On Wednesday, the Australian newspaper the Age reported that a 16-year-old named Joshua Rogers had exposed a serious security vulnerability in the Web site of Public Transit Victoria, the agency that manages train, tram and bus services in the Australian state of Victoria. Rogers says he tried to contact PTV officials for more than a week, with no response, before going to the press. According to the Age, PTV had still not responded to Rogers on Wednesday but had "referred the matter to Victoria Police." We spoke with Rogers by phone Thursday morning here on the East Coast, which happened to be around 3 a.m. Friday in Australia. The transcript has been edited for length and clarity.
How did you discover the flaw in the Public Transit Victoria Web site?
I stumbled on a page that had a MySQL error. Instinctively, from my history of this stuff, I knew what it was and how it worked. And figured out how to use it to get access to the server. It was an SQL injection [vulnerability].
[Editor's note: SQL (Structured Query Language) is the language used to query and manipulate relational databases. In an SQL injection attack, a Web site fails to properly validate information submitted by the user. The user submits specially crafted data that the database interprets as a sequence of SQL commands rather than as data to store. Those commands can instruct the database to disclose private information, add or delete records, and much more.]
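As an added illustration of the mechanism the note describes (not code from the article, from Rogers, or from the PTV site), the constructed example below places a query built by string concatenation beside the parameterised form that fixes it; the table, names and addresses are made up.

```python
import sqlite3

# Constructed sample data, not from the PTV incident: a tiny customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the user's input is pasted into the SQL text,
    so any quotes or operators it contains are parsed as SQL syntax."""
    query = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: a parameterised query sends the value separately,
    and the database treats it purely as data, never as part of the statement."""
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def unsafe_errors_on(conn, username):
    """Return True if the concatenated query breaks on this input.
    An ordinary apostrophe (O'Brien) is enough; the resulting database
    error message, if shown to visitors, is the symptom Rogers describes
    noticing as a MySQL error on the page."""
    try:
        lookup_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Compare both lookups on input that closes the quote and appends a
    condition that is always true: the unsafe form returns every row,
    the parameterised form matches nothing."""
    conn = make_db()
    crafted = "x' OR '1'='1"
    return {"unsafe": lookup_unsafe(conn, crafted),
            "safe": lookup_safe(conn, crafted)}
```

Parameterised queries (or an ORM that uses them) remove the flaw at its root; hiding database error messages from users is a separate, secondary measure that only reduces how easily the flaw is noticed.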
What did you do next?
I took a look at the names of all the databases. I looked at the table names, the column names. In each database that looked interesting, I grabbed two to three results from each column, just to see what there was. One of the databases, named Store, had first names, last names, e-mails, addresses, phone numbers, even dates of birth. And in another database, there were credit card numbers, I believe nine digits, with expiry dates, names, and that could all be linked up to the other database, which had the e-mail addresses etc.
That information could be really useful to someone engaging in identity theft, right?
They couldn't be used for fraud by themselves, but they're only missing three digits. [Criminals] could call up these people, claim that it's their bank and need to reset their password to gain access or send money. Obviously, with date of birth, e-mail, phone number [they could pose as the customer]. There were probably passwords in there.
Then you tried to alert PTV to the problem, right?
I found all of the e-mails [of PTV employees], not through the database, but through LinkedIn, and I contacted all the employees through their work e-mails, which are formatted [in a standard way]. So from there I contacted them [on Dec. 26], let them know that there was this vulnerability. There was no response at all from any of them. Based on what I saw, they completely ignored it. They were uninterested. It wasn't a surprise to me.
[After several days with no response], I contacted [Age transport reporter] Adam Carey because I'd seen an article about previous fraud stuff he'd done with the public train authority in Victoria. And he then contacted PTV on, I believe, Monday, Dec. 6. Something like 30 minutes after he contacted them, they responded to my e-mail saying: "Thank you for this, we're looking into it. If you have any other concerns, let us know."
But there was no public announcement from them. Nothing to tell their customers that their data may have been compromised by other people. Then the story was run on Jan. 8. I believe on the 9th, PTV contacted Carey to say that they've contacted the police.
So the first time you heard about being reported to the police was through Carey?
The only thing I've heard is through the newspaper. I haven't been informed that I've been reported to the police.
Just to set the record straight, did you do anything with the information you obtained from the PTV Web site? Do you still have it?
I deleted the information instantly just because what am I going to do with it? Call up 600,000 people?
I gather you don't think PTV handled the incident very well. What would be a better way for companies to handle security reports like yours?
It's not surprising that this happens. Companies have a reputation they need to keep, so they'll deter people like myself from going public by reporting us to the police just so their reputation is upheld. But the fact of the matter is that if there aren't people like me doing this type of stuff, which there are a lot of us, the real bad guys will gain access.
I think a lot of these companies are also just scared of someone contacting them saying they'll be hacked. The first real [response] is to go into panic mode. The responsible thing is to converse with the reporter about the vulnerability, thank them for their work, and really be responsible.
And fix the problem, right?
Tell me about yourself. How did you get interested in this kind of computer security research?
I'm 16, just a school kid on holiday. An average nerd. I'm interested in cybersecurity and security in general, computers, coding, all of that stuff. I have a background in mathematics that kind of helps.
It probably originally happened when I myself got hacked through a phishing Web site, learning how that works and progressing to the coding part, and then learning about buffer overflows. I really didn't think about it seriously until I learned how to program.