It's not so much a technical vulnerability, but rather a sloppy security practi
Question
It's not so much a technical vulnerability, but rather a sloppy security practice by a web design consultancy. They use a CMS which they've augmented with an admin login. As it happens, the admin users are stored in a table and the password field is plaintext.
Having seen which username/password they used for my client's site, I am 99% sure that it's the same password on other sites they've designed. A dozen websites in their portfolio have an identical admin login form, but obviously I cannot legally test whether the site is vulnerable, because the only way to do that would be to actually attempt to log in.
Would it be a reasonable course of action to contact these sites individually, tell them about my suspicion and suggest how they can fix it?
More importantly, am I putting myself at risk by doing so? The smarter owners will figure out that if they are vulnerable, so are the other sites in the portfolio, and could do nasty things, at the same time as I tell those sites that I happen to know how to access their admin areas. Sounds like fingers could be pointed at me. Any suggestions?
Explanation / Answer
Unless they have some form of bug bounty type program, you are putting yourself at risk by disclosing to organizations that haven