No offense, but I think you're a tad paranoid. If I was a mechanic and I saw someone at a gas station driving a car that was obviously dangerous because of some kind of bad fixup, I would tell him. This is no different, and I don't expect anyone to sue me for that.
Here's the mail I sent:
Hi there,
It appears that you have some pretty severe security problems on your site. This is a heads up so you can get it fixed. I would recommend doing so ASAP.
Your site has been posted to hacker news (which is a friendly programming site for start-up people and nerds) as an example of bad security practices. The link is here: http://news.ycombinator.com/item?id=2383857
It has also been posted to Reddit, which might be more of a problem since that site has a lot of 14-year-old bored teens hanging around that know just enough about programming to do a lot of damage... Link: http://www.reddit.com/r/programming/comments/gdviz/how_not_t...
It appears that your site is easy to compromise, which might lead to anything from defacement to someone stealing all your content, usernames, passwords, etc.
I have nothing to do with these postings; I just don't like to see innocent sites get in trouble, hence this mail. Feel free to contact me if you need anything or have questions.
I wouldn't say they were paranoid. A few months back I showed a colleague what looked like the openings of a very serious data leak in a major company's site. He investigated further and then reported it up through the chain of command and then over to the company. At no point did he do anything other than what was done here, as in point out a publicly visible security flaw. He was nearly fired after the company threatened to sue. The company only relented when he agreed to keep quiet and his employers disciplined him. The employers didn't back him up. All this for solely reporting a flaw, absolutely zero use of said flaw.
I've got $10 riding on "they see the word Hacker in 'Hacker News' and start freaking out". :D
Oh, I understand the word hacker in all its culturally and context relevant forms, and you understand the word hacker, but they do not understand the word hacker. :-(
If we, as hackers of the sort that inhabit Hacker News, have a post like this on the front page and no one cares to actually write them and tell them they have a security problem that may cause them serious damage, we don't deserve better.
You're right, getting sued for pointing this out would be absurd. But where you're wrong is that it just might've happened. There are more ridiculous lawsuits out there. There was a story on here a couple of years ago where a US Government real estate web site was using JavaScript for their authentication, with the password stored in plain text. When it was pointed out to them via email, they responded with allegations of computer fraud and threatened to file charges. Obviously they weren't 100% serious and I'm sure nothing official came of it - but yes, people this stupid are that ridiculous.
The Computer Misuse Act 1990 makes no provision for intent (this is partially provided through the Police and Justice Act 2005 amendments). Instead, the act talks about unauthorised access, which is an undefined term.
In fact, a security consultant was convicted[1] for using ../../ in a URL after he thought a site had been hacked.
If you're very lucky, the place you are in won't honor their demands for extradition on the hacking charges.