from the this-is-why-white-hats-go-black dept
But the company that runs the fund, Pillar, went quite crazy about this. While the company did fix the security hole, it also sent the police to interrogate the security researcher, Patrick Webster. Pillar also sent a letter to customers (pdf) in which it suggests that Webster created this massive security flaw, rather than their own dreadful programming:
It has come to our attention that a member of First State Super, who has online access to their account, devised a way to view an image of your statement.

And then, to add insult to injury, Pillar sent Webster a letter saying he broke the law, they were closing his account, and may seek money from him to fix the vulnerability:

Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.

Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.

In addition, the Trustee reserves its rights to require you to allow it's (sic) IT personnel to examine your computer during business hours to verify that all data and records on your computer have been destroyed or deleted.

In the meantime, the Trustee has suspended your online access to the Member Section of the Fund's website.

Yup. Help Pillar out, uncover a basic programming/security mistake that puts the info of tons of people at risk, and get punished. Pillar apparently prefers to have people never report any problems they find with its system at all, keep its head in the sand, and instead allow malicious hackers to run wild through a totally insecure system. Brilliant work.