Researcher who found security flaw threatened by firm he was trying to help

South of the Equator, a yawning security hole is swirling responsibility backwards to the bug finder.

It surely amounts to the Coriolis effect.

Yes, children, it’s true: In Australia, flushing insecure bugs out of the toilet drain of investment fund companies results in all the responsibility flowing counterclockwise, completely opposite to that of rational Northern Hemisphere nations where white-hat researchers are lauded and well-remunerated for uncovering ridiculously simple coding errors. (Or not.)

To wit: After Australian security researcher Patrick Webster recently alerted his investment fund, First State Super, to a glaring, blaring security lapse – a lapse so duh-licious, it ranks at #4 on OWASP’s top 10 list of application security risks – he was thanked with a legal threat and notice that he just might be billed for the security fix.

As brought to light by Patrick Gray on, First State Super’s law firm on Oct. 14 sent Webster a letter demanding that he turn over his computer.

According to Gray’s account, First State Super threatened to track down the costs incurred “in dealing with this matter” if Webster does not agree to delete all information he obtained by demonstrating the flaw and promise to never attempt to access other member information again.


Webster’s sin was to uncover the fact that his pension fund allowed logged-in members to access their online statements via what’s known as direct object reference, wherein other members’ statements could be accessed by changing a single digit in the displayed browser URL.

Webster says that he cooked up a script to demonstrate the flaw to the investment fund’s IT staff, downloading some 500 account statements and then promptly deleting the information in September.
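The flaw described above, shown from the fund's side as an added example (not code from First State Super, Pillar or Webster): a statement handler that trusts the ID in the URL, the same handler with a per-object ownership check, and a log check that flags a member requesting several statements that are not theirs. The member names, statement IDs, function names and threshold are all constructed for illustration.

```python
# Constructed data: statement id -> (owning member, statement body).
STATEMENTS = {
    1001: ("alice", "statement for alice"),
    1002: ("bob", "statement for bob"),
    1003: ("carol", "statement for carol"),
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""


def get_statement_vulnerable(session_member, statement_id):
    # The flaw as described: being logged in is the only check, so
    # whatever id appears in the URL is served to any member.
    if session_member is None:
        raise Forbidden("login required")
    return STATEMENTS[statement_id][1]


def get_statement_checked(session_member, statement_id):
    # The fix: authorise the object itself, not just the session.
    record = STATEMENTS.get(statement_id)
    # Same error for "missing" and "not yours", so ids cannot be probed.
    if session_member is None or record is None or record[0] != session_member:
        raise Forbidden("statement not available")
    return record[1]


def flag_enumeration(access_log, threshold=3):
    """Return members who requested >= threshold statements they do not own."""
    foreign = {}
    for member, statement_id in access_log:
        record = STATEMENTS.get(statement_id)
        if record is None or record[0] != member:
            foreign.setdefault(member, set()).add(statement_id)
    return sorted(m for m, ids in foreign.items() if len(ids) >= threshold)


# Constructed access log: (authenticated member, requested statement id).
SAMPLE_LOG = [("alice", 1001), ("bob", 1002), ("carol", 1001),
              ("carol", 1002), ("carol", 1003), ("carol", 1004)]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```
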

Here’s the company’s rationale for not only closing his pension fund but also for potentially sending Webster the bill for the security fix:

Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.

Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.


In addition, the Trustee reserves its rights to require you to allow its IT personnel to examine your computer during business hours to verify that all data and records on your computer have been destroyed or deleted.

In the meantime, the Trustee has suspended your online access to the Member Section of the Fund's website.

No good deed goes unpunished. But one would hope that most good deeds go without prosecution against the good-deed-doer.

One would most fervently hope that most good deeds don’t result in companies with No.-4-On-The-OWASP-Lame-O-Meter scale sending lame-ass demands to punish those who would point out the insufficiency of their security practices. But one would be hoping in vain, evidently.

It’s ironic that this news crosses my desk on the same day in which I had a conversation with Akamai’s Josh Corman about the subject of how, in these post-Anonymous days, we have arrived at a place wherein organizations are becoming more transparent about their victimization through security breaches.

“Looking across the swaths of security compromises both in the security and the non-security industries in the last 12-18 months… [and] watching incident response and public relation successes and failures,” Corman has noticed that the current state of predation by Anonymous, LulzSec et al. is forcing the industry to re-evaluate best practices for communicating breaches.

“I think there’s a shift from ‘keep quiet and hide it’ to more modern expectations from the installed base,” he said.

In other words, we’re seeing more transparency about what happened in a given security breach and how the situation was attended to. It’s an evolution to a new set of best practices in crisis management, Corman explained.

Are things better? More transparent? In the Northern Hemisphere? Not in Australia?

This isn’t even a question of lack of transparency, of course, not a question of a company going mum and hiding under a rock. No, this is a situation in which the company is hurling the rock at an innocent researcher’s head.

The Anonymous Coward remarked that the first thing you have to understand is that “Australia is hilariously backward when it comes to understanding communications, computers, and the internet.”

I don’t think Australia would agree with that.

But in this instance, something’s certainly flowing backwards.

And if Mr. Webster sets up a legal defense fund, let us all step forward and send a bit of coinage down under, in support of his efforts to point out a simple security error before people’s funds were compromised, and to attempt to rectify the cockeyed misdirection of police time and the backwards misflow of blame.

Update: First State Super has updated its website with a statement about the incident – notifying its broader customer base of the security issue – and explaining that it plans to take no further action against Webster.