Australian Teen Reported To Police After Exposing Security Hole In Website

by Jonathan Wolfe

A 16-year-old was reported to police after doing what he thought was a good deed.

The teen, Joshua Rogers, is a self-described “white hat” computer security researcher. Rogers tries to hack websites with the sole intent of exposing security weaknesses in the site. Typically these weaknesses are reported and fixed to prevent future hackers with ill intentions from entering the site.

On December 26th, Rogers was able to hack the database of the Victoria, Australia Transportation Department website. He was able to see the full names, addresses, phone numbers, dates of birth, and partial credit card numbers of passengers who use the site.

He immediately reported the security weakness to Public Transport Victoria (PTV), but his report went unanswered. Since the government was ignoring his report, he took it to The Age newspaper in Melbourne.

Once The Age contacted PTV about the report, government officials reported Rogers to the police. The Age does not say whether the police have taken any legal action against Rogers at this time.

Still, a number of tech researchers have come forward saying that it’s disappointing that the government is choosing to punish researchers who are trying to help them out.

“It's truly disappointing that a government agency has developed a website which has these sorts of flaws,” said Phil Kernick of the cyber security company CQR. “So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”

Ty Miller, director of Threat Intelligence, a group that locates and reports security flaws in websites, says the information stored on PTV’s site is the exact type of information routinely sought out by hackers.

“Most of the stuff is personally identifiable information that is often used for things like identity theft,” Miller said. “...for example, ringing up your bank, and then answering their basic questions - like, 'what's your birthday, what's your address'. That then allows you to maybe reset a password for internet banking and then make fraudulent transactions.”

As Slate writer Kim Zetter notes, governments have a long history of punishing hackers whose only intent was to help an organization by exposing security flaws in its website. U.S. hacker Andrew Auernheimer is currently serving a three-and-a-half-year prison sentence after he and a friend discovered and publicized a security hole in AT&T’s website.

Sources: Slate, Sydney Morning Herald

Photo credit: Simon Schluter