You should do what any self-respecting person does: create an anonymous email and mail the security team about it. Then of course disclose the details of the backdoor the next day when they don't respond instantly.

So I'm at a new contract job to write a mobile app for this large corporation. They have a preexisting API that was written for an in-house app. The developer that wrote the API is no longer with the company and has gone home to India. So I'm digging through the API to figure out what is going on and if it is even suitable for what I need. I find a section of the code that looks strange, almost deliberately obfuscated, or less carefully written than other parts of the code. I dig further into it and find that it is accessible without going through any login process and allows total access to the database without any auditing.
What should I do? Brave members of Rerolled screenshots help me decide how I should handle this dilemma.
I'm tempted to go tell the idiot boss what an idiot he is for blindly trusting outsourcers.
But who knows, for this company, it could be placed there for the NSA.
What do you boys think?
Just ignore it, collect phat paychek?
I've been trying to determine a reason to bring the FBI in. Some sort of nightmarish auditing scenario would be my ideal endgame here. I can't think of any actual crime that has been committed. Other than the crime of extremely bad and insecure code, which to my experienced eyes was flawed by design.

You are pretty much obligated to report this to the company and maybe even the FBI, considering this most likely goes across state and country lines. By not reporting it you could easily be nailed as an accessory.
So if that's the case, why not say something? You might even get additional work out of it to fix the issue.

I'm sorry, I'm an NYC consultant. Shitty human and shit-eating grin kind of go hand in parcel with the job.
Target first acknowledged the hack December 19, and its stock prices obviously suffered in the months to come. At the end of November, the retail chain was sitting at $64. By February 5, it had dropped all the way down to $55. It only just recently started to gain ground back into the $60+ territory.
Wasn't that much of a drop for these guys.

46 - The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.
Home Depot saw a slight dip in its stock prices, which sat at $93 prior to the announcement of the breach and dropped to $89 by the following day.
Around the time the hack was revealed to the public, Google sat at $300, but it quickly dropped. By the end of February, it had dropped to $263, and by July it dipped all the way down to $218 - the stock's lowest price in the past five years.
It doesn't make a blip on their stock valuation, so the board of directors won't give a damn.
Not if you got your telling them, and them saying they don't care, in writing. In writing is the biggest thing when doing basic CYA.

It became a known issue - not going to fix. So now, as a contractor, am I liable in some way if this thing gets used for an unlawful purpose simply because I was aware of it?