LG/Netflix Rebate Site Exposes User Data With AT&T-Esque Hole [Updated]

from the self-hacking? dept

[Update: hole has been closed by ACB’s IT team]

The Computer Fraud and Abuse Act is so severely flawed that people are extremely hesitant to report security holes in websites, especially after witnessing what happened to Weev (Andrew Auernheimer), who went to jail for exposing a flaw in AT&T’s site that exposed user info when values in the URL were incremented.

The same fear shows in this submission from an anonymous Techdirt reader, who sent in a link to a post in the Computer Security subreddit along with this note:

“I remember a person was recently arrested for finding this same flaw in a website and told (at&t/apple??) about it. He was arrested and jailed if I remember right. This is the type of chilling effect that comes when people view techies as hackers and are arrested for pointing out flaws.

The flaw is in:


By changing the number at the end you can harvest personal info.

I won’t report the flaw, I could go to jail.”

Is that overdramatic? Doubtful. People have reported security flaws to companies only to have these entities press charges, file lawsuits or otherwise tell them to shut up. Weev’s only out because the government’s case was brought in the wrong venue. The CFAA, which has been used to punish many helpful people, is still intact and as awful as ever.

As the (also anonymous) redditor points out, he or she has tried to contact the company but has found no avenue to report this security hole, which exposes the names, addresses and email addresses of customers sending in claims for a free year of Netflix streaming that came bundled with their purchase of an LG Smart TV. Incrementing the digits at the end of the URL brings up other claims, some with images of receipts attached. In addition, anyone can upload support documents to these claims.

Here’s a screenshot of the hole in question:

As the original poster points out, with a little coding, someone could put together a database of addresses that most likely house a brand new LG Smart TV. And this may not just be limited to LG. ACB Incentives is the company behind this promotion, and it handles the same sort of online rebate forms for a variety of companies. These rebate submission sites all branch off acbincentives.com, which could mean it’s just a matter of figuring out how each one handles submitted claims, URL-wise.
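The flaw described above in miniature, as an added example that is neither ACB's code nor from the original post: a claim lookup where the claim number in the URL is the only check, beside a version that requires a login and verifies ownership before reading a claim or attaching a document to it. The `Claim` type, the sample records and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Claim:
    claim_id: int
    owner_email: str
    name: str
    address: str
    documents: list = field(default_factory=list)


# Constructed sample data with sequential IDs, as on the rebate site.
CLAIMS = {
    1001: Claim(1001, "alice@example.com", "Alice Example", "1 Main St"),
    1002: Claim(1002, "bob@example.com", "Bob Example", "2 Main St"),
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def lookup_claim_vulnerable(claim_id, session_email=None):
    """The flawed pattern: the number in the URL is the only 'credential'."""
    return CLAIMS.get(claim_id)


def lookup_claim(claim_id, session_email):
    """Hardened: demand a logged-in session and check the record belongs to it."""
    if session_email is None:
        raise Unauthenticated("login required")
    claim = CLAIMS.get(claim_id)
    # "Missing" and "not yours" collapse into one error so an ID walk learns nothing.
    if claim is None or claim.owner_email != session_email:
        raise Forbidden("no such claim for this account")
    return claim


def attach_document(claim_id, session_email, filename):
    """Uploads run through the same ownership check as reads."""
    claim = lookup_claim(claim_id, session_email)
    claim.documents.append(filename)
    return len(claim.documents)


def readable_by(lookup, session_email, id_range):
    """Count the claims a caller walking an ID range can read with a given lookup."""
    count = 0
    for cid in id_range:
        try:
            if lookup(cid, session_email) is not None:
                count += 1
        except (Unauthenticated, Forbidden):
            pass
    return count
```

Walking the same ID range against both lookups shows the difference: the vulnerable version hands every record to an anonymous caller, the hardened one hands each logged-in customer only their own.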

Now, I’ve contacted the company to let them know. Amanda Phelps at the Memphis branch says she’s bringing it to the attention of programming. I also let her know that it may affect other rebate pages but that I can’t confirm that. We’ll see how quickly this is closed*, but all in all, the people at ACB seemed to be concerned and helpful, rather than suspicious.

*Very quickly, it appears. See note at top of post.

But the underlying point remains. Many people who discover these flaws aren’t criminals and aren’t looking to expose the data of thousands of unsuspecting users. They’re simply concerned that this is happening and often incredulous that major companies would be this careless with customers’ data. That the kneejerk reaction has often been to shoot the messenger definitely gives those discovering these holes second thoughts as to reporting them, a hesitation that could allow someone with more nefarious aims to exploit the exposed data. The law needs to change, and so does the attitude that anyone discovering a flaw must be some sort of evil hacker — or that the entity must do whatever it takes, even if it means throwing the CFAA at someone, just to prevent a little embarrassment.

Companies: acb incentives, lg


Comments on “LG/Netflix Rebate Site Exposes User Data With AT&T-Esque Hole [Updated]”

Ninja (profile) says:

If electronic flaws were the only thing not getting reported due to fear of getting charged and possibly arrested. It’s not particular to the US. I’ve commented before but if you want to avoid legal issues most people will avoid reporting crimes they witness, help victims of car accidents or even crimes, report electronic flaws, expose corporate corruption, expose public corruption…..

The smart ones are using it to get rich in criminality or corruption. For those that refuse to get dirty, you either keep quiet or report fully anonymously. Or risk having your life destroyed.

Anonymous Anonymous Coward says:

Strange Journey

I think this was done right. Rather than contact directly, as anonymously as possible you post the exploit and allow a third party to contact the appropriate people. Difficult, I know, but so long as that anonymity holds up, there is no one to charge via the CFAA. Why such a strange journey?

Now if there could be a rule, a messenger test if you will, such as ‘if messenger = true; don’t shoot’ then we could straighten out a whole bunch of things, like parts of the CFAA, whistleblowing, journalism, etc.

Anonymous Coward says:

This is why I don't report ANYTHING any more

The first problem is communicating. Most sites have their fingers in their ears trying very hard not to listen to anybody. Go ahead, try “security@” a domain of your choice — your bank for example. Good luck.

The second problem is reaching someone who understands what you’re saying and/or gives a damn.

The third problem is that their response is likely to be denial, denial, denial.

The fourth problem is that their next response is likely to be “call the FBI”.

I’ve observed all kinds of problems — some pretty small and inconsequential, some maybe not — but my reaction is never to report them. I just stop doing business with whoever-it-is and quietly move on. I never report them, never exploit them, never do anything but walk away.

Until the CFAA is repealed — not fixed, it’s unfixable — I’m sure I’m not the only one with exactly this attitude. Which means that we’re all much less secure than we could be. Oh well.

Roger Strong (profile) says:

Chilling effect

In December I did a Google search on my apartment building address. One of the first links returned was a database entry in text format, from RentCanada.com. It contained a tenant’s name, Social Insurance Number, birth date, driver’s license, email address and everything else needed for identity theft.

The URL ended in a record ID number, and I have no doubt that simply changing the number would pull up other tenants’ information. I didn’t test that, even though a proper bug or security issue report should include that test. I’ve read accounts of people doing exactly that, only to be arrested when they properly reported the bug.

Having pulled up only the initial record and no more, I felt it safe enough to report the issue. And to later report it to the press if it wasn’t fixed. But I can’t say that I wasn’t nervous. I emailed the company and cc’d the tenant.

Fortunately the company emailed me back within minutes. The information was taken down, though it would still appear in Google’s cache for a while. And so I didn’t contact the press.

Apparently the tenant disagreed, and it made the news anyway.

Details available on request if needed.

That One Guy (profile) says:

Re: Chilling effect

Apparently the tenant disagreed, and it made the news anyway.

So the tenant was worried about their information going public, so they contacted the press about it, ensuring a whole ton of eyes on them and any of their information that might be available.

Brilliant. /s

Morons like that are part of the problem, as if a company knows that they’ll be blamed whether they fix a problem or not, it’s easier to just hush it up and attack those that try and point out the security holes.

Roger Strong (profile) says:

Re: Re: Chilling effect

So the tenant was worried about their information going public, so they contacted the press about it, ensuring a whole ton of eyes on them and any of their information that might be available.

That’s another reason why I was hesitant to go to the press.

But on the other hand, who knows how long the information was on-line? I stumbled across it with a search on my address. No doubt the identity theft crowd knows how to search specifically for any SIN#’s or driver’s license numbers inadvertently left online.

One has to assume that the cat was already out of the bag.

(Well. Those whose data was exposed have to assume it. But apparently, other than the one I cc’d, they were never informed.)

Roger Strong (profile) says:

Re: Re: Chilling effect

Well, yes and no.

You can use the robots.txt file on your web site to tell search engine web crawlers which pages and directories should not be publicly accessible. Nothing says that a web crawler has to honor it.

In doing so, you’re telling malicious web crawlers where to find the interesting stuff. That includes directories that they might have no other way of knowing about.

I’d be frankly astounded if there isn’t a search engine or ten out there that doesn’t specialize in or filter for “Disallow” results.

John Fenderson (profile) says:

Re: Re: Re: Chilling effect

All true, but I was talking about Google’s crawlers, which absolutely do honor robots.txt.

However, there are other measures to stop crawlers outside of robots.txt that are almost completely effective and don’t rely on the crawler being well-behaved. If a site deals with sensitive information, it should be taking those measures. If it’s not, that’s a serious security flaw.
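A check in the spirit of the last two comments, added here and not from any commenter: robots.txt only asks crawlers to stay away, and it publicly lists the paths it names, so a site audit should confirm that every Disallowed path is also behind a real access control such as a login. The robots.txt text and the route table below are constructed, and `parse_disallow` and `unprotected_disallows` are assumed helper names.

```python
# Constructed robots.txt for a site that keeps tenant records behind a "Disallow".
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /tenant-records/   # record dumps in text format
Disallow: /tmp-export
Allow: /public/
"""

# Constructed route table: path prefix -> whether the server requires a login there.
# "/tenant-records/" and "/tmp-export" are the weak settings: advertised in
# robots.txt yet served to anyone, which is exactly the gap the comments describe.
ROUTES = {
    "/admin/": True,
    "/tenant-records/": False,
    "/tmp-export": False,
    "/public/": False,
}


def parse_disallow(robots_txt):
    """Return the Disallow path prefixes found in a robots.txt body.

    Comments (# ...) are stripped and an empty Disallow (which means
    'allow everything') is ignored. User-agent groups are not distinguished,
    since the audit cares about every path the file reveals.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value:
            paths.append(value)
    return paths


def unprotected_disallows(robots_txt, routes):
    """Paths advertised in robots.txt that the route table serves without a login."""
    return [p for p in parse_disallow(robots_txt) if not routes.get(p, False)]
```

Any path this returns is one where the only thing standing between a record and the public is a crawler's good manners.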
