Teenager reported to police after reporting vulnerability in government website

Joshua Rogers, a 16-year-old from Victoria, managed to find a security hole that allowed him to access a database with more than 600,000 records about users who made purchases through the Metlink web site run by the Transport Department.

The site only contained information on public transport timetables but the database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne.

Rogers contacted the site, but after two weeks he had still not received a response, so he reported the problem to The Age. When the newspaper contacted the Transport Department, the department reported Rogers to the authorities.

"It’s truly disappointing that a government agency has developed a website which has these sorts of flaws," said Phil Kernick, of cyber security consultancy CQR, "So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there."

Security researchers often find themselves in a predicament: do they report a vulnerability and risk being arrested while trying to help, or do they simply move on and wait until a major breach happens? While many companies and organizations recognize the need to stress-test their security, some have yet to understand how to properly handle such reports. This story shows that some are prone to overreacting.

Rogers has since confirmed to Wired that the vulnerability he found was a SQL-injection vulnerability. Police have not yet been in touch with Rogers and he confirms that he only learned he’d been reported to the police from the journalist who wrote the story for The Age.

Source: Wired


That's out of order. Any decent company would actually give this kid a job as he's done something his government can't do.

Josh lad, what have you done? No, in all seriousness, Josh is a decent guy and this is completely ridiculous. His intentions were good and the right things were done on his end.
Really the police (or other government department) should be looking at who maintains this database and have words with them. It really should be against the law to hold certain details in plain unencrypted format. Hopefully this will be implemented by governments soon...

Being devils advocate... as of course the primary concern here is data protection.. and if someone has found a serious breach, then of course, it should be brought to the company's attention.. and if they chose to ignore it, then it should be made more public.. but...

Perhaps those looking for vulnerabilities in systems, should first notify or even ask permission to do so... It would be like someone trying to break into your house, and when getting caught, saying, I was simply checking your security to see if anyone could get in!

there are several issues here:
- the fact that he found an exploit in a government site through a not-hard-to-fix measure;
- if he could know what the contents were, then it means that they weren't encrypted, which is very worrisome.
- instead of dealing with the issue in a professional manner, he was reported to the police, potentially sending the wrong message to any white hat hacker: sell that info because if you warn them you will get screwed.

those three are very bad for the cybersecurity landscape and, like it was said here, those responsible for securing that site should be held accountable: personal data unencrypted in a database is very 90's stuff.

The guy found an exploit, I don't care how. He first alerted the government agency, after no reply was forthcoming he sent the details to a newspaper. Thanks kid, seems the grownups forgot what gratitude is.

techbeck said,
Regardless his intentions... He still broke the law.

George Chapman in 1654 wrote "the law is an ass" commenting on how common sense is not common when it comes to laws. The intent of a law when created has nothing to do with how those in power will abuse the law. Some things never change.

seeprime said,

George Chapman in 1654 wrote "the law is an ass" commenting on how common sense is not common when it comes to laws. The intent of a law when created has nothing to do with how those in power will abuse the law. Some things never change.

So it doesn't matter. Laws are put in place for a reason and if this wasn't enforced then anyone can do it and claim good intentions even if that's not true. He knew the risks before he did them. Most likely get a slap on the wrist anyway.

What about the website? Doesn't Australia have laws which are meant to protect user privacy? Leaking user information sounds like it would violate those laws...

techbeck said,
Regardless his intentions... He still broke the law.

You should have a reasonable expectation of security... that what he did shouldn't have yielded any results. SQL injection vulnerabilities shouldn't exist. They aren't hard to prevent.

He was probably pretty stunned that it actually worked. I would be.
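On the point made above that SQL injection vulnerabilities are not hard to prevent: the following is an added example, not code from the article, from Metlink, or from any commenter. It uses Python's standard sqlite3 module with a constructed in-memory table (the table, column names and sample rows are all assumptions) to show the difference between splicing user input into SQL text and passing it as a bound parameter. A surname containing an apostrophe is enough to show that the string-built query lets input change the query's structure (here it simply fails to parse), while the parameterized query treats the same input purely as data.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory customers table (sample data, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (surname, email) VALUES (?, ?)",
        [
            ("Smith", "smith@example.invalid"),
            ("O'Brien", "obrien@example.invalid"),
            ("Rogers", "rogers@example.invalid"),
        ],
    )
    return conn


def lookup_unsafe(conn, surname):
    """Vulnerable pattern: user input is concatenated into the SQL statement.

    Any quote character in `surname` becomes part of the SQL grammar instead
    of part of the value, so the input can alter what the statement means.
    """
    sql = "SELECT email FROM customers WHERE surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, surname):
    """Fixed pattern: the value is bound as a parameter.

    The SQL text is fixed at development time; the driver passes `surname`
    to the engine as data, so quotes and other metacharacters are inert.
    """
    sql = "SELECT email FROM customers WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]


def unsafe_query_fails(conn, surname):
    """Return True if the string-built query cannot even be parsed for this input.

    A parse failure is the mildest symptom: it shows the input reached the
    SQL parser as syntax rather than as a value.
    """
    try:
        lookup_unsafe(conn, surname)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    # A legitimate surname with an apostrophe: the concatenated query breaks,
    # the parameterized query returns the matching row.
    print("unsafe query fails on O'Brien:", unsafe_query_fails(db, "O'Brien"))
    print("safe lookup for O'Brien:", lookup_safe(db, "O'Brien"))
    print("safe lookup for Smith:", lookup_safe(db, "Smith"))
```

The same bound-parameter shape exists in every mainstream database driver and ORM, which is why the comment's claim holds: the fix is a coding discipline (never build SQL from untrusted strings), not a product. Separately from injection, the article's description of the stored data (dates of birth and a partial card number alongside names and addresses) points at the second control the commenters raise: the damage of any query flaw is bounded by what the table holds, so card data and other fields the site does not need for its function should not be stored in the first place.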

Victoria State is in Australia. There is no Victoria State in Canada, there are no States in Canada, no President either (although the current US President seems to think there is); Canada has Provinces & Territories. There is a city called Victoria in Canada. I think the world would come to an end if MOST Americans were taught world geography and the metric system in schools, like the rest of the world.

If you had actually checked you'd see his profile says he is from the Netherlands, so I'm not sure why you felt the need to throw in the insult about Americans. I guess everyone loves to do that though.

Well, it's not the morally correct thing to do (by the gubbermint), but on the other hand - what else remains. Technology, through human incapability to sufficiently grasp it all, has resulted in such a mess that there is no right choice. You do what you have to to get through the damn day.

"The site only contained information on public transport timetables but the database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne."

This seems like a lot. Haha "only"

rippleman said,
you guys believe this based only on a small part of 1 side of the story?
ofc. everything on the Internet is a one-sided story

Only proves the point for some people that never want to get involved to help others out because of them getting in trouble.

Like for example in the good ol' USofA, if you see someone in a car accident and you help them out, but in the process you cause another injury to that person, you can be sued for that injury even though you saved the person's life and they would have died if you didn't help. Isn't the law awesome?

Makes me not want to help anyone and just say "sorry, the cops are 15 minutes out and on the way even though you are almost dead and I might be able to do something, but don't want to risk screwing life up to help you." But of course you might get sued for not helping if they do die so you are in a "catch 22".

Not sure about in Australia, but that's pretty much how it is in the UK: the law specifically states you must not access any information you have not been lawfully given access to, which is why legitimate security researchers are required to fill in lots of legal documentation and get the company/agency to agree to everything on them before they even look at security problems on websites/network systems, etc.

It's a false flag. The security flaw is on purpose for 3rd party commercial interest. The boy basically blew the whistle and is being treated like one. Best thing he could have done was to sell this information to those seeking interest in such info and let the site owners deal with it.

Address him as, "this kid"? More like Mr. Rogers, this young man saved your hides whether only potentially or not he earned respect

I think we all know the guy did not stumble onto this by accident right? We can argue semantics, but it seems his intent and methods are obvious. He most likely was not on the site to top up his bus card.

paulheu said,
So hackers are now called "Security researchers" ?
Not all "hackers" are malicious. I can't believe I even have to explain this...

paulheu said,
I think we all know the guy did not stumble onto this by accident right? We can argue semantics, but it seems his intent and methods are obvious. He most likely was not on the site to top up his bus card.

Yeah he broke in, topped up his bus card, stole all records, and sold them. Then reported the problem. Because that's a really clever thing to do right /s

Derp derp derp...

paulheu said,
So hackers are now called "Security researchers" ?

The media have manipulated the term hacker to mean malicious. Hacker is defined as being someone who is unskilled or experiments with any particular thing and doesn't limit itself to technology. An example is that you can be a hacker at brewing beer.

When it comes into the realm of computer security the kid might just be a grey hat hacker. That's a person who breaks security for the sole purpose of notifying the administrator of any flaws found. They may offer to fix the flaw for a fee if they are able.

http://en.wikipedia.org/wiki/H...mputer_security%29#Grey_hat

Edit: Fixed link...

Edited by shinji257, Jan 12 2014, 11:27pm :

paulheu said,
So hackers are now called "Security researchers" ?

There will always be smarter 'hackers' out there than the handful of people on the 'research/hack' team. If there were no 'hackers' would flaws ever be found? No. Because when ARE the flaws found? When a 'hacker' goes in and tries to break it/hack it. That's basically a tester, in this case a hacker. It's better that the hacking not be so consequential as long as the hacking done didn't end in real malicious acts (though we can't really know, but hope?) because that's basically someone you probably should hire (for your IT Security Team). Either way, there is really no better fix. Even companies with 100 security 'techs' still get broken into. Look at the many 'big' companies that get hacked all the time, they have plenty of money for their IT security dept., yet there are still smarter people 'out there'. That's just how it goes in the world. Anything that can get hacked, gets hacked 1 way or another (look at the Kinect or the new hacking with the store's CC, or the hacking the Lulz/Anon were doing a while ago).

Unfortunately there is no resolve. Hackers are going nowhere and will try to hack either for fun, maliciously, or to 'help' the company. I wish it was only to help the company, but that is naive to wish probably.

Truly disgusting behaviour, but all too common in countries with governments that don't respect their citizens.

Grizzl said,
Truly disgusting behaviour, but all too common in countries with governments that don't respect their citizens.

This doesn't really have anything to do with the government, this is about people. E.g. the individuals in this government agency's IT department. Someone in there screwed up, was either hoping to ignore the issue or couldn't fix it, and because this then makes the representative of the department look bad they've deflected it as a "criminal matter".

If the government was involved the kid wouldn't have his computer anymore and wouldn't be handing out quotes saying first I've heard of it.

What this does highlight though as the cyber security guy pointed out is the need for government and private firms to have processes in place so that when things like this are reported it is a) handled in a professional manner and b) the issue is quickly investigated and resolved.

It has to do with government.

Here in Holland we have a rule (not really a law...yet) that when a whitehat hacker acts properly, as in informing the targets of the exploit/issues and not releasing the information publicly, he cannot be prosecuted.

Grizzl said,
Truly disgusting behaviour, but all too common in countries with governments that don't respect their citizens.

I don't know what image you have in your head about Australia, but I can hardly say the Government doesn't respect me.

Grizzl said,
Truly disgusting behaviour, but all too common in countries with governments that don't respect their citizens.

Hey!

That sounds just like the USA's government!!

I agree also. Truly disgusting!!

Grizzl said,
Truly disgusting behaviour, but all too common in countries with governments that don't respect their citizens.

Come on, don't type some crap like you've typed here, wait for replies and never come back and comment.

Australia is a western country, with a democratic Government. What are you talking about?

Nashy said,

Come on, don't type some crap like you've typed here, wait for replies and never come back and comment.

Australia is a western country, with a democratic Government. What are you talking about?

I really didn't notice the country this article was talking about until reading these comments. Until then, I just assumed it was U.S. because it sounds like something that would happen there.