An Aussie teen hacker is regretting helping a government website fix a security hole after the company in charge of the site reported him to the fuzz.
Joshua Rogers, a 16-year-old in the state of Victoria, found a basic security hole that allowed him to access a database containing sensitive information for about 600,000 public transport users who bought stuff through the Metlink web site run by the Transport Department.
The site matters because it is the primary source of train, tram and bus timetable information. The database contained the full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of the credit card numbers used at the site.
According to The Age newspaper, Rogers contacted the site after Christmas to report the vulnerability but never got a response. He decided to call The Age, and when a hack rang the Transportation Department for comment, it reported Rogers to the police.
The paper did not say how Rogers accessed the database, but says it was a doddle. It was probably a SQL injection vulnerability, as SQL injection is the attacker's tool of choice for breaching web sites and reaching the backend databases behind them.
The Aussie police have a history of slapping the cuffs on people who reveal security vulnerabilities. In 2011, Patrick Webster suffered a similar consequence after reporting a website vulnerability to First State Super, an Australian investment firm that managed his pension fund.
Webster was arrested after he wrote a script to download about 500 account statements to prove to First State that its account holders were at risk. First State responded by reporting him to police and demanding access to his computer to make sure he’d deleted all of the statements he had downloaded.
Rogers said that the police have not contacted him and that he only learned he had been reported to the police from the journalist who wrote the story for The Age.
Still, he is probably regretting doing the decent thing and reporting the flaw.