LG/Netflix Rebate Site Exposes User Data With AT&T-Esque Hole [Updated]
from the self-hacking? dept
[Update: hole has been closed by ACB's IT team]
The Computer Fraud and Abuse Act is so severely flawed that people are extremely hesitant to report security holes in websites, especially after witnessing what happened to Weev (Andrew Auernheimer), who went to jail for exposing a flaw in AT&T's site that exposed user info when values in the URL were incremented.
The same goes here with this submission from an anonymous Techdirt reader who added this note, along with a link to a post in the Computer Security subreddit.
"I remember a person was recently arrested for finding this same flaw in a website and told (at&t/apple??) about it. He was arrested and jailed if I remember right. This is the type of chilling effects that come when people view techies as hackers and are arrested for pointing out flaws.Is that overdramatic? Doubtful. People have reported security flaws to companies only to have these entities press charges, file lawsuits or otherwise tell them to shut up. Weev's only out because the government's case was brought in the wrong venue. The CFAA, which has been used to punish many helpful people, is still intact and as awful as ever.
The flaw is in:
http://www.acbincentives.com/lgnetflix/claimdetails.asp?txtclaimnum=30345
By changing the number at the end you can harvest personal info.
I won't report the flaw, I could go to jail."
As the (also anonymous) redditor points out, he or she has tried to contact the company but has found no avenue to address this security hole which exposes names, addresses and email addresses of customers sending in claims for a free year of Netflix streaming that came bundled with their purchase of an LG Smart TV. Incrementing the digits at the end of the URL brings up other claims, some with images of receipts attached. In addition, anyone can upload support documents to these claims.
Here's a screenshot of the hole in question:
As the original poster points out, with a little coding, someone could put together a database of addresses that most likely house a brand new LG Smart TV. And this may not just be limited to LG. ACB Incentives is the company behind this promotion, and it handles the same sort of online rebate forms for a variety of companies. These rebate submission sites all branch off acbincentives.com, which could mean it's just a matter of figuring out how each one handles submitted claims, URL-wise.
Now, I've contacted the company to let them know. Amanda Phelps at the Memphis branch says she's bringing it to the attention of programming. I also let her know that it may affect other rebate pages but that I can't confirm that. We'll see how quickly this is closed*, but all in all, the people at ACB seemed to be concerned and helpful, rather than suspcious.
*Very quickly, it appears. See note at top of post.
But the underlying point remains. Many people who discover these flaws aren't criminals and aren't looking to expose the data of thousands of unsuspecting users. They're simply concerned that this is happening and often incredulous that major companies would be this careless with customers' data. That the kneejerk reaction has often been to shoot the messenger definitely gives those discovering these holes second thoughts as to reporting them, a hesitation that could allow someone with more nefarious aims to exploit the exposed data. The law needs to change, and so does the attitude that anyone discovering a flaw must be some sort of evil hacker -- or that the entity must do whatever it takes, even if it means throwing the CFAA at someone, just to prevent a little embarrassment.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cfaa, cybersecurity, promotions, rebates, security, security hole, user data
Companies: acb incentives, lg
Reader Comments
Subscribe: RSS
View by: Time | Thread
The smart ones are using it to get rich in criminality or corruption. For those that refuse to get dirty you wither keep quiet or report fully anonymously. Or risk having your life destroyed.
[ link to this | view in chronology ]
Re:
In the end, these problems will come to be found only by criminals (who will take immediate advantage) because discovery by the law abiding citizen is banned.
[ link to this | view in chronology ]
Holy crap, that's quite a few acronyms.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Strange Journey
Now if there could be a rule, a messenger test if you will, such as 'if messenger = true; don't shoot' then we could straighten out a whole bunch of things, like parts of the CFAA, whistleblowing, journalism, etc.
[ link to this | view in chronology ]
This is why I don't report ANYTHING any more
The second problem is reaching someone who understands what you're saying and/or gives a damn.
The third problem is that their response is likely to be denial, denial, denial.
The fourth problem is that their next response is likely to be "call the FBI".
I've observed all kinds of problems -- some pretty small and inconsequential, some maybe not -- but my reaction is never to report them. I just stop doing business with whoever-it-is and quietly move on. I never report them, never exploit them, never do anything but walk away.
Until the CFAA is repealed -- not fixed, it's unfixable -- I'm sure I'm not the only one with exactly this attitude. Which means that we're all much less secure than we could be. Oh well.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Chilling effect
The URL ended in a record ID number, and I have no doubt that simply changing the number would pull up other tenant's information. I didn't test that, even though a proper bug or security issue report should include that test. I've read accounts of people doing exactly that, only to be arrested when they properly reported the bug.
Having pulled up only the initial record and no more, I felt it safe enough to report the issue. And to later report it to the press if it wasn't fixed. But I can't say that I wasn't nervous. I emailed the company and cc'd the tenant.
Fortunately the company emailed me back within minutes. The information was taken down, though it would still appear in Google's cache for a while. And so I didn't contact the press.
Apparently the tenant disagreed, and it made the news anyway.
Details available on request if needed.
[ link to this | view in chronology ]
Re: Chilling effect
So the tenant was worried about their information going public, so they contacted the press about it, ensuring a whole ton of eyes on them and any of their information that might be available.
Brilliant. /s
Morons like that are part of the problem, as if a company knows that they'll be blamed whether they fix a problem or not, it's easier to just hush it up and attack those that try and point out the security holes.
[ link to this | view in chronology ]
Re: Re: Chilling effect
That's another reason why I was hesitant to go to the press.
But on the other hand, who knows how long the information was on-line? I stumbled across it with a search on my address. No doubt the identity theft crowd knows how to search specifically for any SIN#'s or driver's license numbers inadvertently left online.
One has to assume that the cat was already out of the bag.
(Well. Those whose data was exposed have to assume it. But apparently, other than the one I cc'd, they were never informed.)
[ link to this | view in chronology ]
Re: Chilling effect
[ link to this | view in chronology ]
Re: Re: Chilling effect
Here you go:
http://winnipeg.ctvnews.ca/woman-finds-her-private-information-from-rental-application-posted-onl ine-1.1599730
[ link to this | view in chronology ]
Re: Chilling effect
Wait, they're allowing Google to cache this information as well? That's a second bug they should be alerted to.
[ link to this | view in chronology ]
Re: Re: Chilling effect
You can use the robots.txt file on your web site to tell search engine web crawlers which pages and directories should not be publicly accessible. Nothing says that a web crawler has to honor it.
In doing so, you're telling malicious web crawlers where to find the interesting stuff. That includes directories that they might have no other way of knowing about.
I'd be frankly astounded if there isn't a search engine or ten out there that doesn't specialize in or filter for "Disallow" results.
[ link to this | view in chronology ]
Re: Re: Re: Chilling effect
However, there are other measures to stop crawlers outside of robots.txt that are almost completely effective and don't rely on the crawler being well-behaved. If a site deals with sensitive information, it should be taking those measures. If it's not, that's a serious security flaw.
[ link to this | view in chronology ]
[ link to this | view in chronology ]