing not getting reported due to fear of getting charged and possibly arrested. It’s not particular to the US. I’ve commented before but if you want to avoid legal issues most people will avoid reporting crimes they witness, help victims of car accidents or even crimes, report electronic flaws, expose corporate corruption, expose public corruption…..
The smart ones are using it to get rich in criminality or corruption. For those that refuse to get dirty you wither keep quiet or report fully anonymously. Or risk having your life destroyed.
Re: Re:
This is really similar to that old saw: “When guns are outlawed only criminals will have guns.”
In the end, these problems will come to be found only by criminals (who will take immediate advantage) because discovery by the law abiding citizen is banned.
The FBI’s using the NSA to track the IP address of the Reddit user so they can allow ACB to abuse the CFAA.
Holy crap, that’s quite a few acronyms.
Re: Re:
While holding an ama.
Strange Journey
I think this was done right. Rather than contact directly, as anonymously as possible you post the exploit and allow a third party to contact the appropriate people. Difficult, I know, but so long as that anonymity holds up, there is no one to charge via the CFAA. Why such a strange journey?
Now if there could be a rule, a messenger test if you will, such as ‘if messenger = true; don’t shoot’ then we could straighten out a whole bunch of things, like parts of the CFAA, whistleblowing, journalism, etc.
This is why I don't report ANYTHING any more
The first problem is communicating. Most sites have their fingers in their ears trying very hard not to listen to anybody. Go ahead, try “security@” a domain of your choice — your bank for example. Good luck.
The second problem is reaching someone who understands what you’re saying and/or gives a damn.
The third problem is that their response is likely to be denial, denial, denial.
The fourth problem is that their next response is likely to be “call the FBI”.
I’ve observed all kinds of problems — some pretty small and inconsequential, some maybe not — but my reaction is never to report them. I just stop doing business with whoever-it-is and quietly move on. I never report them, never exploit them, never do anything but walk away.
Until the CFAA is repealed — not fixed, it’s unfixable — I’m sure I’m not the only one with exactly this attitude. Which means that we’re all much less secure than we could be. Oh well.
What is the difference here? That’s simple. Apple and AT&T are egotistically evil. This company obviously isn’t.
Chilling effect
In December I did a Google search on my apartment building address. One of the first links returned was a database entry in text format, from RentCanada.com. It contained a tenant’s name, Social Insurance Number, birth date, driver’s license, email address and everything else needed for identity theft.
The URL ended in a record ID number, and I have no doubt that simply changing the number would pull up other tenant’s information. I didn’t test that, even though a proper bug or security issue report should include that test. I’ve read accounts of people doing exactly that, only to be arrested when they properly reported the bug.
Having pulled up only the initial record and no more, I felt it safe enough to report the issue. And to later report it to the press if it wasn’t fixed. But I can’t say that I wasn’t nervous. I emailed the company and cc’d the tenant.
Fortunately the company emailed me back within minutes. The information was taken down, though it would still appear in Google’s cache for a while. And so I didn’t contact the press.
Apparently the tenant disagreed, and it made the news anyway.
Details available on request if needed.
Re: Chilling effect
Apparently the tenant disagreed, and it made the news anyway.
So the tenant was worried about their information going public, so they contacted the press about it, ensuring a whole ton of eyes on them and any of their information that might be available.
Brilliant. /s
Morons like that are part of the problem, as if a company knows that they’ll be blamed whether they fix a problem or not, it’s easier to just hush it up and attack those that try and point out the security holes.
Re: Re: Chilling effect
So the tenant was worried about their information going public, so they contacted the press about it, ensuring a whole ton of eyes on them and any of their information that might be available.
That’s another reason why I was hesitant to go to the press.
But on the other hand, who knows how long the information was on-line? I stumbled across it with a search on my address. No doubt the identity theft crowd knows how to search specifically for any SIN#’s or driver’s license numbers inadvertently left online.
One has to assume that the cat was already out of the bag.
(Well. Those whose data was exposed have to assume it. But apparently, other than the one I cc’d, they were never informed.)
Re: Chilling effect
If the tenant brought the press into this on their own, I see no harm in posting here links to the press reports that the tenant caused. Presumably the press was smart enough not to reprint the sensitive confidential information…
Re: Re: Chilling effect
If the tenant brought the press into this on their own, I see no harm in posting here links to the press reports that the tenant caused.
Here you go:
http://winnipeg.ctvnews.ca/woman-finds-her-private-information-from-rental-application-posted-online-1.1599730
Re: Chilling effect
“The information was taken down, though it would still appear in Google’s cache for a while.”
Wait, they’re allowing Google to cache this information as well? That’s a second bug they should be alerted to.
Re: Re: Chilling effect
Well, yes and no.
You can use the robots.txt file on your web site to tell search engine web crawlers which pages and directories should not be publicly accessible. Nothing says that a web crawler has to honor it.
In doing so, you’re telling malicious web crawlers where to find the interesting stuff. That includes directories that they might have no other way of knowing about.
I’d be frankly astounded if there isn’t a search engine or ten out there that doesn’t specialize in or filter for “Disallow” results.
Re: Re: Re: Chilling effect
All true, but I was talking about Google’s crawlers, which absolutely do honor robots.txt.
However, there are other measures to stop crawlers outside of robots.txt that are almost completely effective and don’t rely on the crawler being well-behaved. If a site deals with sensitive information, it should be taking those measures. If it’s not, that’s a serious security flaw.
pkXC