Inspiring
February 17, 2007
Question

Off topic - legal UK security ...


Just found that an old client of mine had a new site done by a firm of web
designers (he has asked me for some advice on it, SEO etc...). Anyhow, I
looked and I can 'guess' the control panel URL, and click into it, looking at
the various credit card numbers... In the past I have been a little paranoid
about this, knowing the sheer amount of CC fraud out there... Suffice to
say, what should I tell the guy? How responsible is he? Or is the web firm?
Or is he not liable if someone hacks (guesses) the URL?

Cheers Gerry



4 replies

Inspiring
February 19, 2007
In the end the guy is liable, it's his business. He in turn could sue the
developers, but the buck starts (and maybe stops) with him.

Are you saying the control panel isn't password protected?

For a start as well, the credit card numbers should at least be encrypted.

I'd let the guy know, as at the least it will ruin his reputation if hackers
got hold of the data, as the banks take it seriously, and I'm sure it would
be traced back to him. I'm sure he'd be breaking some law with this, probably
the Data Protection Act. Even if you don't care about him, morally I'd be
worried for all the people who have their card numbers in his database.

In the end it's down to how you feel. If it was me, and I was friendly with the
bloke, I'd tell him. If he was an arsehole, I'd report it to his payment
provider. I would do something about it, however, as if the same thing
happened to a database my credit card details were in, I'd hope someone
would do the same.

--
Gareth
http://www.phploginsuite.co.uk/
PHP Login Suite V2 - 34 Server Behaviors to build a complete Login system.


Inspiring
February 18, 2007
Gerry wrote:

>
> Just found that an old client of mine had a new site done by a firm
> of web designers (he has asked me for some advice on it, SEO etc...).
> Anyhow, I looked and I can 'guess' the control panel URL, and click
> into it, looking at the various credit card numbers... In the past I
> have been a little paranoid about this, knowing the sheer amount of
> CC fraud out there... Suffice to say, what should I tell the guy?
> How responsible is he? Or is the web firm? Or is he not liable if
> someone hacks (guesses) the URL?
>
> Cheers Gerry

Are you saying you can just breeze in there and see everything?


If so I'd shut the thing down immediately and start suing the
developers . . . .

--
Buzby
There's nothing more dangerous than a resourceful idiot

Inspiring
February 18, 2007
Good relation, although he did choose someone else to do this site partly
because I said I wouldn't have time ... and partly because he said it was
free (funny, it seemed the expensive type of free)

Cool, I will drop him an email when I have finished off some work for him
...
G

"Joe Makowiec" <makowiec@invalid.invalid> wrote in message
news:Xns98DAC082994DEmakowiecatnycapdotrE@216.104.212.96...
> On 17 Feb 2007 in macromedia.dreamweaver.appdev, Gerry wrote:
>
>> Just found that an old client of mine had a new site done by a firm
>> of web designers (he has asked me for some advice on it, SEO
>> etc...). Anyhow, I looked and I can 'guess' the control panel URL,
>> and click into it, looking at the various credit card numbers... In
>> the past I have been a little paranoid about this, knowing the sheer
>> amount of CC fraud out there... Suffice to say, what should I tell
>> the guy? How responsible is he? Or is the web firm? Or is he not
>> liable if someone hacks (guesses) the URL?
>
> It depends on the jurisdiction. And who the attorneys go after. But
> I'd guess that a smart barrister could pay for a few weeks vacation in
> a warm, sunny place on that one. And I'd guess that the company, the
> developer AND the hosting provider would all carry a portion of the
> liability. And it would be huge, because the attorneys involved would
> be the ones for the banks who get stuck with the bill for the
> fraudulent usage.
>
> Whether to inform them? (This sounds like one for the ethicist.) Are
> you still on good terms? Expect repeat business? I suspect that I
> might contact an attorney first to see what the potential exposure is,
> and point that out to them at the same time.
>
> IMHO, yes, you should inform everybody involved.
>
> --
> Joe Makowiec
> http://makowiec.net/
> Email: http://makowiec.net/email.php


Inspiring
February 17, 2007
On 17 Feb 2007 in macromedia.dreamweaver.appdev, Gerry wrote:

> Just found that an old client of mine had a new site done by a firm
> of web designers (he has asked me for some advice on it, SEO
> etc...). Anyhow, I looked and I can 'guess' the control panel URL,
> and click into it, looking at the various credit card numbers... In
> the past I have been a little paranoid about this, knowing the sheer
> amount of CC fraud out there... Suffice to say, what should I tell
> the guy? How responsible is he? Or is the web firm? Or is he not
> liable if someone hacks (guesses) the URL?

It depends on the jurisdiction. And who the attorneys go after. But
I'd guess that a smart barrister could pay for a few weeks vacation in
a warm, sunny place on that one. And I'd guess that the company, the
developer AND the hosting provider would all carry a portion of the
liability. And it would be huge, because the attorneys involved would
be the ones for the banks who get stuck with the bill for the
fraudulent usage.

Whether to inform them? (This sounds like one for the ethicist.) Are
you still on good terms? Expect repeat business? I suspect that I
might contact an attorney first to see what the potential exposure is,
and point that out to them at the same time.

IMHO, yes, you should inform everybody involved.

--
Joe Makowiec
http://makowiec.net/
Email: http://makowiec.net/email.php