Hi Dominic,
As per our discussion earlier, we have complied with your request to opt you out of the [redacted] database. We investigated your case and the following report was generated by our technical team which has in turn revealed the nature of the problems you experienced, as mentioned we are very proactive with regards to SPAM complaints, and since we have never had a complaint of this nature before we were concerned that we had developed a bug in the system so to speak. As you will be able to see from the report below, we have identified the reasons for the problems, and as a result of the investigation it has in fact raised questions about your access to the system.
Report back: The subscriber tried a SQL inject on his record, this created an invalid user record field thus when trying to opt out the record updating failed because of this. Unfortunately the Opt out process could not be completed when then user record was supposed to be updated. Please refer to the user information below
[table details redacted to protect the innocent]
The "' or 1==1;--" in the firstname field is where the injection was used. This was done on 2008/08/21 04:48:31 PM
The nature of the SQL injection that was used was to try and gain access to alter information in the [redacted] database. With this in mind we could therefore from our own side open up a case against this contact. If he/she would have been successful in the attempt, the integrity of other Users could also have been in doubt. We have manually Opted the user out of the [redacted] Opt-In base and blacklisted the number for all [redacted] sites that we control.
I trust that this resolves your query, and confirms that we have opted you out of the service and any related [redacted] service. If you have any further queries please feel free to contact me directly.
Kind regards
[names redacted]
Pie-on-face.
I didn't know the string had cause any abnormal activity, and hence didn't mention it to them as I usually would when I find these things. I replied with a thanks, an apology, and a warning that they should get a security person to address their SQLi flaws before one of the automated SQLi's does it for them.
The more interesting question though is, have I really done anything wrong? I potentially entered my name as ' or 1==1--, nothing more, nothing less. I also had a legitimate intent to use the service. An innocent n00b could have done the same or similar by chance, although the chances are much less likely, and I would think that they wouldn't be in trouble. It would seem intent and foreknowledge comes into it. I possibly knew what could happen, and I possibly did it on purpose, where as a n00b wouldn't. But, if intent comes into it, the full scope needs to come in too, my knowledge would have allowed me to use a benign string that wouldn't damage anything on their systems, and I always report these things when I find them. Hence, my intent was most likely to make the intertubes a safer place. Right, so if your intent was good but you still do something bad, then potentially you should be punished. However, in this case, did I do anything bad? The only person adversely affected was myself (and with a minor irritation at that), and the provider gets to patch a hole before it was seriously 'sploited (hopefully). Also, I am a member of ' or 1==1--, which should allow me to type my affiliations name without fear or prejudice. What do you think?
P.S. The discussions in this post are hypothetical and of theoretical interest, they do not constitute an admission of guilt or a claim to have performed any actions mentioned.
:)