Sometimes there is a very fine line in ethics. I’m not talking about the hackneyed “is it right to steal food for your starving child” scenario; I’m talking more about ethics in technology. I know that many people will disagree with the statement I’m about to make: “Sometimes it is acceptable to be unethical.” Read on to figure out why.

I’m by no means a security expert, or even a novice. I’m just a nerd with curiosity and some free time, which can occasionally be a dangerous combination. While logging into one of my semi-regular sites tonight I got curious as to how it worked and what it may be doing in the background. Because the front end of the site was done using Flash, it wasn’t as easy as doing a right click -> view source. Instead I had to use the Live HTTP Headers plugin for Firefox, which lets you see all of the traffic coming and going from your browser window. In this case I was able to intercept the entire request of my submission. Pretty cool, but what to do with it?

After mucking with this data for a few minutes I was able to pull out the different fields that were being submitted and make my own submission. Success! I could now perform the exact same operation I could before, but without a nice graphical interface. Sounds like a step backwards, doesn’t it? It’s not.

From here I was able to start my own little attempts at SQL injection to get the names of the tables and some of the data in them. I didn’t spend much time trying this as I didn’t want to cross my own mental line of ethics. I will admit I made a few generic, basic, high-level attempts to see how easy it would be. I managed to break the page that was being called and see the actual SQL calls that were failing. If I were the malicious type of person there is no telling what I could do. Although I don’t believe this site holds any particularly sensitive information, it’s still not data I own or should have access to, so I stopped. My work was done.
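As an added illustration (this is not code from the post, and has nothing to do with the site in question), here is the kind of defect the post hints at, shown from the developer’s side in Python with an in-memory SQLite table of constructed sample users: a query built by string concatenation breaks on any apostrophe in the input and, behind a debug-style error page, echoes the failing SQL back to the client, while the parameterized form treats the same input as plain data and never exposes the query. The table contents, the handler names and the shape of the error response are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not any real site's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def build_unsafe_sql(username):
    """The vulnerable pattern: user input pasted straight into the SQL text.
    Any apostrophe in the input changes the structure of the statement."""
    return "SELECT username, email FROM users WHERE username = '" + username + "'"


def lookup_user_unsafe(conn, username):
    """Run the concatenated query; raises sqlite3.OperationalError on a quote."""
    return conn.execute(build_unsafe_sql(username)).fetchall()


def lookup_user_safe(conn, username):
    """The hardened pattern: the input is bound as a parameter, so the database
    only ever compares it as a literal value, quotes included."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def leaky_handler(conn, username):
    """Simulates the behaviour the post describes (hypothetical handler):
    the page 'breaks' and a debug-style response echoes both the database
    error and the failing SQL to whoever sent the request."""
    sql = build_unsafe_sql(username)
    try:
        return {"ok": True, "rows": conn.execute(sql).fetchall()}
    except sqlite3.OperationalError as exc:
        return {"ok": False, "error": f"{exc} in query: {sql}"}


def hardened_handler(conn, username):
    """Parameterized query plus a generic error message (hypothetical handler):
    a quote in the input is just data, and nothing about the SQL is exposed."""
    try:
        return {"ok": True, "rows": lookup_user_safe(conn, username)}
    except sqlite3.Error:
        # Log the real exception server-side in practice; return nothing useful to the client.
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    # A legitimate username containing an apostrophe is enough to break the unsafe version.
    print(leaky_handler(db, "o'brien"))
    print(hardened_handler(db, "o'brien"))
```

The point of the pair is that the failure the post observed (a broken page showing the SQL that failed) is a symptom of the concatenation, and the fix is not to hide the error message but to bind the input as a parameter; the generic error response is a second, independent layer.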

It reminds me of a time a few years back when I came across an interesting and fun little site called CentSports. (A fun site for anyone looking for a free, legal way to do a little gambling. Yes, I said free.) The site was in its infancy and I started trying some of the exact same things I mentioned above. At that time I was much more successful in a much shorter amount of time. I was able to get a handle to their users database and all of the data in it. I immediately contacted the owners of the site and told them my findings. They appreciated my honesty in pointing out the flaw in their system. For the next few weeks I helped them intermittently by testing new functionality, eventually became a person that gave input into new functionality, and even became a moderator on the site assisting other users.

The page I found more recently is not a startup like CentSports was. It is a well-established company/brand that really shouldn’t have such flaws. Thankfully, I doubt they have any personal or sensitive data that could be accessed other than a name and email address. (I’m hoping the passwords are not stored as plain text.) The concept of the site is a game where people can earn prizes, though, so there is a matter of integrity.

I’ve contacted the site owners to let them know what I’ve found. I’m not sure it will be much of a concern to them overall, but I feel that it’s my responsibility to point it out before something happens. Maybe the developers don’t realize that this weakness exists and will continue their careers implementing code with such exploits available. Maybe they know that this is there but figure that since the site contains trivial data it isn’t worth fixing, even though prizes are on the line. Or perhaps they will think my findings are insightful and worthy of a reward like shares of the company or something even better. And trust me, with this organization I can think of a lot of things I’d like to have from them.

So, was I unethical? Did I cross any line? At what point does the line get crossed?

If I hear anything back I’ll be sure to post a followup.
