Are security flaws acceptable if not much harm can derive from them?

Yes. This is a problem - a big problem. Lately I found a design flaw in a business' webshop that allowed me to insert innocent notes in other visitors' carts.

Seems innocent, and only annoying, until I looked further and found that I was also able to insert JavaScript code (XSS) into those notes. So in other words, I could exploit XSS on every visitor's cart. I made a quick PoC showing them how I could easily hack the computer of any visitor (in this case myself, it was a PoC) using that design flaw, XSS, BeEF, and Metasploit.

So even the smallest flaw may result in a big risk after all.

Besides that, who says that the error you found is the only one the developer of that website made? Maybe he also made tons of other mistakes.

Reporting would be the best you could do - even if it looks unnecessary.
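As an added illustration of the two flaws stacked in this answer (a note endpoint that never checks cart ownership, and a cart page that renders notes unescaped) beside their fixed forms; this is example code, not the webshop's code or the poster's PoC, and the in-memory store, session ids and note text are constructed.

```python
import html

# Constructed sample store for this example: cart_id -> {"owner": session_id, "notes": [...]}
def make_store():
    return {
        "cart-alice": {"owner": "sess-alice", "notes": []},
        "cart-bob": {"owner": "sess-bob", "notes": []},
    }

# Constructed note that carries markup; used only to show the rendering difference
PAYLOAD = "<script>alert('xss')</script>"

def add_note_vulnerable(store, cart_id, note):
    """Design flaw from the answer: the endpoint takes a cart id and never checks
    who owns it, so any visitor can write a note into any other visitor's cart."""
    store[cart_id]["notes"].append(note)

def render_notes_vulnerable(store, cart_id):
    """Second flaw: note text is concatenated into HTML unescaped, so markup in a
    note is interpreted (and any script in it runs) in the browser of whoever views the cart."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in store[cart_id]["notes"]) + "</ul>"

def add_note_fixed(store, cart_id, note, session_id):
    """Tie the write to the caller's own cart: a cross-cart write is refused."""
    cart = store.get(cart_id)
    if cart is None or cart["owner"] != session_id:
        raise PermissionError("session does not own this cart")
    if len(note) > 500:
        raise ValueError("note too long")
    cart["notes"].append(note)

def render_notes_fixed(store, cart_id):
    """Escape on output so a note is shown as text and never interpreted as markup."""
    items = "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in store[cart_id]["notes"])
    return "<ul>" + items + "</ul>"

def demo():
    """Returns (vulnerable_html, cross_cart_write_refused, fixed_html)."""
    store = make_store()
    add_note_vulnerable(store, "cart-bob", PAYLOAD)      # attacker writes into Bob's cart
    vulnerable_html = render_notes_vulnerable(store, "cart-bob")  # Bob's view runs the script
    store = make_store()
    try:
        add_note_fixed(store, "cart-bob", PAYLOAD, session_id="sess-attacker")
        refused = False
    except PermissionError:
        refused = True
    # Even the owner's own note is escaped: output encoding still holds if the ownership check is ever bypassed
    add_note_fixed(store, "cart-bob", PAYLOAD, session_id="sess-bob")
    return vulnerable_html, refused, render_notes_fixed(store, "cart-bob")
```

Both fixes are needed: the ownership check removes the cross-visitor write, and the escaping turns a note that still reaches the page into harmless text.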


Your question is: Are security flaws acceptable if not much harm can derive from them?

The answer is yes, if decided by business while understanding the consequences.

What you are doing is called a risk assessment. For each risk you must highlight the consequences for your company when it is instantiated. Based on that assessment you (you = someone who has the power to make the business decision) have three choices:

  • you can accept it - by assuming that the costs of fixing it are not worth the consequences
  • you can mitigate it: fix it to the point where you can accept the consequences
  • you can insure against it - effectively offloading the risk to someone else.

As you can imagine, there are several hot areas in a risk assessment.

The first one is the assessment of the consequences and the probability. There are numerous books and articles about how to do that; at the end of the day this is based on vigorous hand waving and experience. The output is never like the one in the books:

we have a 76% probability of this happening, which will cost us 126,653 €

but rather

well, I feel that this is a risk we should take care of

Note that the "consequences" part may sometimes be quantifiable (loss of profit for online commerce, for instance) but usually is not (loss of image for your company, for instance).

Besides the dubious theoretical aspects of risk assessments there is one huge advantage you should always take advantage of: you put a risk on the table and it must be dealt with somehow.

This is not only a place-where-the-back-loses-its-noble-name--coverer, it is the right tool to highlight where information security efforts should go. It also raises your visibility (there are not so many proactive cases where you can raise your visibility) and forces you to take a hard, deep, pragmatic look at what is important and what is not.


The problem that I see with such a simple password reset scheme is that it suggests further vulnerabilities in the platform. A flawed concept of security is rarely so isolated as to only happen once, since such flaws are usually related to a developer's practices regarding security. At minimum, I'd suspect that their internal login procedures might also be susceptible to the same flaw, potentially allowing attackers to access databases, code, and processes they shouldn't normally have access to.

From there, it might be possible to modify the server's code to report cleartext passwords, or glean additional private information, and possibly allow attacks on further systems. After all, even though this is 2016, there are still many people out there that still use the same password for their bank accounts as they do for Facebook, despite the obvious risks associated with doing so. Even if not, being able to associate a nickname with an email address might put other accounts the user has at risk as well; the more information an attacker knows about a user account, the more they can leverage trying to subvert other accounts owned by the same person.

At minimum, I'd suggest you contact the site owner and see if they'll fix the problem, and if not, consider not using their application unless absolutely vital. I'd also recommend changing your email on the user account to a throw-away account that's not connected to an email address that you care about. We're no longer in an age where we can assume apparently minor flaws won't come back to haunt us later.