Because I like to look at logs fairly regularly, their new IP address gave me concern, so I did a quick lookup and port scan. They happen to have open FTP access with anonymous login enabled.
What's worse is that their whole C: drive (Windows server) is viewable through the exposed FTP (apart from user directories) and, from a quick glance, their application code which does the screen scraping is visible to anyone.
This code also includes config files (connection strings to DB, etc.) and of course the code which screen scrapes our site and many others.
What do we do? Contacting them and then being accused of a server breach, etc., is not my idea of the foreseeable future and everything that comes with it.
There is an unfortunate tendency, especially here in the litigation-happy US, to pursue the person who does the right thing by warning of possible security issues. I don't want to join that list.
In terms of their own security issues, this might be an issue, and keeping quiet will protect our interests at least.
What would you do?