LG/Netflix Rebate Site Exposes User Data With AT&T-Esque Hole [Updated]

from the self-hacking? dept

[Update: hole has been closed by ACB's IT team]

The Computer Fraud and Abuse Act is so severely flawed that people are extremely hesitant to report security holes in websites, especially after witnessing what happened to Weev (Andrew Auernheimer), who went to jail for exposing a flaw in AT&T's site that exposed user info when values in the URL were incremented.

The same goes here with this submission from an anonymous Techdirt reader who added this note, along with a link to a post in the Computer Security subreddit.

"I remember a person was recently arrested for finding this same flaw in a website and told (at&t/apple??) about it. He was arrested and jailed if I remember right. This is the type of chilling effect that comes when people view techies as hackers and are arrested for pointing out flaws.

The flaw is in:

http://www.acbincentives.com/lgnetflix/claimdetails.asp?txtclaimnum=30345

By changing the number at the end you can harvest personal info.

I won't report the flaw, I could go to jail."

Is that overdramatic? Doubtful. People have reported security flaws to companies only to have these entities press charges, file lawsuits or otherwise tell them to shut up. Weev's only out because the government's case was brought in the wrong venue. The CFAA, which has been used to punish many helpful people, is still intact and as awful as ever.

As the (also anonymous) redditor points out, he or she has tried to contact the company but has found no avenue to address this security hole, which exposes names, addresses and email addresses of customers sending in claims for a free year of Netflix streaming that came bundled with their purchase of an LG Smart TV. Incrementing the digits at the end of the URL brings up other claims, some with images of receipts attached. In addition, anyone can upload support documents to these claims.

Here's a screenshot of the hole in question:


As the original poster points out, with a little coding, someone could put together a database of addresses that most likely house a brand new LG Smart TV. And this may not just be limited to LG. ACB Incentives is the company behind this promotion, and it handles the same sort of online rebate forms for a variety of companies. These rebate submission sites all branch off acbincentives.com, which could mean it's just a matter of figuring out how each one handles submitted claims, URL-wise.
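As an added defender-side illustration (not from the post, the redditor, or ACB's own systems), here is a small Python check that spots the enumeration pattern described above in web server logs: one client walking consecutive txtclaimnum values on claimdetails.asp within a short window. The log format, client addresses, timestamps, thresholds and all claim numbers other than the quoted 30345 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (Apache-style, not real ACB traffic).
# 10.0.0.5 walks five consecutive claim numbers in three seconds; 192.0.2.9 views one.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Apr/2014:11:40:01 -0500] "GET /lgnetflix/claimdetails.asp?txtclaimnum=30345 HTTP/1.1" 200 4120
10.0.0.5 - - [23/Apr/2014:11:40:02 -0500] "GET /lgnetflix/claimdetails.asp?txtclaimnum=30346 HTTP/1.1" 200 4098
10.0.0.5 - - [23/Apr/2014:11:40:02 -0500] "GET /lgnetflix/claimdetails.asp?txtclaimnum=30347 HTTP/1.1" 200 4101
10.0.0.5 - - [23/Apr/2014:11:40:03 -0500] "GET /lgnetflix/claimdetails.asp?txtclaimnum=30348 HTTP/1.1" 200 4130
10.0.0.5 - - [23/Apr/2014:11:40:03 -0500] "GET /lgnetflix/claimdetails.asp?txtclaimnum=30349 HTTP/1.1" 200 4077
192.0.2.9 - - [23/Apr/2014:11:41:10 -0500] "GET /lgnetflix/claimdetails.asp?txtclaimnum=30400 HTTP/1.1" 200 4110
"""

# Only requests for the claim-details page carry a claim number worth tracking.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) /lgnetflix/claimdetails\.asp\?txtclaimnum=(?P<claim>\d+)'
)

def parse_claim_requests(log_text):
    """Map client IP -> list of (timestamp, claim number) for claimdetails hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other paths are not relevant to this check
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, int(m["claim"])))
    return hits

def enumeration_runs(hits, min_run=4, window_s=60):
    """Return {ip: longest run of consecutive claim numbers requested within
    window_s seconds} for clients whose longest run reaches min_run."""
    flagged = {}
    for ip, reqs in hits.items():
        reqs = sorted(reqs)          # order by time, then claim number
        best = run = 1
        for i in range(1, len(reqs)):
            ts, claim = reqs[i]
            run_start_ts = reqs[i - run][0]   # first request of the current run
            if claim == reqs[i - 1][1] + 1 and (ts - run_start_ts).total_seconds() <= window_s:
                run += 1
            else:
                run = 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged
```

Flagging enumeration is only a stopgap: the real fix is to tie each claim to its submitter (an authenticated session or an unguessable per-claim token) instead of a guessable sequential number, for both viewing and document upload.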

Now, I've contacted the company to let them know. Amanda Phelps at the Memphis branch says she's bringing it to the attention of programming. I also let her know that it may affect other rebate pages but that I can't confirm that. We'll see how quickly this is closed*, but all in all, the people at ACB seemed to be concerned and helpful, rather than suspicious.

*Very quickly, it appears. See note at top of post.

But the underlying point remains. Many people who discover these flaws aren't criminals and aren't looking to expose the data of thousands of unsuspecting users. They're simply concerned that this is happening and often incredulous that major companies would be this careless with customers' data. That the kneejerk reaction has often been to shoot the messenger definitely gives those discovering these holes second thoughts as to reporting them, a hesitation that could allow someone with more nefarious aims to exploit the exposed data. The law needs to change, and so does the attitude that anyone discovering a flaw must be some sort of evil hacker -- or that the entity must do whatever it takes, even if it means throwing the CFAA at someone, just to prevent a little embarrassment.


Filed Under: cfaa, cybersecurity, promotions, rebates, security, security hole, user data
Companies: acb incentives, lg


Reader Comments



  • Ninja (profile), 23 Apr 2014 @ 11:47am

    If electronic flaws were the only thing not getting reported due to fear of getting charged and possibly arrested. It's not particular to the US. I've commented before but if you want to avoid legal issues most people will avoid reporting crimes they witness, help victims of car accidents or even crimes, report electronic flaws, expose corporate corruption, expose public corruption.....

    The smart ones are using it to get rich in criminality or corruption. For those that refuse to get dirty you either keep quiet or report fully anonymously. Or risk having your life destroyed.

    • Coyne Tibbets (profile), 23 Apr 2014 @ 7:45pm

      Re:

      This is really similar to that old saw: "When guns are outlawed only criminals will have guns."

      In the end, these problems will come to be found only by criminals (who will take immediate advantage) because discovery by the law abiding citizen is banned.

  • Violynne (profile), 23 Apr 2014 @ 12:15pm

    The FBI's using the NSA to track the IP address of the Reddit user so they can allow ACB to abuse the CFAA.

    Holy crap, that's quite a few acronyms.

  • Anonymous Anonymous Coward, 23 Apr 2014 @ 12:44pm

    Strange Journey

    I think this was done right. Rather than contact directly, as anonymously as possible you post the exploit and allow a third party to contact the appropriate people. Difficult, I know, but so long as that anonymity holds up, there is no one to charge via the CFAA. Why such a strange journey?

    Now if there could be a rule, a messenger test if you will, such as 'if messenger = true; don't shoot' then we could straighten out a whole bunch of things, like parts of the CFAA, whistleblowing, journalism, etc.

  • Anonymous Coward, 23 Apr 2014 @ 12:53pm

    This is why I don't report ANYTHING any more

    The first problem is communicating. Most sites have their fingers in their ears trying very hard not to listen to anybody. Go ahead, try "security@" a domain of your choice -- your bank for example. Good luck.

    The second problem is reaching someone who understands what you're saying and/or gives a damn.

    The third problem is that their response is likely to be denial, denial, denial.

    The fourth problem is that their next response is likely to be "call the FBI".

    I've observed all kinds of problems -- some pretty small and inconsequential, some maybe not -- but my reaction is never to report them. I just stop doing business with whoever-it-is and quietly move on. I never report them, never exploit them, never do anything but walk away.

    Until the CFAA is repealed -- not fixed, it's unfixable -- I'm sure I'm not the only one with exactly this attitude. Which means that we're all much less secure than we could be. Oh well.

  • Anonymous Coward, 23 Apr 2014 @ 12:59pm

    What is the difference here? That's simple. Apple and AT&T are egotistically evil. This company obviously isn't.

  • Roger Strong (profile), 23 Apr 2014 @ 1:34pm

    Chilling effect

    In December I did a Google search on my apartment building address. One of the first links returned was a database entry in text format, from RentCanada.com. It contained a tenant's name, Social Insurance Number, birth date, driver's license, email address and everything else needed for identity theft.

    The URL ended in a record ID number, and I have no doubt that simply changing the number would pull up other tenants' information. I didn't test that, even though a proper bug or security issue report should include that test. I've read accounts of people doing exactly that, only to be arrested when they properly reported the bug.

    Having pulled up only the initial record and no more, I felt it safe enough to report the issue. And to later report it to the press if it wasn't fixed. But I can't say that I wasn't nervous. I emailed the company and cc'd the tenant.

    Fortunately the company emailed me back within minutes. The information was taken down, though it would still appear in Google's cache for a while. And so I didn't contact the press.

    Apparently the tenant disagreed, and it made the news anyway.

    Details available on request if needed.

    • That One Guy (profile), 23 Apr 2014 @ 1:45pm

      Re: Chilling effect

      Apparently the tenant disagreed, and it made the news anyway.

      So the tenant was worried about their information going public, so they contacted the press about it, ensuring a whole ton of eyes on them and any of their information that might be available.

      Brilliant. /s

      Morons like that are part of the problem, as if a company knows that they'll be blamed whether they fix a problem or not, it's easier to just hush it up and attack those that try and point out the security holes.

      • Roger Strong (profile), 23 Apr 2014 @ 2:43pm

        Re: Re: Chilling effect

        So the tenant was worried about their information going public, so they contacted the press about it, ensuring a whole ton of eyes on them and any of their information that might be available.

        That's another reason why I was hesitant to go to the press.

        But on the other hand, who knows how long the information was on-line? I stumbled across it with a search on my address. No doubt the identity theft crowd knows how to search specifically for any SIN#'s or driver's license numbers inadvertently left online.

        One has to assume that the cat was already out of the bag.

        (Well. Those whose data was exposed have to assume it. But apparently, other than the one I cc'd, they were never informed.)

    • Anonymous Coward, 23 Apr 2014 @ 2:18pm

      Re: Chilling effect

      If the tenant brought the press into this on their own, I see no harm in posting here links to the press reports that the tenant caused. Presumably the press was smart enough not to reprint the sensitive confidential information...

    • John Fenderson (profile), 23 Apr 2014 @ 3:30pm

      Re: Chilling effect

      "The information was taken down, though it would still appear in Google's cache for a while."

      Wait, they're allowing Google to cache this information as well? That's a second bug they should be alerted to.

      • Roger Strong (profile), 23 Apr 2014 @ 3:55pm

        Re: Re: Chilling effect

        Well, yes and no.

        You can use the robots.txt file on your web site to tell search engine web crawlers which pages and directories should not be publicly accessible. Nothing says that a web crawler has to honor it.

        In doing so, you're telling malicious web crawlers where to find the interesting stuff. That includes directories that they might have no other way of knowing about.

        I'd be frankly astounded if there isn't a search engine or ten out there that specializes in or filters for "Disallow" results.

        • John Fenderson (profile), 24 Apr 2014 @ 8:51am

          Re: Re: Re: Chilling effect

          All true, but I was talking about Google's crawlers, which absolutely do honor robots.txt.

          However, there are other measures to stop crawlers outside of robots.txt that are almost completely effective and don't rely on the crawler being well-behaved. If a site deals with sensitive information, it should be taking those measures. If it's not, that's a serious security flaw.
