We're only trying to help
By Nick Barron
May 29, 2007 4:23 PM
One of my pet hates is the website with no clear route for feedback. About once a day I find some irritating or downright broken "feature" of a website, whether it's the incessant "We'd like you to complete a quick survey" popups, or the complete failure to provide a clear process for reporting broken links (the best case being a major media company whose "report a broken link" link was itself broken when I tried it).

There is seldom a clear route for reporting such problems, and even if you find a way, a response is the exception rather than the rule. This should be a concern for site owners as well as intolerant users such as myself. If you don't make it easy for visitors to your site to report problems, you're removing a huge group of unpaid testers who would otherwise improve the quality of the site.

It's not just websites either. It seems increasingly rare these days to find a site that accepts mail to the "postmaster", yet this is a mandated requirement of the relevant RFC standard. Yes, I know it's a target for spammers, but there are plenty of good anti-spam solutions around.

Default addresses for reporting service abuse are also becoming hard to find, and when you do send mail to one, chances are all you'll get back is a form-letter reply. On occasion I've had to trace ownership of the host and call one of the directors; a real pain but an effective way of reorganising the IT department's "to do" list.

Given the high profile that security on the internet has, you'd think that companies would make it easy to report security problems. Indeed, most software vendors have a published address to contact and in general the mail gets through to someone who has a fair understanding of the risks involved.

Unfortunately back in the "real" business world things are less well organised.

Take banks, for example. Online banking has been the victim of significant fraud over the past few years and is certainly high profile. So, when about a year ago I came across a newsgroup posting about a problem with a UK bank's website, I decided to investigate.

Sure enough, the problem was real. Because the bank used a dumb script to redirect links, you could have a link that started www.bigbank.co.uk that would actually end up on a completely different site. While hardly a "showstopper" threat, this would make fraud a lot easier and is easy to fix. Simply apply least privilege; the script should only accept links that are known to be valid, not arbitrary user input.
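The redirect weakness the column describes, in Python, as an added example (not code from the column, the bank, or any real site): the "dumb script" that forwards whatever it is given, beside two least-privilege versions, one keyed to a table of known destinations and one limited to same-site paths. The hostname, the destination table and the sample links are constructed for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed for the example: the site's own host (hypothetical, taken from
# the column's wording) and the only destinations the script should ever use.
SITE_HOST = "www.bigbank.co.uk"
ALLOWED_DESTINATIONS = {
    "home": "/",
    "online-banking": "/online-banking/login",
    "help": "/help/contact",
}


def vulnerable_redirect(target: str) -> str:
    """The 'dumb script' pattern: the visitor-supplied parameter becomes the
    Location header unchanged, so a link that starts with the bank's own
    hostname can deliver the user to an arbitrary third-party site."""
    return target


def safe_redirect(target: str, default: str = "/") -> str:
    """Least privilege, strongest form: the parameter is only a key into a
    table of known destinations. Anything that is not a known key, including
    a full URL or a path that merely looks local, gets the default page."""
    return ALLOWED_DESTINATIONS.get(target, default)


def same_site_redirect(target: str, default: str = "/") -> str:
    """Least privilege, looser form: accept only a relative path on this site.
    The checks reject the usual ways an absolute URL slips past a naive
    'does it start with /' test: protocol-relative '//host', backslashes
    (which browsers treat as slashes), and embedded whitespace or control
    characters that parsers strip or split on."""
    if not target.startswith("/") or target.startswith("//"):
        return default
    if "\\" in target or any(c.isspace() or ord(c) < 0x20 for c in target):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from path and query only so nothing else parsed out survives.
    return urlunsplit(("", "", parts.path, parts.query, ""))


# Constructed sample: a link that begins with the bank's hostname but, with
# the vulnerable script, lands somewhere else entirely.
SAMPLE_LINK = f"https://{SITE_HOST}/redirect?to=https://evil.example/phish"
```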

So with my shiniest white hat on, I penned a suitably technical description of the problem, along with recommended solutions, and sent it to the security contact. Or rather, I would have, had there been one. The first obstacle was finding a way for a non-customer to report a problem. My first attempt elicited a "do not reply" response with a patronising guide to email fraud attached (step one, don't bank with us).

The next attempt got bounced back with a suggestion I should contact someone in customer services by phone (of course, when I am providing free security consultancy, sitting on hold for 20 minutes is top of my wish list). I tried a third address and got no response at all.

So I went down a less direct route, via personal contacts. Serendipitously one of my colleagues had a friend on the bank's web team. He thanked me for the report and muttered something about "not having time to test things properly". Still nothing.

So I gave up. It actually took the best part of a year before the problem was fixed, and I would be prepared to bet that, if I spent an hour or so on the site, I'd find a similar problem. I haven't named the bank as, to be fair, I don't know how bad the rest of them are.

Capturing user feedback is an essential process for any business. Providing a simple, effective and acknowledged route for security reports is an essential feature for any commercial site, especially those trying to improve their market reputation for security.

- Nick Barron is a security consultant. He can be contacted at nikb@virus.org.