"The state’s goal is for citizens to lose one million pounds, and httpx://sanyuwu.com/index.php?top-lesbian-dating-sites-pii the website even suggests ways to get the family dog involved. Trainers and nutritionists will be"
Whats fascinating to me is that the content seems to have been removed from most of these pages. Some staff member is likely manually deleting them and didn't think to escalate the situation
Asking because I had multiple bad experiences with responsible disclosure, yet I do not believe full (public presumably) disclosure is the right initial path.
"Responsible" disclosure at best results in an embargo where "trusted" parties get to sit on it while the general public remains at risk. Worst case you get the cops knocking at your door.
(Full disclosure should be done anonymously to prevent the latter from happening anyway)
Let's say hypothetically someone found this hacked website, sent an e-mail to the site owners' security reporting contact, and after a year they hadn't taken any action.
Some would say a "responsible" disclosure which allows the danger to continue unabated for a year is a greater danger than a public disclosure, which would lead to the danger being fixed.
That is one hypothetical scenario, yes. Another hypothetical scenario is that as a result of responsible disclosure the site owners patch the hole and ensure customer data isn't publicly accessible before the vulnerability is public knowledge.
Seems reckless to me to not even _try_ responsible disclosure. You don't have to wait a year. But at least give a chance for the problem to be solved before you make it common knowledge.
Responsible disclosure creates a ton of perverse incentives for all parties and ultimately leaves customers worse-off. Bug bounty programs and all of the drama and exploitative labor issues fall into this pit.
Full disclosure might have short-term negatives for _companies_ involved but is best for customers/users as it allows them to evaluate and implement their own mitigations as early as possible. It's the only truly ethically consistent way to operate.
This really sounds like you’re back-solving from a pre-existing ideology of complete openness. A customer’s ability act early, e.g. mitigate, is quite clearly context-dependent. I can think of vendors I interface with as a customer that I’d prefer had vulnerabilities ‘responsibly disclosed’ to them. Nothing in technology is this simple. The absolute nature of your claims make it near impossible to actually take this seriously.
Clicking the link from the google search results continues to work, I just tested it on my phone. Visiting the page directly continues to redirect for me
If you think the site is still serving the redirects I’m going to make a phone call to a publicly available number of some Cyber Crime division for Georgia’s GBI.
Worked for me with no changing of any referrer or other HTTP settings. Clicking on the first georgia.gov resulted redirected me to the spam site. (Win11 + Chrome)
referrer google or user agent google bot is a great way to have google specific shenanigans to rank higher in search.
Google says it's against their policy but plenty of sites do that. Plenty of sites let their paywalls down just for GoogleBot to the ranked in search but real users have to pay.
Some sites don't load ad crap to show GoogleBot how fast they are.
What? I have proof it’s not dynamically generated. The rest of the website is powered by Wordpress, but this redirect is entirely powered by Apache. If users can do that, that’s absolutely a problem.
And it absolutely is still there. I’ve clicked the links on a multitude of different browsers, and they continue to work. One comment lead me to discover that it only works if you are referred by google.com: https://shottr.cc/s/1CXn/SCR-20240426-cm4.png
You’re the one who needs to get over yourself. A government website acting as referral spam for over a year is absolutely noteworthy
Assuming you've breached WordPress, and can run arbitrary php, you can produce that kind of result. I think that path is more likely/common.
"The state’s goal is for citizens to lose one million pounds, and httpx://sanyuwu.com/index.php?top-lesbian-dating-sites-pii the website even suggests ways to get the family dog involved. Trainers and nutritionists will be"
Bottom of this page: https://team.georgia.gov/georgia-news/state-parks-fitness-ch...
And this query: https://www.google.com/search?q=site%3Ateam.georgia.gov+viag...
[1] https://oawp.va.gov/forums/general-discussion
At least this time, it appears to just be a user on some forum, as opposed to something cooked directly into the server
Was this reported to the site owners (https://gema.georgia.gov/get-involved/report-cybersecurity-e...) and appropriate government law enforcement agencies (https://www.cisa.gov/report)?
I do see a call to share other incidents to the blog owner.
Edit: and I’m not sure standard disclosure even applies. I’m just talking about IOCs, not the actual attack vector (which I do not know)
"Responsible" disclosure is anything but.
Asking because I had multiple bad experiences with responsible disclosure, yet I do not believe full (public presumably) disclosure is the right initial path.
(Full disclosure should be done anonymously to prevent the latter from happening anyway)
Some would say a "responsible" disclosure which allows the danger to continue unabated for a year is a greater danger than a public disclosure, which would lead to the danger being fixed.
Seems reckless to me to not even _try_ responsible disclosure. You don't have to wait a year. But at least give a chance for the problem to be solved before you make it common knowledge.
:)
[1] https://news.ycombinator.com/item?id=40169334
It's the 90% of the time, when it doesn't work, that's the problem.
Full disclosure might have short-term negatives for _companies_ involved but is best for customers/users as it allows them to evaluate and implement their own mitigations as early as possible. It's the only truly ethically consistent way to operate.
One can see the results by searching google for the domain and the "gold" string from the article.
Google says it's against their policy but plenty of sites do that. Plenty of sites let their paywalls down just for GoogleBot to the ranked in search but real users have to pay.
Some sites don't load ad crap to show GoogleBot how fast they are.
We should all become GoogleBot.
And it absolutely is still there. I’ve clicked the links on a multitude of different browsers, and they continue to work. One comment lead me to discover that it only works if you are referred by google.com: https://shottr.cc/s/1CXn/SCR-20240426-cm4.png
You’re the one who needs to get over yourself. A government website acting as referral spam for over a year is absolutely noteworthy
IMO seems borderline on flag-worthy.