
Thread: In need of some advice!

  1. #1

    In need of some advice!

    Hey,

    Last week I went for a job interview with this company who were looking for a Web Admin for their website. They have around 100 stores in the UK (I think) so are quite big.

    I find out tomorrow if I have got the job or not but all seemed very positive at the interview. (So fingers crossed)

    The woman who currently does the job has gone for an internal promotion and got it. She had no experience in running a website prior, so learnt on the job.

    Now, last night I was doing a bit of research into the website, just seeing what I would change/improve, looking at spaces in advertising they're missing. They currently spend £3,000 a month on the web site and I think a lot of it is being wasted, so I wanted to see what free solutions to bring in more traffic there were and better ways to spend that money in things like SEO. After a bit I thought I'd just check how secure the website was. Obviously thinking that it would be pretty well secured.

    Well after 5mins I was in. Had customer records, orders, transaction details up. I was shocked!
    First thing I wanted to do was warn them! But then I thought maybe it's not such a good idea. I might be jeopardizing my chances of getting the position. They may think I am some kind of hacker and hacking is illegal after all. Then again I thought maybe it might strengthen my case for the job.

    I am not quite sure what to do. Obviously they deserve to know about this major security hole in their site, but do I wait and find out if I have the job? And what if I don't get the job, do I just not tell them?

    Some advice would be great!

  2. #2
    Splash
    Guest

    Re: In need of some advice!

    Tell them, but be sure to do it in a frank and open manner (i.e. be sure to give them details of how you got in, and be prepared to demonstrate weaknesses *particularly* if their auditing didn't flag this up). Do NOT try to use it as grounds for negotiating salary etc, as that can easily come across as threatening. If they then use that as a reason to refuse you the job, would you really want to be working there?

  3. Received thanks from:

    Ramedge (29-10-2008)

  4. #3
    ho! ho! ho! mofo santa claus's Avatar

    Re: In need of some advice!

    I'd go very carefully if I were you. What you have done is illegal and it may have more ramifications than just this job. If you get the job, sort out the security pronto. If you don't, I would tell them anonymously that they have a problem; don't be too frank about all the access you have had or it could backfire on you.

    And keep your sticky little fingers away from hacking in future or you may get a visit from 'people' and someone in your line of work ought not to be breaking in to things no matter how well-intentioned your motives.

  5. #4
    Does he need a reason? Funkstar's Avatar

    Re: In need of some advice!

    I wouldn't say anything about it. Only if you get the job, then say something.

    But otherwise you could end up with more trouble than just not getting a job with them.

    http://it.slashdot.org/article.pl?sid=08/10/28/0436243

    This is not the first time this has happened.

  6. #5

    Re: In need of some advice!

    Originally posted by santa claus:
    > And keep your sticky little fingers away from hacking in future or you may get a visit from 'people' and someone in your line of work ought not to be breaking in to things no matter how well-intentioned your motives.

    Yeah, I know, thinking about it now I should never even have thought of/attempted it.
    It was a bit stupid. If only I wasn't so bored last night!

    Originally posted by Funkstar:
    > I wouldn't say anything about it. Only if you get the job, then say something.
    >
    > But otherwise you could end up with more trouble than just not getting a job with them.
    >
    > http://it.slashdot.org/article.pl?sid=08/10/28/0436243
    >
    > This is not the first time this has happened.

    Yeah, I read about this. It doesn't seem fair. Obviously that kid did play the good citizen and informed people concerned.

    I guess I'll just pretend it never happened unless I get the job.

  7. #6
    HEXUS.social member finlay666's Avatar

    Re: In need of some advice!

    Originally posted by Splash:
    > Tell them, but be sure to do it in a frank and open manner (i.e. be sure to give them details of how you got in, and be prepared to demonstrate weaknesses *particularly* if their auditing didn't flag this up). Do NOT try to use it as grounds for negotiating salary etc, as that can easily come across as threatening. If they then use that as a reason to refuse you the job, would you really want to be working there?

    I would also point out it may come across as blackmail.

    Also, I would, if possible, show how to secure this problem if you know how; it would show better knowledge than the previous employee.

    As for seeing the security of something... it depends what you did. If you just waltzed in they can't do much really, but if you were editing PHP requests or anything like that I would say it's dodgy.

  8. Received thanks from:

    Ramedge (29-10-2008)

  9. #7
    Don't feed the trolls... tiggerai's Avatar

    Re: In need of some advice!

    Can you not just report it to them anonymously?

  10. #8

    Re: In need of some advice!

    Keep it quiet for now.

  11. #9
    IBM

    Re: In need of some advice!

    Hell, I'd be right in there pointing out the flaws, listing what you did as part of your preparations for the position.

    Just start it off with 'as part of my day to day responsibilities I regularly had to check the security of websites. I implemented some of the procedures against your site for research purposes and revealed the following'.

    If it's a manager worth their salt they'll love you for it. And you weren't hacking, you were 'testing existing security systems'.

  12. Received thanks from:

    Ramedge (29-10-2008)

  13. #10
    Seething Cauldron of Hatred TheAnimus's Avatar

    Re: In need of some advice!

    You've got to make it obvious that you weren't conducting a security audit, or any type of penetration testing.

    This was just a regular everyday-style review as to what they currently have in place, so you better understand the role you're applying for.

  14. Received thanks from:

    Ramedge (29-10-2008)

  15. #11
    Mblaster

    Re: In need of some advice!

    Personally, I'd keep it quiet for now, and if you get the job you can say that you found the weakness during penetration testing; it should make a good impression if you're having a significant impact early on. If you don't get the job then you can decide if you want to notify them anonymously or not.

  16. Received thanks from:

    Ramedge (29-10-2008)

  17. #12

    Re: In need of some advice!

    Thanks guys,
    It was purely a walk-straight-in jobby. No SQL injection attacks, no flooding, no editing PHP requests.
    I would never dream of going that far unless it was a site of my own that I was testing.

    IBM, your advice is particularly interesting as I know you're a developer. However, the majority of people seem to think it is best to keep this quiet.

    I did have a look around on the internet and from what I have read companies can be liable for prosecution under the Data Protection Act for not securely protecting their customers' data. So potentially I could be saving them from some kind of prosecution in the future. That is if it's true.

    It's too late to do anything now. Will know if I get the job tomorrow afternoon. Will just have to see.

  18. #13
    ho! ho! ho! mofo santa claus's Avatar

    Re: In need of some advice!

    Originally posted by IBM:
    > Hell, I'd be right in there pointing out the flaws, listing what you did as part of your preparations for the position.
    >
    > Just start it off with 'as part of my day to day responsibilities I regularly had to check the security of websites. I implemented some of the procedures against your site for research purposes and revealed the following'.
    >
    > If it's a manager worth their salt they'll love you for it. And you weren't hacking, you were 'testing existing security systems'.

    You think so? Won't the managers be thinking about what else Ramedge might see as his "day to day responsibilities"? He might like to crack their payments system once he's on the inside, for example. A manager might also question Ramedge's loyalty, say, if he was given a better offer by a rival competitor, as his approach to date might be seen as maverick. People with IT skills are two a penny these days; managers don't need to take risks to get good employees. I reckon one whiff of malpractice and you can kiss goodbye to this job and perhaps others.

    Don't queer your pitch Ramedge; you may become unemployable in your field of skill rather quickly.

  19. Received thanks from:

    Ramedge (30-10-2008)

  20. #14
    IBM

    Re: In need of some advice!

    Santa Claus ... your elves must hate working for you. Paranoid old sod.

    He's a web admin.... managers who don't have a clue how to test an individual's technical ability cannot help but be impressed by his technical insight over existing issues on their website. Maybe I'm used to operating at a level where you don't really have a choice, you have to trust the people you're employing, but I'd rather have someone on my staff that knows what the problems are and has a good idea how to fix them than someone with half a clue and trying to fight a rear guard action.

    I guess it all comes down to how you present what you've done. If you can't do it without giving the impression that you're doing it maliciously, then you should keep quiet. The fact that Ramedge is asking for opinions makes me think that he'd approach the matter delicately.

    Anyway, too late now. All the best Ramedge, hope you get it.

  21. Received thanks from:

    Ramedge (30-10-2008)

  22. #15
    ho! ho! ho! mofo santa claus's Avatar

    Re: In need of some advice!

    Originally posted by IBM:
    > Santa Claus ... your elves must hate working for you. Paranoid old sod.
    >
    > He's a web admin.... managers who don't have a clue how to test an individual's technical ability cannot help but be impressed by his technical insight over existing issues on their website. Maybe I'm used to operating at a level where you don't really have a choice, you have to trust the people you're employing, but I'd rather have someone on my staff that knows what the problems are and has a good idea how to fix them than someone with half a clue and trying to fight a rear guard action.
    >
    > I guess it all comes down to how you present what you've done. If you can't do it without giving the impression that you're doing it maliciously, then you should keep quiet. The fact that Ramedge is asking for opinions makes me think that he'd approach the matter delicately.
    >
    > Anyway, too late now. All the best Ramedge, hope you get it.

    I'm not paranoid, honest. I was just thinking out loud to give Ramedge a few angles to consider. I see what you're saying. Yep, good luck Ramedge.

  23. #16

    Re: In need of some advice!

    Yep, a few angles was what I was after. Thank you all very much for the advice. It's put my mind at ease. I was close to letting them know earlier today but I'm glad I posted the situation here instead.
    Oh well, just wait for the dreaded phone call now.
