http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/
By Kim Zetter
Threat Level
Wired.com
01.08.14
A teenager in Australia who thought he was doing a good deed by reporting
a security vulnerability in a government website was reported to the
police.
Joshua Rogers, a 16-year-old in the state of Victoria, found a basic
security hole that allowed him to access a database containing sensitive
information for about 600,000 public transport users who made purchases
through the Metlink web site run by the Transport Department. It was the
primary site for information about train, tram and bus timetables. The
database contained the full names, addresses, home and mobile phone
numbers, email addresses, dates of birth, and a nine-digit extract of
credit card numbers used at the site, according to The Age newspaper in
Melbourne.
Rogers says he contacted the site after Christmas to report the
vulnerability but never got a response. After waiting two weeks, he
contacted the newspaper to report the problem. When The Age called the
Transportation Department for comment, it reported Rogers to the police.
“It’s truly disappointing that a government agency has developed a website
which has these sorts of flaws,” Phil Kernick, of cyber security
consultancy CQR, told the paper. “So if this kid found it, he was probably
not the first one. Someone else was probably able to find it too, which
means that this information may already be out there.”
[...]
--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
