I recently visited the website for a large, reputable company which serves a malicious script (it's a knockoff of one of the major analytics apps, with an inconspicuous, intentional typo in the source URL). Additionally, the company serves a niche market, and likely doesn't have a large tech team, so their website hadn't been set up with HTTPS.

Fortunately, my antimalware software blocked the script, so I decided to look around at least the landing page to see if there's some kind of administrative (or even support) contact.

Not having found one, and not having found anything useful after doing a WHOIS query, I noticed that they accept Facebook messages via their official page.

Is it generally risky to notify a company of a vulnerability using such unofficial channels?

Jules
  • As a side note -- I'm welcoming better tag suggestions. I couldn't find any more relevant ones. – Jules Jun 12 '16 at 14:14
  • Intentional typo? By whom? If the company itself made the intentional typo, then maybe they themselves want to be unethical. – Sravan Jun 12 '16 at 14:28
  • @Sravan I doubt it; they might serve a niche market, but this is still a fairly large company, and this would be a big hit against their reputation (especially since it's quite conspicuous for anyone with a basic antimalware). – Jules Jun 12 '16 at 14:31
  • If you are going to get something like a bounty from them, you may consider reporting it via proper private channels. Otherwise, I feel it's better to just ignore it. – Sravan Jun 12 '16 at 15:28
  • @anx I don't really mind the host taking credit for this; AFAIK the company doesn't have a bounty program in place. I just want to help get some malware off the web. – Jules Jun 12 '16 at 18:56
  • Can't hurt to ask where they want it from FB; if not, just dump it into the comment... – dandavis Jun 13 '16 at 09:16
  • If the request wasn't done using HTTPS, you cannot be sure the malicious script was from their server. Have you tried on a different network? – billc.cn Jun 13 '16 at 14:27
  • I've tried it on several networks; the issue is persistent. My suspicion was that the lack of HTTP is to blame. – Jules Jun 13 '16 at 18:03
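The scenario in the question (a lookalike analytics script on a site served over plain HTTP) is the kind of thing a site owner can check for before a visitor's antimalware does. The following is an added example, not code from the question or answer: it lists the external `<script src>` hosts in a page, flags hosts within a small edit distance of an allowlisted analytics host as lookalikes, and flags allowlisted hosts that are fetched without HTTPS. The allowlist, the `levenshtein` threshold and the sample HTML are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Allowlist of third-party script hosts the site is expected to load (constructed
# example hosts; a real audit would list the analytics vendors actually in use).
KNOWN_HOSTS = {"analytics.example.com", "tags.example.net"}
MAX_TYPO_DISTANCE = 2

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings; a small distance suggests a lookalike host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    if host in KNOWN_HOSTS:
        return "known"
    if any(levenshtein(host, k) <= MAX_TYPO_DISTANCE for k in KNOWN_HOSTS):
        return "lookalike"
    return "unknown"


def audit_scripts(html, page_scheme="http"):
    """Return (src, verdict) for every external <script src>; first-party paths are skipped."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        # Protocol-relative URLs inherit the page's scheme, so on an HTTP page they load insecurely.
        url = urlparse(f"{page_scheme}:{src}" if src.startswith("//") else src)
        if not url.netloc:
            continue
        verdict = classify_host(url.netloc.lower())
        if verdict == "known" and url.scheme != "https":
            verdict = "known-insecure"  # genuine vendor, but fetched over plain HTTP
        findings.append((src, verdict))
    return findings


# Constructed sample page: a good include, an insecure include, a typo'd host,
# a first-party script and an unrelated third party.
SAMPLE_HTML = """
<script src="https://analytics.example.com/a.js"></script>
<script async src="//analytics.example.com/a.js"></script>
<script src="https://analytlcs.example.com/a.js"></script>
<script src="/js/app.js"></script>
<script type="text/javascript" src="https://cdn.example.org/lib.js"></script>
"""

if __name__ == "__main__":
    for src, verdict in audit_scripts(SAMPLE_HTML):
        print(f"{verdict:15} {src}")
```

Running the script against a saved copy of a landing page gives a quick list of which third-party hosts deserve a closer look; the "known-insecure" verdict is the HTTPS concern raised in the comments, since an HTTP include can be altered in transit regardless of the vendor.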

1 Answer

It turns out that in this instance, contacting them over unofficial means (Facebook private messaging) resulted in a response within about 48 hours followed by a quick patch to remove the injected script.

I can't provide a general, non-anecdotal answer to this question, though.

Jules