Ask HN: Maybe found huge security problem, unsure what to do
80 points by sah88 on Nov 8, 2014 | 46 comments
Let me just start off saying I'm 100% amateur and I don't really know that much so I could be all wrong.

I was browsing the website and got redirected to a random URL. Tracing the requests back, I found that the redirect was caused by improperly sanitized HTML. The exploit more or less gives you an iframe's worth of functionality. This allows for very sophisticated phishing.

Firefox is not vulnerable to this (You might be able to guess what the vuln is from that).

Now this actually pales in comparison to the 2nd exploit I found. I'm significantly less sure this works but I'm still pretty sure it will. I have only tested it out on the preview mode and not published.

The preview mode DOES sanitize (hits their server and comes back; basic stuff like <script> gets cleaned up). It just doesn't do a very good job at it. Now, they could have 2 different checks, one being more secure when publishing, but this seems unlikely. I'm not really familiar with the applicable laws so I'm not willing to actually publish an attack to test.

The 2nd exploit allows me pretty much free rein on their page. More or less it lets you execute whatever JavaScript you want.

I have sent the company 2x messages through a form they have for reporting security vulnerabilities. However, I'm not even sure that they got through as I never received a confirmation email (it said one would be sent).

I tried calling as well but I just discovered it last night and I haven't gotten through to anyone who knows anything.

My conundrum is this is an EXTREMELY popular website. Top 100 on Alexa, 30bn+ market cap. If this vulnerability is actually real I'm not sure I'm comfortable sitting on the information for a prolonged period of time considering how easy it would be to exploit.

In the meantime I'm going to continue to try and contact the company but I'm not really sure what my next steps should be otherwise.




With all due respect, most of the replies here are missing the most important point.

Does the company have a bug bounty policy?

No?

Then keep your mouth shut and get on with your life.

A significant percentage of people in power will react to unsolicited warnings of security vulnerabilities by attacking you as though you were their enemy. Worse, the law is at least not clearly on your side. This is not theoretical: people have come to significant harm in this way. Being a hero is great. Being a martyr? Not so much. You don't want next week's top HN story to be an appeal for donations to the legal defense fund of sah88.


The answer is not "sweep the problem under the rug", but rather "tell people who know what they're doing". The idea of "oh let's just pretend this security hole doesn't exist" makes me cringe.

As JCR wrote: "The safe and sane approach is to contact CERT [3,4] through their vulnerability reporting page [5] and let them contact the vendor."

[4] https://www.cert.org

[5] http://www.kb.cert.org/vuls/html/report-a-vulnerability/


If that idea makes you cringe, you should work to change our politicians because that is how the law is written. Any unauthorized access, even if the initial probe was accidental, is against the law and with the way security break-ins hurt company stock prices these days, you can be damn sure someone will come after you if it gets out, even if you weren't the one to release it.

All-in-all, don't tell people unless you have explicit, written proof of the company's consent to pentest their application, because it's simply not worth risking your entire life because someone in power's day is ruined by your curiosity.


This cannot be emphasized enough.

Just keep your mouth shut or you will quite likely be sued. The only thing you should do is simply not just trust that particular company with your data anymore.

If the risk to public good is great enough and the bug simply must be revealed then it should be done anonymously and with full disclosure. Contacting the company will only give your address to them.


How about passing the information to someone like the EFF and let them inform the owners?

The OP said he used a form for reporting security vulnerabilities on the site. Does he still have to be afraid to get sued in such a case?


The EFF exists to influence court cases that are likely to set a precedent.

They are not a general 'help everyone' organization for people who get into technological legal trouble; the closest they come is having a list of law firms they refer uninteresting legal business to.


That's why I wrote "like the EFF". I figured, when you live in a country where you actually can get sued for things like that, there must/should be an organisation or site one can use as a middleman. I wasn't aware of CERT.

I'm still wondering if it has any legal influence in the US when a site provides a form for reporting vulnerabilities.


I think the CERT would be a better idea.


What would happen if sah88 were to release the site's name, but not the details, to warn other people to also not trust this company? Is this grounds for defamation or something like that?


Defamation/libel/etc. is only when you claim something false to be a fact.


Is there an anonymous means by which this can be done?


Depends on the country. In UK truth is no defense for libel.

Also if you are sued for libel in US and prove that they indeed have a security hole that gives them the evidence directly to sue you for 'hacking' their site.


> In UK truth is no defense for libel.

What?

http://www.senseaboutscience.org/data/files/A_quick_guide_to...

> Justification: a defendant must show that the substance and fact of what they have written is true. However, a judge decides what the words meant, and therefore what a defendant must prove to be true – sometimes not what a defendant expects.

http://en.wikipedia.org/wiki/English_defamation_law

> Allowable defences are justification (i.e. the truth of the statement),

Edit:

http://en.wikipedia.org/wiki/Defamation_Act_2013

> and introducing new statutory defences of truth, honest opinion, and 'publication on a matter of public interest' or privileged publications (including peer reviewed scientific journals),


US courts (at a state level) have occasionally ruled similarly; it is a worrying trend.

> The court ruled in the case of Noonan v. Staples that truth published with “actual malice” gleaned from the context of the statement can give rise to a libel lawsuit.

http://itlaw.wikia.com/wiki/Noonan_v._Staples


I agree. If it doesn't impact you, turn around and walk away. If you do want to make a difference, sell the exploit to the Chinese. You'll still be arrested and charged for hacking, but at least you'll have made some money and made the exploit visible.


Yeah. People don't like this answer because it's so obviously suboptimal in technical and security terms, but you're absolutely right. There's no upside to disclosure and only downside. If they don't welcome disclosures, beware.


When it comes to vulnerability reporting and/or disclosure, there are two schools of thought; "responsible disclosure" and "full disclosure". Unfortunately, what "full disclosure" and "responsible disclosure" actually mean can vary a whole lot. For example, some define "full disclosure" as immediately publishing/disclosing the vulnerability and/or with working exploit code, but more level-headed folks define "full disclosure" as trying to contact the vendor and giving them at least 5 days to respond before publicly disclosing any information [1].

The safe and sane approach is to contact CERT [3,4] through their vulnerability reporting page [5] and let them contact the vendor. If you're curious, the CERT disclosure policy is good reading [6].

[1] http://www.wiretrip.net/p/libwhisker.html

[2] http://www.cert.org/vulnerability-analysis/vul-disclosure.cf...

[3] https://www.us-cert.gov

[4] https://www.cert.org

[5] http://www.kb.cert.org/vuls/html/report-a-vulnerability/

[6] https://www.cert.org/vulnerability-analysis/vul-disclosure.c...


Thank you so much for this. (xpto123 as well).

I tried calling but just got bounced around and I'm not sure anyone actually understood/cared. I've got a nice early season cold going so not really interested in sitting on the phone for hours so I've given up on that.

I'm going to email blast as many of the emails I can get and if I don't hear anything back from them by Monday I'll pass it onto CERT.


1) Be careful, people who submit proof-of-concept exploits to websites have been arrested for circumventing digital security measures.

2) It's HIGHLY unlikely that you are the first person to discover this, especially if it's a top 100 site. Those sites are constantly probed by attackers looking for exploits precisely because they are so valuable. Something like XSS due to unsanitized input would be found quickly as there are automated tools that do exactly that. Just report it to CERT, as suggested.

3) You may have hit a honeypot.


A couple of years ago in Australia a security consultant noticed that firststatesuper.com.au had a gaping security hole in that he could manually change an ID in the URL and gain access to other users' account information.

He kindly notified First State like any good samaritan, and so what do First State do in return? Disable his account, report the "offence" to the police, demand that their IT dept examine his computer, demanded that he sign a letter to admit liability and threaten to pursue any costs related to the matter.

Luckily the Police had more common sense, realised what had actually happened and decided not to take any action.

Reference: http://www.theage.com.au/technology/security/super-bad-first...


The same thing happened this year with a teenager who found a SQL injection in the Victorian public transport website: http://www.pcworld.idg.com.au/article/549362/australian_teen...

He disclosed to the organisation who then set the police onto him. Luckily he got off with a warning from police, but that's after having equipment seized etc.


I'll add to this. Be careful in the future. You stated that you are an amateur at this and aren't entirely sure on what to do. That's the quickest way to set yourself up for some long term hurt.

The problem is, when you start poking at server-side flaws as opposed to ones that might exist in applications you run client side like mobile apps, you are entering some very dangerous territory as you are engaged in what is generally considered to be hacking someone else's infrastructure. In the last few years a lot of people in the security community have been probing sites for XSS, SQLi and many other server side vulnerabilities, but they are doing so at fairly high risk and as such many use multiple techniques to remain anonymous. All it takes is someone on the receiving end to decide to call the FBI, and it doesn't matter how good your intentions were, your life is most likely going to change. I've seen this happen first hand to people I know. One guy I know reported an XSS flaw, offered to help fix it, and was accused of extortion as the receiving company figured his offer to "fix it" came at some cost. Luckily they backed down & he only lost about a week's worth of pay after being suspended while an investigation took place.


All of this should be done in an anonymous way: I would say just create an anonymous Gmail and open an anonymous LinkedIn account. Hit the same invitation message to a list of persons that work there, and really don't think about it anymore.

The law is not on your side in most countries, there are honest security researchers in jail for doing things like this, so beware of your personal safety at all times.

If you already identified yourself and followed their security submission page and they did not follow up, then it's best to leave it at that. Above all don't get in personal trouble because of this, it's not worth it.


I know at least one fellow whose entire group is employed because the company got a phone call from the government that their network was exposed. In that case, it was also known to be actively exploited by a state actor, but the point stands that management takes phone calls from Uncle Sam quite seriously.

If a house is on fire, don't be a hero. Call 911.


Look on LinkedIn for people working in security for that company, and invite them to connect. In the connection message state the problem directly.

Do this with technical people, but also with IT managers from the company, and it's worth sending it to the CEO.

Explain what the risks are (is it persistent XSS visible to other users in a forum, etc.).

These things are only important until some manager says they are important, so try to explain the business and public image risk of the exploit to a high level manager via LinkedIn in non-technical terms, ideally with a demo. If they forward the email to the IT department I bet that then they would act.

Last case if responsible disclosure doesn't work after 3/6 months: public disclosure via some news site. All of a sudden it gets fixed in two days, and the end users end up being better off in the long term.

Unpatched exploits that stay there for years are the bread and butter of hackers, and the short term risk introduced by the public disclosure is compensated by the fact the users get protected in the end.


BTW, the Hacker News team is super-duper grateful to people who report security bugs. Report directly to hn@ycombinator.com.


I'd anonymously email and tell them they had 7 days to acknowledge having received your message. After that they get a month or maybe two to fix it. Then public disclosure. All anonymous over Tor, because you can always attach your name later but you cannot remove it if you already gave it.

Or if they don't respond at all, immediate public disclosure. If that's how they want to play the game, then let's play.

Be wary if they ask for your name straight away because companies have been known to sue.


Security bugs are just bugs. Use your own judgement on reporting. And do not make the mistake of violating the law in attempting to test on remote systems (that you may have limited access rights to).

"So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special."

Linus Torvalds Tue, 15 Jul 2008


You reported it through their security bug reporting form, twice. That's sufficient for now. There are two reasons they may not have acknowledged it.

1. You haven't given them enough time to acknowledge it.

2. They are not acknowledging it to limit their liability. Suppose a black hat subsequently finds it and uses it to cause harm, and a victim sues. The acknowledgement to you could be used as proof that they knew about the bug before it was exploited.

You've done all you should do for now. You should now wait long enough for them to fix it. Take into account that there may be complications you are unaware of due to how their backend works, or due to how their development and testing is done, or how their bureaucracy works, so be generous.

Then check to see if the problem is still there. If it is, then go public anonymously, with just the technical details. Leave out the history of attempting to contact them (it could compromise your anonymity).


In 95% of cases I wouldn't have even posted this. The company is huge though and they do a lot of transactions, like A LOT A LOT. The amount of information that could be exposed is a lot higher than your average website.

My problem is really the company should probably have 24/7/365 security support standing by given the industry. I sent in two reports but I never got a confirmation email for either. The original item (to emphasize, I never published anything on the site; this item was posted by another user and I was actually interested in purchasing it until I got redirected) which I have reported by phone and by form is still up on their site redirecting users. This one redirect doesn't actually appear malicious though, but I have no way of telling how many other items are affected. At some point I feel there is a moral obligation for me to disclose the information, which leads me to my second problem.

I have no fucking idea if I'm just overly worried (judging by the comments it would seem so) about the vulnerability. I also have no real idea of how serious it is. But it seems to me that even if a fraction of a fraction of transactions are affected it would still amount to a large amount of stolen information.

What I would really like is for them to email me back and say either "Oh wow yeah thanks for catching that" or "God damn you dumbass, no that's not actually a problem because xyz"


It's always fun to learn the first time how little some big organizations care about security.

I received an offer about 10 years ago, on a Friday evening, to sell me 100k stolen credit cards, and was given a sample of 10k stolen credit cards to show they were serious. I did some checking and determined that the samples seemed real.

I called the FBI to report this. They were not interested, and suggested I try the Secret Service. I did, and they were not interested.

I tried a couple major credit card companies. One was not interested. One gave me an email address to forward the sample list and the full list offer to and said someone would look at it Monday morning.


You would be surprised. The BBC has been reporting on a similar XSS vulnerability on over a hundred eBay listings with custom JavaScript for months now, to no avail [1,2,3]. I guess people really like their parallax sparkles nowadays.

[1] http://www.bbc.com/news/technology-29310042

[2] http://www.bbc.com/news/technology-29279213

[3] http://www.net-security.org/secworld.php?id=17377


> What I would really like is for them to email me back and say either "Oh wow yeah thanks for catching that" or "God damn you dumbass, no that's not actually a problem because xyz"

They're not going to acknowledge any issue until they've patched it if they're smart.


Always conduct business like this anonymously. Public WiFi, separate browser, pastebin, free email provider, public forum.

Give them 28 days, then pastebin it and stick on reddit.

But now you can't do a thing because they know who you are and will sue you so forget about it and stop using their products.


There's some great advice here. I'd like to add to it from the perspective of the people at the large internet service receiving the disclosure.

Every day they possibly get hundreds of emails to their security@ email address. The vast majority of it breaks down into categories of spam and support requests. Then when you have removed that you are left with a pile of "security disclosures", the vast majority of which are a very poor standard, or generated by some sort of scanner software that's returning garbage results.

After this gets filtered the remainder are legitimate issues that need to be investigated. Bear in mind you might not get one of these for weeks and weeks, but you still have to filter the other hundreds of emails.

For all but the largest internet companies (think Apple and Google), they can't afford to tend to this filtering process 24/7. So this happens Mon-Fri during business hours, and if it's a legitimate report it will make its way to a security engineer.

So, what am I getting at? You've taken the right steps to report this. What you have described sounds like a vulnerability; who knows how long it's been there. Given that and the nature of the vulnerability, the likelihood of this being exploited over the coming days sounds low. So we don't have to go to DEFCON 5 just yet. Don't expect companies to react to these reports within hours or over the weekend; there's just too much noise to make this sort of thing feasible. Please give the company a chance to do their thing, this could take a business day or two, just to get acknowledged. And another couple of days to patch (depending on the technical difficulty).

By the way, this pretty much outlines the value proposition of the Hacker One service [1] and why companies should use them. As bug bounties become more popular, the long tail of garbage security reports will increase and so will the overhead cost to run one of these programs effectively (quick response times, qualified engineers triaging the inbound queue, etc.).

[1] https://hackerone.com/


I don't know if the timing applies here, but if you started notification on Friday night... be patient and wait for a business day.


At every IT company I ever worked at, or friends of mine worked at, there were huge security holes. The common thinking of management is, though, that it's under control. Exposing these holes publicly results in getting fired or maybe even getting sued (because usually job contracts prohibit you from doing something that "harms" the company or its image). I don't think there is much that can be done about it. I certainly wouldn't risk my job, decrease the chance to get a job from other companies, knowing that for all that I could only free the world from one security bug, when a million new ones are created daily.


To be clear I don't work for the company. I just happened across it while on their website. More or less I got suspiciously redirected from one of their listings and I started digging from there.


In cases like this I have adopted a best effort policy: look for contact information on the site and via Google ("company-name security"). If I find a (simple and quick) way to contact the company I send them a simple report. If there is no way or no easy way to contact them, I am done and they get nothing.

You stated that you sent them two messages via a form dedicated to reporting security vulnerabilities and even tried to call them. I think you have done more than enough and can relax and wait. (Don't bombard them with too many emails.)

Some in these comments say that you might get sued. As long as you don't publish or threaten to publish the vulnerability, I don't see that happening (but then again IANAL).

It is always exciting when you find (your first) vulnerabilities on "high value" targets, but at the end of the day a layman might not realize that most of the websites, even in the Top 100 on Alexa, have some security problems.

If you personally use the site and fear for your security, you may want to try a bit harder. For example I have tried multiple times to let my bank know about a vulnerability, but never got a satisfactory answer.


Similar to this, I recently found out I could put an iframe in the Dreamhost admin panel if I put it as a TXT record for a domain. It screws up the page, but I'm not sure I can get to actually load the iframe; seems to do a half-job of sanitizing the input. I pulled up the online chat feature and told them about the problem; I don't know if they did anything yet.
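Both the OP's description (preview mode strips `<script>` but an iframe and a redirect still get through) and the Dreamhost TXT-record anecdote above are the same failure mode: a sanitizer that removes tags it knows are bad instead of keeping only tags it knows are safe. The added example below is not code from this thread or from either site; it contrasts a naive `<script>`-stripping sanitizer with a small allowlist sanitizer, run over a constructed listing. Tag names, attribute names and the `example.invalid` URLs are assumptions for the demo; the tokenizer is deliberately minimal and a real deployment would use a maintained library such as DOMPurify.

```javascript
// Added example (not from the thread). Sample listing HTML is constructed.

// 1. Blacklist sanitizer of the kind the thread describes: it knows about
//    <script> and nothing else, so <iframe> and on* handlers survive.
function naiveSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// 2. Allowlist sanitizer: only listed tags/attributes survive. Any other tag
//    (iframe, meta, object, unknown) is dropped; script/style lose their body.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "li", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
const DROP_CONTENT = new Set(["script", "style"]);

// Text nodes: neutralise stray angle brackets (entities are left as-is).
function escapeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Keep only allowlisted attributes; href must be an http(s) URL.
function cleanAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  let out = "";
  const re = /([a-zA-Z][\w:-]*)(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[3] ?? m[4] ?? m[5] ?? "";
    if (!allowed.has(name)) continue;                 // drops on*, style, src
    if (name === "href" && !/^https?:\/\//i.test(value.trim())) continue;
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

function allowlistSanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g; // simplified tokenizer
  let out = "";
  let pos = 0;
  let skipUntil = null; // set while discarding the body of script/style
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const isClose = m[0][1] === "/";
    if (skipUntil) {
      if (isClose && tag === skipUntil) skipUntil = null;
      pos = tagRe.lastIndex;
      continue;
    }
    out += escapeText(html.slice(pos, m.index));
    pos = tagRe.lastIndex;
    if (!ALLOWED_TAGS.has(tag)) {
      if (!isClose && DROP_CONTENT.has(tag)) skipUntil = tag;
      continue; // disallowed tag removed; surrounding text is kept as text
    }
    out += isClose ? `</${tag}>` : `<${tag}${cleanAttrs(tag, m[2])}>`;
  }
  return out + (skipUntil ? "" : escapeText(html.slice(pos)));
}

// Constructed listing: benign markup plus a script redirect, a phishing
// iframe and an inline event handler. example.invalid is a placeholder host.
const LISTING =
  '<p>Great item!</p>' +
  '<script>document.location="http://example.invalid/"</script>' +
  '<iframe src="http://example.invalid/login"></iframe>' +
  '<a href="http://example.invalid/" onclick="track()">details</a>';

function demo() {
  return { naive: naiveSanitize(LISTING), allowlist: allowlistSanitize(LISTING) };
}
```

`demo().naive` still contains the iframe and the onclick handler; `demo().allowlist` keeps only the paragraph and a plain http link.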


Everyone here seems to be saying "oh god, don't do it, CFAA!"

Respectfully, this sort of fear is what holds the Internet back. You are incredibly unlikely to get sued unless: you are threatening to disclose publicly, you intentionally stole data from the site and are storing it now, you threaten to sell said stolen data to a journalist or anyone else, etc.

It costs companies, generally, a lot of money to sue someone. They aren't interested in doing it unless you seriously piss them off or actually cause their business/revenue harm.

If you are not weev, trolling them publicly and saying you'll sell their data, you can likely disclose and be fine. Just be nice about it.

By being nice, I have disclosed hundreds of vulnerabilities over the years, in this manner. Sometimes they even let me write a blog post about it afterward.

If you want, email me and we can discuss in more detail. Email is in my profile.

tl;dr: find someone to contact via LinkedIn or email (CISO or CTO usually works well), be incredibly nice and non-threatening about it, and you'll be fine.


This kind of law is what holds the internet back. Why should I risk bankruptcy, litigation and imprisonment over some intern forgetting to sanitize HTML? Like that never happened before on the internet.

I'm a kind person, but my #1 obligation is to my family, not random internet website users.

The Internet cannot ever be risk free. You post data online, you can expect a low probability of it getting lost / stolen. You're fine with that, because most data is actually not that private, and because you somehow benefit from posting it online.

Security vulnerability reporting must be risk free, because it's possible for it to be. You just need a proper law.


Just move along and don't use the website. The Computer Fraud and Abuse Act is not a joke.


Once you get the bugs fixed, kill the curiosity and disclose the website name. They aren't running their program on BugCrowd or HackerOne, are they?


[flagged]


You should be posting with your main account, you know?


What do you think this site is? Reddit?



