This debt collector is used by major telecoms in the US. I tried emailing them and got no reply.
I didn't exploit the bug severely, but had to pull a few records to verify that the bug is real.
The reason I'm posting about this is I found it very enjoyable finding this bug and want to do more of this kind of research, for a few reasons (fun, learning, clout, $).
I have some questions for more experienced people in security research:
- Is this greyhat hacking? Or whitehat?
- Did I do something illegal or unethical? Is doing this putting me at risk even if I have good intentions and responsibly disclose?
- If they repeatedly ignore me, what do I do? Contact the CFPB? Publish it on a blog?
Whitehats are basically people who do what is legal whereas grayhats do what they think is right. For example: say you are sitting on the toilet and your neighbor comes into your house, takes $10 out of your wallet and leaves. Also, let's say you see him but have no proof. Legally, you cannot break into his house to take the money back. You need to report it to the police etc. Of course, if you have no proof, then there isn't much point in reporting it. I think a lot of grayhats would just walk into their neighbor's house the next time he leaves and take the money back, thus avoiding all the red tape.
Regarding what you did... it's not exactly certain, because it seems like you kind of did it by accident, at least initially. Generally speaking, you need permission to hack someone. Someone can give you explicit permission, or they can give people in general permission. Regardless, if you don't have permission, I believe you are supposed to stop immediately, inform the business, and if they don't give you explicit permission, continuing to hack them would be illegal. If you continue, then that would be grayhat hacking. Illegal, not necessarily unethical.
https://security.stackexchange.com/questions/13760/found-sec...
TL;DR: What you have done can be considered illegal in many countries, the US included.
I'd consider what you did grayhat hacking (you were not requested to do a pentest, you want to do the right thing, you possibly didn't inflict any damages).
Yes, using your real name to report it to the company could put you at risk.
If you want to do this sort of work, look for bug bounty programs and abide by their rules (each program has different rules, what you're allowed to probe, etc).
If they repeatedly ignore you, it means you already made the mistake of contacting them in the first place. Count yourself lucky and move on. Do not under any circumstances publish how to hack this company on a blog.
If you want to contact the authorities because you think there is a great risk to society, do so anonymously.
IANAL. Good luck.