A while back, I was playing around with the cable modem / router the ISP gave me because I was curious and an idiot. After screwing around a bit, I managed to find a vulnerability that exposed technician credentials in plaintext, and they actually worked. Had no idea where to report it though, because the manufacturer's contact page could be summed up as "fuck you, we don't talk directly to consumers." I don't think the vulnerability was that bad, as you had to be logged in to the web interface already with another account, but still.
I don't really trust ISP provided hardware / software now though.
> you had to be logged in to the web interface already with another account
Obviously I don't know specifics, but if this applies to any router which has multiple tiers of login then it could be a pretty serious problem. I suspect that might be true for routers designed specifically to broadcast multiple networks (e.g. school or shared apartment-building routers)?
But how do you publish it without the liability of getting sued? A person like me who doesn't work in security still occasionally finds some vulnerability. Sometimes you get angry emails from the company even if you just try to warn them.
If you think they'd sue, you can always send the details to a tech journalist specialized in such matters (someone with a proven track record of protecting their sources). Use an anonymous email service to be sure.
If something goes wrong, they'll take the threat of legal action and probably win. Companies know that suing journalists often leads to more bad press than cooperating. They can even try to contact the company in question for you if the vulnerability is bad enough.
If the company doesn't respond or get their shit together, journalists will get a scoop and the company is forced to fix their shit. If the company does fix their shit, the journalist will still get a story out of it and you can rest easy that you've helped make the internet just a little bit safer for everyone.