How do you deal with hacks?

You’ve been hacked and it appears the hack could effect your users computers. What would you do?

  1. Do you tell your users that your site has been compromised and point them to tools to fix any problems?
  2. Do you investigate the hack to see if it has compromised end-users and decide the risk is small, so you keep quite. After all, why undermine the integrity of your website, if everyone’s safe?
  3. Do you keep quite no matter what?

I ask this because a page on a very big website (that’s in the top 100 most accessed websites in the world) was flagged up by my browser as containing malicious code. Being curious and working on the fact that I’m a Mac user and the exploit would most likely target unpatched versions of IE, I switched off my security and ventured on to the site.

Looking at the source, the site contained a hidden iframe which linked to an external website. Following the link, this website redirected to a second site. This second page contained a meta refresh that redirected to a php file. I’m assuming this file was intended to deploy the malicious code. But by the time I checked the site, the php file had been replaced with a 301 redirect to Google’s homepage and the top-level domain reported that the account had been suspended. I suspect the offensive site had been shut down long before the hack was introduced into the website and I don’t believe there are any security issues for the end-users.

Since it was clear to me that this wasn’t a false reading, I posted feedback to help the provider identify the problem. The next day the problem still existed and users were reporting layout issues caused by the hack in the website’s forums. So I added some info about what had happened. Soon afterwards, my post and the hack were removed. But so far no warning about the security issue has appeared on the website and it appears that they’ve decided to keep quite.

I know in the early days of the system I’m responsible for, we went live without a Domino virus checker. All the University machines had virus checkers so it didn’t seem important. Within a month we had a member of staff post a file from home that contained a simple non-destructive macro virus. So although it wasn’t serious, we very quickly implemented virus checking and provided students with links to virus checkers. We felt the potential risk to our users was more important than protecting the integrity of our new system. But if I had millions of users, would I have taken the same decision?

So if your website potentially harmed your end-users, even though it’s very unlikely, what would you do? In the case of this nameless website, are they right to hide the problem for the sake of ensuring the millions of people who use the site daily have confidence in their service?

Leave a Reply