Guesswork Plagues Web Hole Reporting
Kevin Poulsen, SecurityFocus 2002-03-06

A good Samaritan has trouble getting the attention of a fashion retailer leaking customer credit card numbers. Should reporting security holes in e-commerce sites be easier?

Guesswork Plagues Web Hole Reporting 2002-03-06
Anonymous (4 replies)
Guesswork Plagues Web Hole Reporting 2002-03-08
Anonymous (1 replies)
"Good samaritan," huh? My question is this: if this individual was so interested in honestly informing this company of their security flaws, why is he pulling down credit card numbers instead of the other account information no doubt stored in the sql database, such as usernames, order numbers, mailing addresses, etc.? Doesn't seem like this is a very benign, white-hat, "oh, I'm interested in helping patch sites" thing to do. I understand that card numbers are more effective in drawing attention to the flaw by which the numbers were gained, and that it can be extremely frustrating trying to get large companies to act on such big, bad flaws, but the fact of the matter remains that this guy grabbed multiple card numbers. According to the law, this is theft, despite his possible good intentions. It is certainly this company's fault for leaving this box vulnerable, but our good samaritan, in his...let's call it enthusiasm...has certainly left himself open for possible prosecution as well. I guess (hoho) my point is, there are other ways to prove granted unauthorized access without getting yourself in deep with the law by using cards. You start stealing things for a benign purpose and your actions kinda undo what you're trying to accomplish.


Link to this comment: http://www.securityfocus.com/comments/articles/346/10876#10876
Guesswork Plagues Web Hole Reporting 2002-03-13
Andrew Daviel







 

Copyright 2008, SecurityFocus