After Patrick Webster found a glaring security vulnerability in his bank's website, he did a quick test to see if the bug could be exploited, and then disclosed the flaw to the bank to keep account holders (himself included) from becoming cybercrime victims.
Webster, an Australian IT worker, probably thought the bank, First State Super, would be appreciative of his effort and ethics. Maybe the company would reward him for his support, the way Facebook and Google pay independent researchers a bounty for finding bugs in their programs. He certainly didn't expect to be turned in to the police and treated as a criminal.
In September, Webster found a security flaw in First State Super's website that left it open to attack simply by changing a single digit in the URL in the browser bar. The security firm Sophos wrote that Webster developed a proof-of-concept script to exploit the flaw; he downloaded 568 account statements "and then promptly" deleted the stolen information before contacting his bank and disclosing the vulnerability.
On Oct. 14, Webster received a letter from Minter Ellison, First State Super's law firm, which told Webster that the vulnerability testing he had conducted was considered a criminal act. The law firm told Webster that he had been reported to the New South Wales police, that his own account with the bank had been suspended, that the bank's IT staff had the right to examine his computer and that he would potentially have to pay for the bank to fix the security flaw he had warned them about.
Patrick Gray, on the security site Risky.biz, found this scenario slightly off-putting. "If Webster had planned to do something untoward with the information he obtained in his four minutes of testing, why would he inform the company of their security issue?" Gray wrote. "Why would he now retain the member information he was trying to protect by reporting the bug in the first place?"
Gray compared the bank's aggressive response with the decidedly more appreciative stance taken by sites such as Facebook and Google.
"If he'd found the bug in a Facebook or Google Web application, Webster would have actually received compensation for his time, not [been] reported to the police and threatened."
First State Super took to its website to explain its stance on the matter. The bank wrote, "While he [Webster] immediately contacted us and disclosed his actions, claiming that his objective was to highlight a security weakness, not to commit fraud, his actions were nevertheless a serious breach of privacy legislation and First State Super was obliged to report the matter" to the police.
"Subject to his compliance and cooperation in ensuring that the unauthorized statements he downloaded have been destroyed, we have no intention of taking any other action against him," the bank said.