Joshua Rogers, a 16-year-old from Victoria, managed to find a security hole that allowed him to access a database with more than 600,000 records about users who made purchases through the Metlink web site run by the Transport Department.
The site only contained information on public transport timetables but the database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers used at the site, according to The Age newspaper in Melbourne.
Rogers contacted the site but after two weeks he had still not received a response so he reported the problem to The Age. When the newspaper contacted the department of transportation the site reported Rogers to the authorities.
"It’s truly disappointing that a government agency has developed a website which has these sorts of flaws," said Phil Kernick, of cyber security consultancy CQR, "So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there."
Security researchers often find themselves in a predicament: do they report a vulnerability and risk being arrested when they're trying to help or do they simply move on and wait until massive disasters strike. While many companies and organizations realize the need to stress test their security systems, some have yet to understand the how to properly handle such reports. This story proves that some are prone to overreacting.
Rogers has since confirmed to Wired that the vulnerability he found was a SQL-injection vulnerability. Police have not yet been in touch with Rogers and he confirms that he only learned he’d been reported to the police from the journalist who wrote the story for The Age.
Source: Wired | Image via Wired