
A few years ago I also found a serious bug in a debt collection agencies web software. I ordered a phone and neglected to pay import tax and was chased by the agency. I found their website and saw that they developed their management software in-house and made it available for purchase for other agencies.

They offered a demo which I used to navigate around, in the demo was a reporting tool which essentially allowed you to send raw SQL queries to an AJAX endpoint. Something along the lines of:

http://demosoftware.com/reports/ajax.php?sql=SELECT * FROM debts

I switched out the demo software domain name for the live version and it worked, not only could I query the database there was no authentication preventing me hitting this end point.

At this point I was left with a dilemma, do I "erase" my debt, do I disclose the bug and pay the debt, or simply pay the debt and move on. I chose to pay the debt and move on due to fear of any recriminations. However it has left me uneasy ever since knowing that this company have such bad security and any debtors they are chasing for payments potentially will have all of their personal data leaked.
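The endpoint the post describes, as an added example that is not part of the post or of the agency's software, with its hardened counterpart beside it. The schema, rows, hostnames and the `handle_report` handler are all assumptions made for the example (SQLite in memory stands in for whatever database the agency used): the fix is that the client never sends SQL at all, only the name of an allow-listed report plus typed filter values, and that an anonymous caller is refused before any query runs.

```python
import sqlite3
from typing import Any, Mapping

# Constructed stand-in for the agency's database; schema and rows are invented
# for this example and are not taken from the post.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE debts (id INTEGER PRIMARY KEY, debtor TEXT, "
        "amount_pence INTEGER, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO debts (debtor, amount_pence, status) VALUES (?, ?, ?)",
        [("A. Example", 12500, "open"), ("B. Example", 4000, "paid"),
         ("C. Example", 9900, "open")],
    )
    conn.commit()
    return conn

# The pattern the post describes: whatever arrives in the "sql" query parameter
# is executed as-is, and nothing checks who is asking. Kept only as the "before".
def vulnerable_report(conn: sqlite3.Connection, params: Mapping[str, str]) -> list:
    return conn.execute(params["sql"]).fetchall()

# Hardened form. The client names a report and supplies typed filter values; the
# SQL text is fixed server-side and filters are bound with placeholders, so client
# input never becomes part of the statement.
REPORTS: dict[str, tuple[str, list[tuple[str, type]]]] = {
    "open_debts": (
        "SELECT id, debtor, amount_pence FROM debts "
        "WHERE status = 'open' AND amount_pence >= ? ORDER BY id",
        [("min_amount_pence", int)],
    ),
    "paid_debts": (
        "SELECT id, debtor, amount_pence FROM debts WHERE status = 'paid' ORDER BY id",
        [],
    ),
}

def handle_report(conn: sqlite3.Connection, params: Mapping[str, str],
                  session: Mapping[str, Any]) -> tuple[int, Any]:
    """Return an (http_status, body) pair, as an endpoint handler would."""
    # 1. Authentication and authorisation come first; an anonymous caller gets 401.
    if not session.get("user_id"):
        return 401, "login required"
    if "reports" not in session.get("roles", ()):
        return 403, "reporting role required"
    # 2. Only allow-listed reports may run; the client never sends SQL text.
    spec = REPORTS.get(params.get("report", ""))
    if spec is None:
        return 400, "unknown report"
    sql, filters = spec
    # 3. Every filter value is coerced to its declared type before being bound,
    #    so a string like "1; DROP TABLE debts" is rejected rather than executed.
    args = []
    for name, typ in filters:
        try:
            args.append(typ(params.get(name, 0)))
        except (TypeError, ValueError):
            return 400, f"bad value for {name}"
    return 200, conn.execute(sql, args).fetchall()
```

The allow-list is the important part: once the server owns the SQL text, the remaining surface is the set of filter values, each of which is type-checked and passed as a bound parameter rather than concatenated. A production deployment would additionally open the reporting connection with a read-only database role so that even a bug in the handler could not modify data.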




You don't erase just your debt, you open up Tor browser and drop the entire database. That'll teach them for next time.


> you open up Tor browser and drop the entire database

Apart from being a federal crime (CFAA), it would be rather obvious by the logs that a user was testing SQL injection on the demo system minutes before the production system was vandalised.

A better option would be to pay the debt, and then let them know you found a potential issue on their demo system. Let them connect the dots between demo system and production system. If they can't make the logical leap, then they deserve whatever someone else does.
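The point about logs, as an added example that is not from the thread: a small detector over web server access logs that flags requests carrying a raw `sql` query parameter and correlates clients that hit the demo host and then the production host within a window. The log lines, hostnames, addresses and timestamps are constructed for the example, and the `vhost_combined` layout (virtual host first) is an assumption about how the logs are written.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache "vhost_combined" layout (virtual host
# first). Hostnames, addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
demosoftware.example.com 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /reports/ajax.php?sql=SELECT%20*%20FROM%20debts HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
demosoftware.example.com 198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
live.example.com 203.0.113.5 - - [10/Oct/2023:14:02:10 +0000] "GET /reports/ajax.php?sql=SELECT%20*%20FROM%20debts HTTP/1.1" 200 98234 "-" "Mozilla/5.0"
live.example.com 198.51.100.9 - - [10/Oct/2023:14:03:00 +0000] "GET /login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
live.example.com 192.0.2.77 - - [11/Oct/2023:09:00:00 +0000] "GET /reports/ajax.php?sql=SELECT%201 HTTP/1.1" 200 40 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_log(text):
    """Parse the lines we understand, skip the rest, return records sorted by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records

def carries_raw_sql(target):
    """True when the request URL has an "sql" query parameter at all; on a site
    that should never accept SQL from clients, presence alone is the signal."""
    return "sql" in parse_qs(urlsplit(target).query)

def raw_sql_hits(text, host):
    """Every request to `host` that carried raw SQL, as (ip, timestamp) pairs."""
    return [(r["ip"], r["ts"]) for r in parse_log(text)
            if r["vhost"] == host and carries_raw_sql(r["target"])]

def demo_to_prod_pivots(text, demo_host, prod_host, window=timedelta(hours=1)):
    """Clients that sent raw SQL to the demo host and then, within `window`,
    to the production host. Returns (ip, demo_ts, prod_ts) triples."""
    first_demo = {}
    pivots = []
    for r in parse_log(text):
        if not carries_raw_sql(r["target"]):
            continue
        if r["vhost"] == demo_host:
            first_demo.setdefault(r["ip"], r["ts"])
        elif r["vhost"] == prod_host and r["ip"] in first_demo:
            gap = r["ts"] - first_demo[r["ip"]]
            if timedelta(0) <= gap <= window:
                pivots.append((r["ip"], first_demo[r["ip"]], r["ts"]))
    return pivots
```

Run over the constructed sample, `raw_sql_hits` lists both production callers that sent SQL, and `demo_to_prod_pivots` singles out the one address that rehearsed on the demo host a few minutes before hitting production. The same correlation is what an incident responder would reach for first, which is the substance of the comment above: the demo system's own logs tie the two activities together.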


Well obviously if you do that you wouldn't be testing the SQL injection for your main connection to begin with.

I'm not arguing against paying the debt - I would pay it in either case. However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).


> However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

I understand the feeling here, but no, they don't deserve to get their assets destroyed because of a lack of care.


Why not? Destroying the company means they won't be there anymore to put everyone's PII at risk.


Because private property is a cornerstone of a free society?

You can't just destroy someone else's property because you have some personal anarchist notion of justice.

If they are really being negligent then they should face the proper penalties.


Well the issue is that there are no penalties. Only free money for lawyers and nothing for the people who got their PII stolen.

Dropping the DB means there's no more PII to leak, makes a pretty good financial penalty for the company and doesn't make millions for useless lawyers. That sounds like an acceptable solution by my standards.


Better to pay your debt, wait till your PII has been removed, then issue a public disclosure of the bug.

Public disclosure because everybody should know about something like this that may impact them. Not because some random vigilante will see it and drop their DB for which they probably have no backups.


Make a backup for them first too, just in case they don't have one..


This is very evil...


In most of my D&D games it might be considered chaotic good depending on the debt collector.


Such companies are usually extremely shady and unethical, I would not consider it evil at all to delete all of their recorded debts via tor or something.


Would you gladly go to prison for it?


An interesting moral query: how much debt erased is worth a prison sentence of X years?


No, which is why I mentioned tor.


In case anyone feels like doing something like that, this talk is worth a listen:

https://www.youtube.com/watch?v=eQ2OZKitRwc

A talk on how Tor users got caught. In a nutshell: it wasn't Tor's fault, but bad OPSEC on the part of the users.


Also, it is worth considering that debt collection agencies are very good at finding people, and very bad at upholding ethical standards. Going to prison is not the worst case scenario.


Is it actually profitable to do that sort of unethical activity though? These aren't exactly loan sharks right?


If you think you can't get caught because you use Tor, I know of a few people who can testify otherwise. See, e.g., Ross Ulbricht and Christopher Grief, to name a few.


Go to the public library and use a pc there? Or a free wifi in a mall?


See the previous point about Ross Ulbricht (arrested in a public library)


This is where anonymous notification / bug reports are useful, and then follow ups in public if no action after a period of time.


I personally would have said to them "Would you like a fair trade? I've discovered a huge problem in your software that could allow anyone to remotely wipe their debt without you really knowing about it. I'll give that information in exchange for elimination of my debt. The money you'd lose from me is utterly dwarfed by the money you'd save by locking down this security issue, an issue which many bad actors would pay millions for. It makes financial sense and you'd be covering yourself security-wise. Win-win for all involved!"


Sounds like you are threatening them. The idea is OK but the language should be much more subtle to be effective.



