Microsoft Opens the Gates to Hack Their Web Services

Use Netsparker


It seems like Microsoft are starting to get serious about security, in a very progressive move they have said they are ok with ethical hackers finding security flaws in their online services.

It’s been fairly ok so far to hack away at software installed on your own hardware, but hitting remotely hosted applications has been a big no-no with individuals facing legal action even when they were just trying to help.

In a first for a major company, Microsoft has publicly pledged not to sue or press charges against ethical hackers who responsibly find security flaws in its online services.

The promise, extended Saturday at the ToorCon security conference in Seattle, is a bold and significant move. While researchers are generally free to attack legally acquired software running on their own hardware, they can face severe penalties for probing websites that run on servers belonging to others. In some cases, organizations have pursued legal action against researchers who did nothing more than discover and responsibly report serious online vulnerabilities.

Personally I welcome such a move and hope more companies act in a foreword thinking and ethically just manner. There are many good guys finding flaws, and sadly then don’t report them for fear or litigation. In turn the bad guys find the same flaws and exploit them for gain.

Actions by more big companies to ‘ok’ ethical hacking would make things a little more secure for everybody.

As things stand, researchers frequently turn a blind eye to gaping security holes on websites for fear of suffering a fate similar to that of Eric McCarty. The prospective student at the University of Southern California found a flaw in the school’s online application system that gave him access to other applicants’ records. In 2006, he was charged with computer intrusion after producing proof of his finding.

“There’s definitely a lot of trepidation among legitimate researchers to find flaws in public-facing web applications because you never know how [companies] are going to react,” said Alex Stamos, a founding partner at iSEC Partners, a firm that provides penetration-testing services. “That hurts us because the only people finding these flaws are the bad guys.”

For once I’m praising Microsoft, I know it’s an odd and rare occurrence but they are doing the right thing!

I’m sure you guys have a lot to say about this one..

Source: The Register

Posted in: Hacking News, Legal Issues, Web Hacking

, , , , , ,


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


3 Responses to Microsoft Opens the Gates to Hack Their Web Services

  1. Zinho April 21, 2008 at 9:48 am #

    Strange, I got very nice and kind regards from MS security response center when I found *remote* holes. Of course I followed responsible handling of the issue, this may be the reason

    I guess that that no-no is meant to scare and discourage hackers since by far the most targeted company in the universe

  2. fever April 21, 2008 at 5:40 pm #

    You went through proper channels instead of posting as an exploit againt them. that is why they thanked you instead of arresting you. that is the way it should be with all servers of big companies. they should have a forum or somthing where you can submit your work to them and show them their problems.

  3. Changlinn June 1, 2008 at 2:04 pm #

    I wonder if they have fixed up all their expired and incorrectly assigned SSL certificates all over the place. I’ll have to remember where I saw some of them.