BREAKING: First State Superannuation threatens researcher

Pension fund engages Minter Ellison...

Australian security researcher Patrick Webster has received a letter from commercial law firm Minter Ellison demanding he turn over his computer to its client First State Superannuation.

The legal threat follows Webster's disclosure of a serious and trivially exploitable security vulnerability in First State Superannuation's website to the company in September.

Listen to my interview with First State Superannuation's Chief Executive Michael Dwyer AM here.

The flaw allowed any logged in member to access other member's statements by changing a single digit in their browser's URL bar.

The letter, received today, threatens to pursue Webster for costs incurred "in dealing with this matter" if he does not agree to delete all information he obtained by demonstrating the flaw and promise to never attempt to access other member information again.

Webster claims he deleted the information in September. He says some member information, around 500 statements, was downloaded to his computer when he tested a bash script that would demonstrate the flaw to the company's IT staff.

He ran it while he made a cup of tea, saw that it worked, deleted the information and sent the script to First State Superannuation's IT staff so they could independently verify the glaring security hole.

You can read the letter here.

Editorialising for a minute, if Webster had planned to do something untoward with the information he obtained in his four minutes of testing, why would he inform the company of their security issue? Why would he now retain the member information he was trying to protect by reporting the bug in the first place?

If he'd found the bug in a Facebook or Google Web application, Webster would have actually received compensation for his time, not reported to the police and threatened.

Now the company is threatening to recoup costs from him if he doesn't allow them to get their grubby, insecure mitts all over his computer. Why not just ask for a signed statutory declaration? Why resort to threats?

The irony here is it's entirely possible that the glaringly obvious, boneheaded direct object reference bug that Webster exposed puts First State Superannuation completely on the wrong side of various compliance regimes and acts, including the Australian Privacy Act which stipulates organisations must take reasonable steps to secure personal information.