What should I do when I find a bug in someone else's IP?
Good afternoon,
I registered on the website of some foreign government organization. I tried to recover the password, and the password arrived in an email in clear text. That is, the password is stored in the database in unencrypted form. This is an obvious gap in terms of information security!
What should I do next? Write to this organization asking them to change the way the data is stored? Is it really such a terrible mess?
> That is, the password is stored in the database in unencrypted form
Nobody prevented the server from decrypting the password from md5. So it is impossible to say how they are stored there.
You don't know how it is stored in the database until you see the database; maybe it's encrypted there: they fetched it, decrypted it and sent it to you in a letter)) But the fact that they send it in clear form in a letter and don't give a recovery link is, of course, a little bit unsafe.
Option 1:
Write a letter. Most likely they will ignore, if they do not ignore, then they will not answer. If they do, they won't fix it.
Option 2:
Accept the imperfection of the world.
Alas, millions and millions of services send an email with the password in clear text (although this, in itself, is much less secure than storing it in the database in clear text).
Some even come with the answer to a security question.
Why? The answer is simple: everyone, to put it mildly, is not particularly excited about this fact.
Option 3:
Exploit this vulnerability, obtain data not intended for you, contact the Security Council and explain.
There is a high probability of getting into trouble.
I also note that in most cases, storing the password in clear text is not the most serious vulnerability.
Write a script that exploits this vulnerability. Dump a large database of login-password pairs plus metadata. Then the option is either to use it illegally and probably be punished, or to provide it to the Security Council, preferably to higher posts, or to go directly to leadership positions.
If you manage to exploit the vulnerability (which I strongly doubt) and the organization is not stupid, you will make the information security world a little better and (or) earn money, but that is not guaranteed.
It's not exactly a bug. Sending a password in clear text is not good, of course, but not fatal.
Encrypted data is stored in the database itself, not by a complicated method, but still, and before using it, I just decrypt it)
Although I don’t have passwords at all :D
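The thread keeps circling around one point: if the server can e-mail you your password, it must hold something it can turn back into that password, whereas a hashed store can only ever answer "does this candidate match?" and recovery has to go through a one-time link. The following is an added example written for this page, not code from the site in question or from any of the answerers: a plaintext store with "recovery" beside a salted PBKDF2 store with a hashed, expiring, single-use reset token. The in-memory dicts, user names and the 900-second TTL are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # OWASP's current PBKDF2-HMAC-SHA256 recommendation

# --- What the asker observed: the server can hand the password back -------
PLAINTEXT_USERS: dict = {}  # constructed in-memory "database": user -> password

def weak_register(user: str, password: str) -> None:
    PLAINTEXT_USERS[user] = password

def weak_recover(user: str) -> str:
    # Whatever the e-mail contains, the server must hold the recoverable secret.
    return PLAINTEXT_USERS[user]

# --- Hardened design: salted hash plus a one-time reset token -------------
USERS: dict = {}          # user -> {"salt": bytes, "digest": bytes}
RESET_TOKENS: dict = {}   # sha256(token) -> {"user": str, "expires": float}

def hash_password(password: str) -> dict:
    """Store only a random salt and a slow digest; the password is unrecoverable."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, candidate: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(cand, record["digest"])  # constant-time compare

def register(user: str, password: str) -> None:
    USERS[user] = hash_password(password)

def request_reset(user: str, now: float, ttl: int = 900) -> str:
    """Return the token that goes into the e-mail link; only its hash is stored,
    so a leaked RESET_TOKENS table does not let anyone finish a reset."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": user, "expires": now + ttl}
    return token

def redeem_reset(token: str, new_password: str, now: float) -> bool:
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # single use: gone even if it turns out invalid
    if entry is None or now > entry["expires"]:
        return False
    USERS[entry["user"]] = hash_password(new_password)  # fresh salt on every change
    return True
```

`now` is passed in explicitly so the expiry logic can be exercised without sleeping; in a real service it would be the current time.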