Australian Patrick Webster noticed that when he logged in to his online account at retirement fund First State Super, the URL contained the unique ID for his account.
By tweaking the number in the URL, Webster found that he could access other people’s accounts, so he immediately notified First State Super that their 770,000 account holders were at risk.
Proving that no good deed goes unpunished, Webster soon found himself in hot water with the police on suspicion of hacking into First State Super’s computer systems, say local reports.
Adding insult to injury, the retirement fund suspended Webster’s account, demanded to inspect his computer and said he may be liable for any costs in fixing the breach.
Let the tale of Patrick Webster be a lesson to any well-meaning, IT-savvy individual who may spot a security flaw in an online service.
Say nothing, do nothing. Otherwise, don’t expect any thanks.