May 11, 2021

I accidentally found a vulnerability. What do I do?


This topic contains 1 reply, has 2 voices, and was last updated by  localpythondevalt 3 weeks, 4 days ago.

  • #383783

    I don’t work in IT or security, but I’ve stumbled upon a vulnerability in my organization’s security.

    I’m working on a project that involves copying those little round RFID stickers onto credit-card sized RFID cards. Just out of curiosity, I tried using my $20 Amazon RFID reader/writer to copy my RFID access card, and it worked! It seems the access cards are read/write and unencrypted.

    While I personally have no malicious intent, with a dash of social engineering or device hacking it would be pretty trivial for someone to copy someone else’s card and get physical building access that they’re not supposed to have, as well as access to certain IT systems containing confidential information.

    I feel like I should let someone know, but I’m worried that either I’m wasting their time over an exploit that they’re aware of, and have simply chosen to accept, or that I’ll get in trouble for copying my card in the first place. Do I create an anonymous email account and report it that way? Any experience or guidance would be appreciated.

  • #383784

    RFID cloning is pretty common, but you definitely won’t be wasting anyone’s time by trying to make your peers at work aware of it, regardless of whether they are already aware or not.
