Joshua Rogers, 16, a self-described white-hat hacker, found a security hole in an Australian public transit website and reported it to the site on Boxing Day.
The site, run by Public Transport Victoria (PTV), didn’t respond, so Rogers’ next move was to report it to the media, who in turn contacted PTV, who in response reported Rogers to the police.
Now, the teenager could be charged under Australia’s cybercrime act, reports The Age, an independent Melbourne news outlet.
According to The Age, Rogers hacked the site using an unspecified hacking technique to access a database that held personal data including full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors’ card ID numbers, and nine-digit credit card extracts of customers of the Metlink public transport online store.
PTV was formed in 2012, taking over from the Director of Public Transport and the Department of Transport and taking responsibility from the Metlink online storefront for the marketing of public transport in Melbourne and responsibility for the myki ticketing system.
The site in question is the primary online source for information about train, tram and bus timetables, as well as for current and planned public transport projects.
The Age subsequently reported that about 600,000 entries were found in the hacked database.
On Tuesday, PTV responded to a media inquiry by calling Victoria Police, who began to investigate, enlisting help from the e-crime squad.
PTV reportedly said that the Metlink database had been ‘‘illegally accessed’’ and that it was ‘‘the only known attack on its website’’.
The media outlet that had initially contacted the PTV, Fairfax Media, gave PTV time to secure its site before publishing news about the security hole.
Security experts told The Age that the hole which allowed Rogers to poke his finger into the database is a common, easily patched one.
Should PTV have thanked Rogers for his help in finding the hole, instead of reporting him to the police?
Is it a “breach” when a white-hat hacker finds and reports a hole, or is it a public service?
It’s both, really.
True, a public transportation service such as PTV deserves to be taken to task over leaving an easily fixable hole wide open.
That doesn’t take the onus off of Rogers when it comes to responsible pen-testing, however.
He’s obviously astute enough to know how to hack a site.
He should also be savvy enough about the subject of penetration testing to know that it’s illegal to poke your nose into other users’ data without asking your target first.
When PayPal started its bounty program in June 2012, it laid it out like this: we won’t set our lawyers on you, white-hat hackers, or ask the police to investigate you, if you refrain from, say, attacking us with a distributed denial-of-service (DDoS) attack or poking your nose into other users’ data without asking our OK first.
That certainly seems like a reasonable request.
After all, as penetration testers will tell you, their work is most certainly not a passive, risk-free endeavor.
Pen testers can really mess up a site: crashing servers, exposing sensitive data, corrupting crucial production data or causing other damage by mimicking the actions of malicious attackers.
Rogers is only 16. Hopefully, the authorities won’t come down too hard on him.
Hopefully, they – or somebody – will teach him the lessons of responsible pen-testing and help him along the path to becoming a valuable public asset: i.e., a white-hat hacker who treads carefully, does no harm, and doesn’t cause his targets to freak out while he’s hunting for bugs and trying to help them.
Image of padlocks courtesy of Shutterstock.
23 comments on “Teenage white-hat hacks site, reports security hole, gets reported to police”
Yes but what’s the betting, they don’t help him, and they do prosecute him, and then they have another Hacker menace on their hands, one with a chip on his shoulder.
It’s not clear from the story but did he tell PTV that he would (as part of his commitment to responsible disclosure) inform the media after a period of time?
Also his time frame (a few days a best) is a little short.
Cracking down on these white-hats and ‘putting the lawyers on them’ is only bad for the community. Now instead of being a nice person and letting the company know about their vulnerability, White-hats are STILL going to pen-test and not tell anyone in fear of being prosecuted. Or they’ll anonymously report it on a website where someone who is a little more unethical will hack in and do bad things with the data. These kids who find vulnerabilities should be thanked. What if a ‘black-hat’ found the hole, then you’ll be wishing a nice 16 year old found the loop hole first.
“Hello PTV. I believe there may be a security flaw with your website but without correct testing I cannot be sure. Is this something you would like to discuss, with a view to me assisting you to locate and resolve said potential issue?”
“Hey, um, I just broke in to your website – you probably didn’t see my email over the holidays so I’ve gone to the press who will whip up a storm about your “insecure” IT practices for holding customer data.”
Brought it on himself…
Tragically you are now at risk if you cooperate with authorities.
A readily-available manual for whistle-blowers advises that taking the approach of reporting through official channels “never works”.
If you’re determined to do something make sure it’s not traceable to you. Sad but that’s where we’ve got to.
What if he’d gone into a shopping mall, used a screwdriver to enter a cake shop, removed all the cakes and then reported to the shop owner “You appear to have a weakness in your front door” Then reported it to the mall owner? On the other hand, if he’d gone to the owner of the shop and said “Would you like me to test your security?” and the owner had agreed; there wouldn’t be a crime would there? What if you own a business and a security company does a penetration test on your infrastructure without asking you – and then contacts you using their innovative approach as a selling point? – Personally I would have them in jail before you could say ‘white hat’.
Your response shows just how ignorant and intolerant society has become by retaliating against and punishing young people instead of teaching them.
When a child does something wrong, the effort should be to teach them the right way, not beat them bloody and expect them to be grateful.
If anyone with half a brain were in charge, they would have taken this opportunity to teach the young man about ethics, rather than punishing him for wanting to do something noble, but going about it the wrong way.
By doing so, both he and PTV would have come out ahead. Now it looks like all parties lose.
Your analogy is a little off in this instance, and your argument all the more incorrect because of it. At no point in any of these reports did someone say that the kid had removed data. Essentially what he did was open the unlocked back door, see that they left all the cakes out, free for the taking, along with their unlocked safe and open cash drawers and called and left them a message that they needed to probably lock their doors. He did not spray paint their storefront, steal the cakes, or any number of a host of other things he *could* have done.
Stupid is as stupid does, and that is what the Government Agencies of the this planet are. STUPID! Thanks for helping, please go tot jail now.
Sounds like PTV, rather than admit a mistake and fix the problem of open, accessible customer data, instead redirects the focus onto the young man and his “evil deed”.
PTV should count themselves lucky that he had sufficient wherewithal to report the problem rather than pass along the information to unscrupulous individuals who would have taken advantage of the hole and left PTV officials with more than just egg of their faces.
So the Press are totally scrupulous in Australia now, are they?
Here’s the problem with the “ask permission first” point of view: few companies will let some random hacker test their site for them. PayPal has the right idea: set some ground rules (Hey, don’t take the whole site down) and let people have at it. And they are infinitely more secure because of that.
The thing is, no company thinks they’re insecure; look at what happened with SnapChat – they had to get their asses handed to them with a “theoretical hack” before they took it seriously. Internal security teams can only do so much, they’re bound to miss something. PTV said this was ‘‘the only known attack on its website’’ and with that I call shenanigans. This was the only one they found out about. I’m quite sure their site was compromised before now, they just didn’t discover it because the blackhat(s) who did it weren’t nice enough to send a memo.
Companies I’ve worked for look at security as something they react to, they don’t care a whit about being proactive. “Hey, we’ve been okay for this long, nobody’s hacked us yet. We’re fine.” Then I show them where their weak links are and they shrug their shoulders and say they don’t have the funds to fix it. However, you can bet if they got hacked and it leaked to the media they’d be just like PTV and say it was news to them. If they can keep it under wraps they will just to save face. Now PTV’s been called out and embarrassed publicly, of COURSE they’re going to cry foul.
Let’s be honest, this is not White Hat – its more gray hat than anything. He wants to be a White Hat – but in so doing, needs to learn to not actually download anything. Finding a hole, yes, fine, using that hole to get data – crossed the line from White to Gray. It pains me to see someone go through this, but it may be a needed lesson to teach other young people that you don’t cross that line if you call yoruself a white hat.
I hope they go easy on him, and I hope the majority of people also see that “White Hat Hackers” need to live by a very high set of standards – do NOT download without permission. Find the hole, then stop and report.
That’s exactly what happened – he found the hole and thats all. It doesn’t say he downloaded anything.
Unfortunately a ‘white hat’ cannot just attempt to hack someone else’s site/network/server without breaking the law – it’s illegal regardless of the intention.
How many of us would be happy if random nameless ‘white hats’ started poking through servers holding our medical records, our financial details, and maybe accidentally damaged a few companies’ systems along the way?
Of course, being only 16, it’s unlikely anyone would have taught him this and I hope the prosecution takes that into account.
It was irresponsible of PTA to NOT respond to the youth when he tried to tell them about their hole. They should have thanked the youth, fixed their hole and went back to work. Now they look like idiots… Hmmm, wonder why that is?
The issue I see here is this, if it was that easy to break into their network, does PTV have any proof that their network has not been breached before. I bet they don’t as they did not know this issue existed. There is hardly any reporting requirements in Australia for breaches. So the horse may have already bolted without anyone knowing it. How does PTV resolve this issue? Just follow the principle of unknown unknowns.
Joshua Rogers did PTV a favour by notifying the site of a security hole in their so called secure site. yet PTV intend on prosecuting this lad for showing PTV the error. What a bunch of idiots these people are, the very least they could do is to hire this lad who can help in keeping the site safe as it is obvious the skills of their security is not good enough.
My suggestion to you PTV is to hire this lad as he knows more than your security personnel. what a shamm your company must be.
I understand he may have broken the law but I agree with what the majority of the comments say. He is a kid and this should be seen as a teaching experience. The fact that they didn’t respond to him and didn’t report him until after he got the news involved shows it was only a way to retaliate and take pressure off of themselves. When did it become okay for a corporation to screw up a child’s life because they don’t want to answer for their mistakes. Could he have handled it differently, of course. But the same can be said of PTV. He is sixteen, what’s their excuse?
Firstly, a minor correction: The Age is not an “independent” newspaper. It is owned by one of Australia’s two major newspaper companies (the other being run by some guy by the name of Murdoch).
Now to the serious stuff. The real problem here is that it isn’t clear to computer users what will happen if they do happen to identify an insecure system. Is the kid someone who found a vulnerability, reported it to the company and then – when he got no response – used it to publish sensitive information? Is he someone who was fiddling around with some new-found skills, and did something he ought not? Was he planning to write a school report for his IT class?
Certainly the “short time” between identifying a vulnerability and notifying the press is totally unsurprising for a sixteen year old. At that age, days of waiting can feel like weeks or months (actually, they can even into your forties – but by then most of us have learned that we need to wait).
The proper solution should have been for the company to contact the guy, say “can you give us more information, and by the way you’re a very naughty boy here is what the law says”, and consider offering him a job. Instead they have chosen the “we want some bad PR by doing nothing, and then we’ll follow it up with worse PR by siccing the cops onto him”.
Very smart. Let’s discourage people from giving the information to the people we would want them to give the information to (yes including the media, once the site owners ignore the report as expected).
Then that information can fall into the hands of or be discovered independently by black-hatters instead. Bravo.
As a bonus, it might drive some people away from being white-hatters to begin with. Brilliant.
Sorry to most the posters but you are roasting PTV for reporting a breach?
There is a requirement for Government and Semi-Government groups to report all Cyber related incidents to the ASD and in most cases the State authorities.
Also, if PTV does not have the skillsets at hand to investigate the hack then they do need to call in someone (in this case VP and the eCrime group) – Do you expect them to just leave it at “oh we were hacked” without checking to see if other access attempts were made, or if other areas where accessed?
Also, in my own view, I think a few of commenter’s have vary loose views on what is “White-Hat”. The lad accessed another person/site using an exploit in a manner that is not standard access to reach data/information that was not readily available to the general user WITHOUT permission nor accidental. His actions post that point place him more into “Grey Hat” than “Black Hat” but certainly not “White Hat”
Somewhat tongue in cheek to the reference of the cake shop doors – sure, you might have found the back door open and went inside and checked, but if you happen to get nabbed (or rocked up to the owner) later on with a set of lockpicks, torch and jimmy then chances are you are going to get done as ‘going equipped’, good intentions or not.
Someone should ask PTV if they would have responded to an adult security professional in the same manner.(I think not) We should be grateful for any and all help with respect to securing user privacy and information. PTV’s IT unit is clearly embarrassed that a “KID” found this vulnerability in their systems…But this response is totally wrong… Maybe the should consider hiring this “KID” to deal with security as it is clear that PTV’s IT unit is not up to the job…