Matasano Chargen » Blog Archive » Vulnerability Reporting in a Web 2.0 World

Vulnerability Reporting in a Web 2.0 World

Dave G. | May 25th, 2007 | Filed Under: Disclosure

I reported a vulnerability on a website developed by a popular Web 2.0 company. As it happens, we are a paying customer, so I really want them to take it seriously.

I will now post an anonymized version of the conversation:

Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps.

They reply:

Thanks for the tip, David. It’s been noted.

I reply:

Can you give me some guidance on your response guidelines to security vulnerabilities? Is there a timeframe that you try and have vulnerabilities fixed by?

They reply:

Hi David,

We’re always looking for new ideas and fixes to roll out in future updates but as as rule we don’t comment on possibilities or timeframes.

I reply:

How will I know when this vulnerability is fixed?

They reply:

Actually, they don’t reply at all.

Viewing 14 Comments

Daniel 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Web 2.0 + Security was like DotCom + Logic, they aren't mean't to be :)

reply edit reblog flag

http://danielcuthbert.com

chrisw 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

What we need is disclosure 2.0 guidelines for web 2.0 software. Dave did the right thing by informing the software company. The software company did the wrong thing by treating this as a bug. Perhaps there should be a "hall of web 2.0 shame" for companies that don't fix vulnerabilities reported to them in a timely way.

Perhaps we need a place where researchers like Dave can submit a posting saying they have informed Vendor X of Vulnerability Y on Date Z with CVSS score of A. Then Vendor X can get this taken off the list by saying they fixed it. If it wasn't really fixed Dave can inform the list and it goes back on. Use web 2.0 to police web 2.0.

-Chris

reply edit reblog flag

magnus 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

At least they didn't take you to court... yet. ;-)

reply edit reblog flag

http://therning.org/magnus/

Jordan Wiens 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I notified a website back in October that they had multiple serious security flaws. Including some really stupid ones -- among them, "authentication" resulted in you getting a cookie set to your username -- change the cookie, become another user.

Their response was along the lines of "oops, yeah, we should totally fix that!". I followed up two months later, never heard back and forgot about it until now. Checked again, and they're still vulnerable.

*sigh*

reply edit reblog flag

Dan Weber 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Unlike software companies, I'm really paranoid about reporting vulnerabilities to websites. The best you can reasonably hope for is that they won't try to sue. :(

This is maybe about where software companies were 15 or 20 years ago.

reply edit reblog flag

Thomas Ptacek 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

This company didn't treat the vuln report as a bug. They treated it as a FEATURE REQUEST.

reply edit reblog flag

http://www.matasano.com/log

dre 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

secure software contracts annexes based on owasp/mitre/wasc/samate/sans-ssi (probably in that order) certifications are the future of web 2.0 b2b.

unfortunately, only sans-ssi exists right now, although owasp has this:
http://www.owasp.org/index.php/OWASP_Secure_Sof...
and mark curphey got like $200k to work on a project called "owasp ceritification" a few weeks ago which he claims will replace pci. pci-dss and texas are going to hell in a handbasket as they well should.

i talked about this at chisec last night

reply edit reblog flag

LonerVamp 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I think some Web 2.0 companies have not transitioned internally from being short-sighted to longer-sighted. In the short term, unless you're actually selling security, the impetus is to get the product viable and functional. Security just can't be a cost or detractor from that. Longer-term, devels can start thinking about security and doing things the right way, once a little bit more of their future is "secured." (Pun intended!)

Others just like to build things...maintenance (and beefing up security) are sometimes not what they want to do. :\

Not saying that's right, but...damnit... :)

reply edit reblog flag

http://www.terminal23.net

Ryan Russell 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Those of us who tend a little more towards the punitive end of the spectrum would tend to say that at this point, you name the company (if not the vuln.)

Yay! Free education for everybody...

(Or perhaps in your subtlety, you're going to point them at this entry and ask nicely one more time... if so, where's the hash of your advisory?)

reply edit reblog flag

http://ryanlrussell.blogspot.com/

Thomas Ptacek 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

They could get vindictive and kick us off their application! No thanks!

reply edit reblog flag

http://www.matasano.com/log

Ryan Russell 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Picking functionality over security there, Tom? ;)

reply edit reblog flag

http://ryanlrussell.blogspot.com/

stacy 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

So maybe you should "vote with your wallet" and look for an alternative application.

If you don't consider the vulnerability serious enough to not use the application, why should they think it is serious enough to expend resources to fix?

reply edit reblog flag

Dave G. 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

stacy:

In this situation, I dont think the cost of one customer is going to motivate anyone. Besides, not using products and services everytime there is a security issue that isn't resolved to my satisfaction would basically cause me to stop using computers. :)

reply edit reblog flag

http://www.matasano.com/log

Money and lawyers 2 år dage siden 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Try contacting their funding source or, better yet, their lawyers. These days, those folks understand the words "risk to brand", etc.

reply edit reblog flag

Vulnerability Reporting in a Web 2.0 World

Add New Comment

Viewing 14 Comments

Add New Comment

Trackbacks

People We Read

Things We Write

RSS Feed

Archives