
Websmart, Inc. and 100,000 Vulnerable Websites

82 points, by GrahamsNumber, over 11 years ago

23 comments

acangiano, over 11 years ago
This is all fine and dandy but I actually find the approach taken by the professor in the first email to be quite unfriendly and perhaps even unprofessional. The guy from Websmart is actually right, there was no need to immediately contact his customers directly. You let the vendor handle the delicate subject with their customers and then take action directly (with a public disclosure) only if the vendor ignores you.
jtchang, over 11 years ago

Rule #1 - Don't be an asshole.

You found a vulnerability in lots of sites so you contacted the vendor who was responsible for it. Cool. They replied and said they would fix it.

Going around and e-mailing their customers is kinda odd. Sure it may result in you feeling great but in the end the customers probably don't have a clue. Better to be mature about it and contact the vendor (who actually responds!)

If they stop responding or tell you to peeter off, then it might be reasonable to do some type of disclosure. But not before you actually give them a chance to respond.
gk1, over 11 years ago

Wow. Just wow. I used to manage client accounts at an agency. Here's how I'm seeing this:

- Author sends a condescending, threatening, passive-aggressive, and shaming email to a vendor and its clients.

- Vendor respectfully explains that it was an unprofessional thing to do, because their client relationships were put at risk without them having a chance to correct their mistake.

- Author completely fails to understand why the vendor would think this, and interprets the email as an effort to "intimidate [him] into silence."

To be clear, I'm not excusing the vendor for their shoddy development work. I just think this professor is clueless about effective communication.
columbo, over 11 years ago

My personal advice to all small-business-owners: Don't get into pissing matches!

Yeah, I don't like Sam Bowne's approach. His initial email read as someone looking to make a name for himself (this is the biggest security flaw I've ever found! You have 6 days to respond!).

Despite this, if I had received an email like this I would have sent back a personal thank you followed with an outline of action steps. If I get another email from Sam asking more questions I'd reply as quickly as possible. Every transaction between him and me would be professional.

I'm reminded of a time when someone was convinced I was a hacker. It's a bit of a long story; I was tasked with creating a certification course for 2,000 employees. They all get emails telling them to log in and one guy saw the domain (companyname.columbo-companyname.com) and thought it was a Phishing scam. This employee then pulled up my company, does a WHOIS, called my cell phone a few times* and then promptly sent an email to the CTO (and about 6 other VPs) about a rogue hacker.

The whole thing turned into a massive cluster, suddenly I'm getting emails and phone-calls about a hacker in MY site (the CTO assumed I had been hacked and they had been hacked by proxy, nobody knew what was going on).

Took a few days to sort out and when they found out where it started the CTO sent me an apology to which I responded "Hey, it's no big deal, it's great you have an employee willing to raise alarm bells like this."

Problem Solved.

There's nothing to gain from pissing matches or threats.

* I suspect he's the one that called me, got a strange call & text right before all this went down from a number I didn't recognize.
thekevan, over 11 years ago

Imagine if the local news outlet did a "consumer watchdog" piece on a contractor going around installing windows or doors in homes and businesses with locks that can be easily opened without a key. Then imagine the contractor acknowledged the issue but threatened to sue the news outlet for hurting their business.
sugerman, over 11 years ago

I appreciate that the guy's attitude is just awful, but the author really should have given him a chance to respond/react before contacting his clients. Doing so doesn't preclude notifying them eventually. It's just common courtesy.
gojomo, over 11 years ago

It's reasonable to contact the affected sites, as well as Websmart. The sites might be able to fix themselves, depending on their level of technical involvement, and (despite the "Web Site by Websmart Inc." line) it's reasonable for an outsider to simply consider the vendor/contractor/hoster as an internal implementation detail, and the brand-at-risk as the principal.

But, the notification didn't need to inform all of them at once in the same message - revealing multiple vulnerable customers to each other, ratcheting up the embarrassment for Websmart before even seeing their initial reply. And the one week deadline before pursuing "more drastic remedies, such as contacting news media" starts things in a confrontational, threatening manner.

If the aim was being helpful, a notice to Websmart first, and then to each other site individually, would have highlighted the problem without activating defensive egos. The messages to individual sites wouldn't even have to name Websmart, just an indication that "your vendor or host may be the party best able to fix". (The fact that not all the "…by Websmart" sites have the bug may indicate it's only a certain type or generation of their work that's problematic, or that a fix is relatively easy.)

So I see both sides unnecessarily escalating the righteous anger with their communication choices.
polemic, over 11 years ago

Nice one including the XSS injection flaw posted to inj3ct0rs within your own page there. Did you forget to sanitize your own HTML?

Secondly, publicly publishing the email addresses of the (innocent) victims, and emailing those clients with To instead of Bcc fields are both really inconsiderate moves.
Phil_Latio, over 11 years ago

LOL

http://www.websmartconsulting.com/profile.php?ClientID='
jcrites, over 11 years ago

Is there really a SQL injection vulnerability?

Can someone describe the specific vulnerability in more detail? All the example URLs in the article yield an SQL syntax error, which definitely puts the site at high risk for such vulnerabilities. However, on the other hand, I saw no URLs that actually demonstrated successful injection.

For it to be an injection vulnerability, the server needs to execute the query (not fail with a syntax error).

Does anyone have a working example? Nothing malicious please. I tried several basic techniques and was unsuccessful, due to what appears to be escaping on double and single quote characters.
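A small model of the distinction jcrites draws above (the database rejecting the statement with a syntax error versus executing it), added here as an illustration and not code from the thread or from the site under discussion; the SQLite table, column and client names are constructed, and nothing about the real site's query is known. It puts the string-concatenation pattern that produces the symptom beside the parameterized form that removes it.

```python
import sqlite3

# Constructed sample data; the real site's schema is unknown.
CLIENTS = [(1, "Alpha Co"), (2, "Beta LLC")]


def make_db():
    """In-memory SQLite database standing in for a client-profile table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client (ClientID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO client VALUES (?, ?)", CLIENTS)
    return conn


def lookup_concat(conn, client_id):
    """Vulnerable pattern: the URL parameter is spliced into the SQL text,
    so a stray quote changes the statement's structure."""
    sql = "SELECT name FROM client WHERE ClientID = '" + client_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, client_id):
    """Hardened pattern: the parameter is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM client WHERE ClientID = ?"
    return [row[0] for row in conn.execute(sql, (client_id,))]


def probe(lookup, client_id):
    """Classify one request the way the comment distinguishes outcomes:
    did the database reject the statement, or execute it and return rows?"""
    conn = make_db()
    try:
        rows = lookup(conn, client_id)
    except sqlite3.OperationalError as exc:
        return ("rejected", str(exc))
    finally:
        conn.close()
    return ("executed", rows)


if __name__ == "__main__":
    for fn in (lookup_concat, lookup_param):
        for value in ("1", "'"):
            print(fn.__name__, repr(value), probe(fn, value))
```

With the bare apostrophe from the thread's example URL, the concatenated query is rejected (the symptom seen in the article), while the parameterized query executes and simply finds no matching client.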
natch, over 11 years ago

I'm picking up that Sam may be a little off. Or at least his reading skills are really questionable. The developer clearly stated that he would look into it, which is what you say when you first get word of something serious that needs to be looked into. And he was appreciative, emphatically so, about being informed. And annoyed about his customers being informed as well, but that annoyance is very understandable, even though he may have deserved some annoyance by his apparent lapse in coding rigor.
grannyg00se, over 11 years ago

Surprise, many websites are not secure. Does he go around testing people's door locks to see how vulnerable they are to being picked with a basic lock pick set? Maybe knock on some doors and tell the home owners that their home contractor doesn't take security seriously enough and demonstrate how easily the standard door lock can be picked?

I could understand if he was making a business out of this, selling improved security. But this way it just looks like he's out to show people that he knows something they don't know and publicly shame them into some kind of response.
scoot, over 11 years ago

He seems to be confused by the difference between pages and sites - 100,000 pages is not 100,000 sites. And the search in question only finds 274 pages anyway.

So this is actually: "handful of sites have a sql injection vulnerability - owners & operators incapable of fixing". Hardly big news.
colinbartlett, over 11 years ago

What an idiot, he could have reacted with gratitude and done his part to convince his customers that he would make the situation right.

Instead, he's opened himself up for a flurry of negative attention not only from the public but from the unethical hacking community.
notlisted, over 11 years ago

Sam is in dangerous territory here. IANAL, but I think he may be close to being accused of Tortious Interference[1]

I noticed this in the initial response of websmart's owner that I've seen before in legal docs.

"I do not appreciate you taking the liberty of contacting my clients directly [...] you have no right or authority here. You could very well damage my business with this. If that happens you will be hearing from our lawyer."

This line in Sam's last email is especially dangerous (stating things he doesn't know and something which can be perceived as "soliciting for business"):

"This is a serious security defect. It is easy to fix, but Websmart has made it clear that they have no intention of fixing it. [...] If you have questions, or would like help fixing your website, feel free to contact me."

isn't very smart to say the least.

[1] http://en.wikipedia.org/wiki/Tortious_interference
rickyc091, over 11 years ago

Here's the thing, a lot of times people just don't care. I've sent emails to Amtrak, USPS, SallieMae and many others about bugs on their sites. Most of the time I just get canned responses saying they'll look into it or reply with something totally irrelevant. Sure it probably would have been the courteous thing to do by sending the webmaster an email first individually, but if you were the client, wouldn't you want to know about this vulnerability? Wouldn't you want to know your database has been compromised?
ThinkBeat, over 11 years ago

There are several dead links and sql injection vulnerabilities on the company's website.

I can appreciate that it takes time and tact to deal with all the clients, something he is hopefully doing, but not even doing some basic work on your own corporate site is hard to understand.

There are also exploits in the Frontpage module his web server is running according to online databases.

Does this company have its own "cms" system? Is that why the error is so pervasive?

From what he says about his business under "About Us" the owner has a solid background of over 10 years in the broadcast industry as a radio personality.

My assumption is that he owns the business, and has owned it for a long time. He probably has very rudimentary html skills and can open his tool of choice DreamWeaver on a good day.

From what he says I think he outsources pretty much anything more than writing plain html. So he might be trying to deal with one or more contractors that he has hired for different sites. That probably makes it difficult for him to roll out any changes / patches in a timely manner. He is probably trying to get his / one of his contractors to do it for free, since he has discovered it's broken.

I think the appropriate action is for Owen Smart to take a step back. Take a deep breath. Realize that he is in a shitstorm now since the story hit HN.

He needs to reach out to and reassure his clients. He might want some help from a PR person here to make sure he presents well. Make them see that he is competent and taking action.

Hire in a developer with a strong background in security to review the code base(s) for additional problems, and come up with an immediate mitigation plan, and work out a longer term plan to deal with the issues identified.

Make sure to follow up with the clients about target dates for fixing their sites.

He may also have to add a section on his corporate page, with some help from a PR person, and give his version of events in the best, least confrontational manner, and again say that he has the resources and the plan for addressing the issues that have been raised. Some BS about thanking the people who helped him find the issues, and reassuring future clients that this will no longer pose any problems.

Happiness all around.
elwell, over 11 years ago

Does the author actually think Websmart has made ~100k websites?
elwell, over 11 years ago

http://www.websmartconsulting.com/portfolio.php

    We are currently working on upgrading our Portfolio of web sites and special projects. Please check back again soon.

Does anyone want to use an apostrophe and help him work on this page?
websitescenes, over 11 years ago

This professor is an ass. I would be livid if someone sent me those emails and created a press release. I think this is definitely grounds for legal action. The professor has severely misinterpreted the situation.
homakov, over 11 years ago

What is the point of hacking some random sites? Leave it to indian haxors.
rootuid, over 11 years ago

Contact the vendor, give them time to fix it. Wtf are you contacting his customers?

Sam, you are truly a moron.
GrahamsNumber, over 11 years ago

I find Websmart's attempt at trying to put this man out of a job absolutely disgusting. No doubt, Sam Bowne will think twice before reporting vulnerabilities next time. Even though I'm not in any way related to this incident, I've sent Sam a thank you note because I think the web community needs more people like him. If you want to do the same, his e-mails are in the link, but for ease of access: sam(dot)bowne at gmail, sbowne at ccsf(dot)edu.