How to handle security issues of someone else's website


For legal advice you need to seek a lawyer. In some countries it is already illegal to do a "test" login with an account that does not belong to you.

What would I do?

If the IT department does not answer and does not fix the issue, you should try to reach other people at the company, especially upper management, public relations, customer relations, and high-level support.

Contact the CERT that is responsible for you or for that company. They have lots of experience in getting attention from the right people. So in this case, the US CERT.

The moderators of the Bugtraq mailing list have been helpful, too.

Other ideas

Paper mail may get you more attention more easily than electronic mail, especially if it is a paper mail with delivery confirmation.

You can try to reach them by phone. This is probably the most efficient way, but be careful that they cannot claim later that you tried to blackmail them.

You can tell them that you will try to reach them via public media on the xxxx-xx-xx (2 weeks from now) as the last resort if you cannot get through to them. But again, make it very clear that you just want a confirmation that your report has been received.

You can reach out for the media right away, perhaps agreeing with them in advance that they will contact that company before publishing the story.

You surely should not abuse the admin account to change any content on their website, including making a blog post.

If you go public yourself, as a blog post on your site or on your user page on that wiki, I'd do that in the form of an open letter: a short introduction saying that all your attempts to reach the company have failed so far, therefore you are publishing this letter in the hope that it will finally be noticed by that company. Perhaps add that you have decided to go public because you feel ethically pressured to warn people whose personal data is at risk. And then the original email. It may be a good idea to redact the details (e.g. the password and the name of the wiki page if it's still in the history).

In this case, I would be tempted to invoke Hanlon's razor: never attribute to malice that which is adequately explained by stupidity. They're probably not evil; they may just have that admin account going to an external web designer, an employee who has left the company, or some other unmonitored email account.

My suggestions would be:

  • Call them on the phone, and try to reach someone in management, and tell them in plain simple language what the problem is.

  • Over here in Scandinavia, we have a public register of companies, foundations, etc. This register can be accessed online, and the addresses of the members of the Board of Directors can be found. If you can do the same, then call them, or send them a letter (paper mail) explaining the issue, and that you have twice tried just reaching the webmaster. This should certainly get their attention.

Regardless of what your personal feelings are, I don't think a public humiliation is the right answer. It's not that I mind shaming them for their acts; it's more that:

  • A public display might invite bad people to compromise their systems further before these guys get their security cleaned up.
  • The site owner might be tempted to aggressively blame you, in order to deflect attention away from their own mistakes (here's one example of that).