It was 1995 again here at Camp Hogg. At dotastronomy NYC hack day, one of the participants (who I am leaving nameless unless he or she wants to self-identify in the comments) identified a SQL-injection vulnerability in the MAST (Hubble Space Telescope) astronomical data archive. I made the mistake of bug-reporting it late last night and then had to deal with the consequences of it today. It was my first experience of the grey-hat world (white hat: report bug without exploit; grey hat: exploit bug trivially and report it; black hat: exploit but don't report); grey-hat is effective but stressful and doesn't get you any love. The upshot is positive though: MAST will be more secure going forward.
It is _not_ possible to discover a vulnerability without exploiting it, even trivially, unless you have access to the code to proof-test it.
Yes, it looks like 1995 when users got sued for their good intentions. Today, in the outside world companies are even encouraging users to break their software and reward their findings. I hope MAST/HLA will learn from these lessons.
MiguelV