Well.. I never...

[gotica.livejournal.com]

[06:27] Gotica: rarr rarr rarr
[06:35] SO#2: rarrr
[06:35] Gotica: oh my farking fod
[06:35] Gotica: err
[06:35] Gotica: god
[06:35] SO#2: what?
[06:35] Gotica: I googled an error for one of our internal systems on the off chance that there would be something out there...
[06:36] Gotica: I farking found GOLD... GOLD I tell you
[06:36] SO#2: *giggles*
[06:36] Gotica: Another airline has all their IT documentation open to the outside world.
[06:36] SO#2: wow nice
[06:36] Gotica: Including their internal forms and details on their servers, proceedures etc.
[06:36] Gotica: and it helped solve my problem XD...

Obviously I'm going to do the right thing, drop their manager an email (or call, the phone numbers are published too) and find out if they're aware of their faux pas.

But before I do, I'm collecting anything that will help me in my job (is that bad?).

Comments

[brotherflounder]

Hoo boy.

At least you know they're in compliance with SOX by having this documented somewhere.

[hamsterhotep.livejournal.com]

The question is, can you yoink it all and post it to a public forum anonymously?

[kalium.livejournal.com]

Well. It's the same thing we all do. Hell, I've done it.

"Ooh, shiny! Material that shouldn't be seen by the public! I should tell them. After I make a copy for myself..."

[mouser.livejournal.com]

Wait!

There's an SECOND option? Really?

[kalium.livejournal.com]

Sure.

Some people skip the 'tell them' bit.

[ptomblin-lj.livejournal.com]

So, do they have any SQL injection attacks exposed as well?

[gotica.livejournal.com]

Don't know but since reading we can add admin passwords, pin codes and a few other things to the list.

[kalium.livejournal.com]

You should be able to get a few beers out of this, if nothing else.

And a DailyWTF posting.

[jecook]

O.O

I'd snag a copy on General Principles. I'm sure Google has already. *snicker*

[gotica.livejournal.com]

I believe they do already ;)

Got a copy of what we can use, the rest is pointless unless I want to destroy the company. Plus my boss has a couple of contacts within that company ironically.

[typhoid.livejournal.com]

My last job at a school district something stupid like that. Including all emails sent to listservs, including Special Education data (oy vey private data!). It took me two HOURS to get anyone to believe me, and they finally started working on it.

They never thanked me.

[klfjoat.livejournal.com]

Yeah, in that email, you might want to mention SOX and possibly even PCI if there is any disclosure of credit card-processing-related items.

Oh, and suggest they get a vulnerability assessment, application test, and an external penetration test or two. Just for good measure.

The pitiful thing is, they're not the only ones who expose data like this. I see it all the time in banks and credit unions.

[gotica.livejournal.com]

I know if they're stupid enough to do that they should get burnt, but its terrible to see the consequences for the organisation just because of someones oversight.

[klfjoat.livejournal.com]

In a proper environment, with security designed in, at a large company one person's fuckup shouldn't allow sensitive data to be exposed like that.

There are larger institutional issues if that's the case.

[klfjoat.livejournal.com]

Oh, and then there's the idea that you could read through the documentation, and point out how the breach you discovered violates such-and-such policy of theirs.

[wxgeek.livejournal.com]

No. No, it isn't.