Ask HN: Maybe found huge security problem, unsure what to do

80 points, by sah88, over 10 years ago

Let me just start off saying I'm 100% amateur and I don't really know that much so I could be all wrong.

I was browsing the website and got redirected to a random URL. Tracing the requests back I found that the redirect was caused by improperly sanitized html. The exploit more or less gives you an iframe worth of functionality. This allows for very sophisticated phishing.

Firefox is not vulnerable to this (You might be able to guess what the vuln is from that).

Now this actually pales in comparison to the 2nd exploit I found. I'm significantly less sure this works but I'm still pretty sure it will. I have only tested it out on the preview mode and not published.

The preview mode DOES sanitize (hits their server and comes back, basic stuff like <script> gets cleaned up). It just doesn't do a very good job at it. Now, they could have 2 different checks, one being more secure when publishing but this seems unlikely. I'm not really familiar with the applicable laws so I'm not willing to actually publish an attack to test.

The 2nd exploit allows me pretty much free rein on their page. More or less it lets you execute whatever javascript you want.

I have sent the company 2x messages through a form they have for reporting security vulnerabilities. However I'm not even sure that they got through as I never received a confirmation email (it said one would be sent).

I tried calling as well but I just discovered it last night and I haven't gotten through to anyone who knows anything.

My conundrum is this is an EXTREMELY popular website. Top 100 on Alexa, 30bn+ market cap. If this vulnerability is actually real I'm not sure I'm comfortable sitting on the information for a prolonged period of time considering how easy it would be to exploit.

In the meantime I'm going to continue to try and contact the company but I'm not really sure what my next steps should be otherwise.
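The post describes a preview-mode sanitizer that strips `<script>` yet still lets an iframe through, which is the classic failure of a denylist. The following is an added example, not code from the post or from the site being discussed: it puts a denylist sanitizer (removes only `<script>` blocks) beside an allowlist sanitizer built on Python's `html.parser`, which keeps only known-safe tags and attributes and re-escapes everything else. The tag and attribute lists and the sample fragment are constructed for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist policy (constructed for this example): only these tags survive,
# and only these attributes per tag. Anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# Elements whose inner content is discarded together with the element.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


def naive_sanitize(fragment: str) -> str:
    """Denylist sanitizer: removes <script> blocks and nothing else.

    This mirrors the weak 'basic stuff like <script> gets cleaned up'
    behaviour described in the post; every other tag passes through.
    """
    return re.sub(r"(?is)<script\b[^>]*>.*?</script>", "", fragment)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens, emitting only allowed ones."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []
        self.suppress = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.suppress += 1
            return
        if self.suppress or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. never survive
            if name == "href":
                url = (value or "").strip().lower()
                if not url.startswith(SAFE_URL_SCHEMES):
                    continue  # reject non-http(s)/mailto URL schemes
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.suppress = max(0, self.suppress - 1)
            return
        if self.suppress or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so stray '<' or '&' cannot form markup.
        if not self.suppress:
            self.parts.append(html.escape(data, quote=False))


def allowlist_sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


# Constructed sample: benign formatting mixed with a script, an iframe,
# a non-http link scheme and an inline event handler.
SAMPLE = (
    '<p>Hello <b>world</b><script>alert(1)</script>'
    '<iframe src="https://example.invalid/frame"></iframe>'
    '<a href="javascript:void(0)" onclick="run()">link</a> &amp; more</p>'
)

if __name__ == "__main__":
    print("denylist :", naive_sanitize(SAMPLE))     # iframe and onclick survive
    print("allowlist:", allowlist_sanitize(SAMPLE))  # only p/b/a with text remain
```

The design point is that an allowlist never has to know what the next dangerous tag or attribute is: a new browser feature that the denylist author never heard of is dropped by default rather than passed through.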

16 comments

rwallace, over 10 years ago

With all due respect, most of the replies here are missing the most important point.

Does the company have a bug bounty policy?

No?

Then *keep your mouth shut and get on with your life*.

A significant percentage of people in power will react to unsolicited warnings of security vulnerabilities by attacking you as though you were their enemy. Worse, the law is at least not clearly on your side. This is not theoretical: people have come to significant harm in this way. Being a hero is great. Being a martyr? Not so much. You don't want next week's top HN story to be an appeal for donations to the legal defense fund of sah88.
Comment #8577952 not loaded
Comment #8577268 not loaded
Comment #8577993 not loaded
Comment #8578059 not loaded
jcr, over 10 years ago

When it comes to vulnerability reporting and/or disclosure, there are two schools of thought: "responsible disclosure" and "full disclosure". Unfortunately, what "full disclosure" and "responsible disclosure" actually mean can vary a whole lot. For example, some define "full disclosure" as immediately publishing/disclosing the vulnerability and/or with working exploit code, but more level-headed folks define "full disclosure" as trying to contact the vendor and giving them at least 5 days to respond before publicly disclosing any information [1].

The safe and sane approach is to contact CERT [3,4] through their vulnerability reporting page [5] and let them contact the vendor. If you're curious, the CERT disclosure policy is good reading [6].

[1] http://www.wiretrip.net/p/libwhisker.html

[2] http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm

[3] https://www.us-cert.gov

[4] https://www.cert.org

[5] http://www.kb.cert.org/vuls/html/report-a-vulnerability/

[6] https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm
Comment #8577070 not loaded
xpto123, over 10 years ago

Look in LinkedIn for people working in security for that company, and invite them to connect. In the connection message state directly the problem.

Do this with technical people, but also with IT managers from the company, and it's worth sending it to the CEO.

Explain what the risks are (is it persistent XSS visible by other users in a forum, etc.).

These things are only important until some manager says they are important, so try to explain the business and public image risk of the exploit to a high level manager via LinkedIn in non-technical terms, ideally with a demo. If they forward the email to the IT department I bet that then they would act.

Last case if responsible disclosure doesn't work after 3/6 months: public disclosure via some news site. All of a sudden it gets fixed in two days, and the end users end up being better off in the long term.

Unpatched exploits that stay there for years are the bread and butter of hackers, and the short term risk introduced by the public disclosure is compensated by the fact the users get protected in the end.
tlb, over 10 years ago

BTW, the Hacker News team is super-duper grateful to people who report security bugs. Report directly to hn@ycombinator.com.
lucb1e, over 10 years ago

I'd anonymously email and tell them they had 7 days to acknowledge having received your message. After that they get a month or maybe two to fix it. Then public disclosure. All anonymous over Tor, because you can always attach your name later but you cannot remove it if you already gave it.

Or if they don't respond at all, immediate public disclosure. If that's how they want to play the game, then let's play.

Be wary if they ask for your name straight away because companies have been known to sue.
jmount, over 10 years ago

Security bugs are just bugs. Use your own judgement on reporting. And do not make the mistake of violating the law in attempting to test on remote systems (that you may have limited access rights to).

"So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special."

Linus Torvalds, Tue, 15 Jul 2008
tzs, over 10 years ago

You reported it through their security bug reporting form, twice. That's sufficient for now. There are two reasons they may not have acknowledged it.

1. You haven't given them enough time to acknowledge it.

2. They are not acknowledging it to limit their liability. Suppose a black hat subsequently finds it and uses it to cause harm, and a victim sues. The acknowledgement to you could be used as proof that they knew about the bug before it was exploited.

You've done all you should do for now. You should now wait long enough for them to fix it. Take into account that there may be complications you are unaware of due to how their backend works, or due to how their development and testing is done, or how their bureaucracy works, so be generous.

Then check to see if the problem is still there. If it is, then go public anonymously, with just the technical details. Leave out the history of attempting to contact them (it could compromise your anonymity).
Comment #8577882 not loaded
custardcream, over 10 years ago

Always conduct business like this anonymously. Public WiFi, separate browser, pastebin, free email provider, public forum.

Give them 28 days, then pastebin it and stick it on reddit.

But now you can't do a thing because they know who you are and will sue you, so forget about it and stop using their products.
seanieb, over 10 years ago

There's some great advice here. I'd like to add to it from the perspective of the people at the large internet service receiving the disclosure.

Every day they possibly get hundreds of emails to their security@ email address. The vast majority of it breaks down into categories of spam and support requests. Then when you have removed that you are left with a pile of "security disclosures", the vast majority of which are of a very poor standard, or generated by some sort of scanner software that's returning garbage results.

After this gets filtered the remainder are legitimate issues that need to be investigated. Bear in mind you might not get one of these for weeks and weeks, but you still have to filter the other hundreds of emails.

For all but the largest internet companies (think Apple and Google), they can't afford to tend to this filtering process 24/7. So this happens Mon-Fri during business hours, and if it's a legitimate report it will make its way to a security engineer.

So, what am I getting at? You've taken the right steps to report this. What you have described sounds like a vulnerability; who knows how long it's been there. Given that and the nature of the vulnerability, the likelihood of this being exploited over the coming days sounds low. So we don't have to go to DEFCON 5 just yet. Don't expect companies to react to these reports within hours or over the weekend; there's just too much noise to make this sort of thing feasible. Please give the company a chance to do their thing; this could take a business day or two just to get acknowledged, and another couple of days to patch (depending on the technical difficulty).

By the way, this pretty much outlines the value proposition of the Hacker One service [1] and why companies should use them. As bug bounties become more popular, the long tail of garbage security reports will increase and so will the overhead cost to run one of these programs effectively (quick response times, qualified engineers triaging the inbound queue, etc.).

[1] https://hackerone.com/
bradb3030, over 10 years ago

I don't know if the timing applies here, but if you started notification on Friday night... be patient and wait for a business day.
erikb, over 10 years ago

At every IT company I ever worked at, or friends of mine worked at, there were huge security holes. The common thinking of management is, though, that it's under control. Exposing these holes publicly results in getting fired or maybe even getting sued (because usually job contracts prohibit you from doing something that "harms" the company or its image). I don't think there is much that can be done about it. I certainly wouldn't risk my job and decrease the chance to get a job from other companies, knowing that for all that I could only free the world from one security bug, when a million new ones are created daily.
Comment #8577056 not loaded
batram, over 10 years ago

In cases like this I adopted a best effort policy: look for contact information on the site and via Google ("company-name security"). If I find a (simple and quick) way to contact the company I send them a simple report. If there is no way or no easy way to contact them, I am done and they get nothing.

You stated that you sent them two messages via a form dedicated to reporting security vulnerabilities and even tried to call them. I think you have done more than enough and can relax and wait. (Don't bombard them with too many emails.)

Some in these comments say that you might get sued. As long as you don't publish or threaten to publish the vulnerability, I don't see that happening (but then again IANAL).

It is always exciting when you find (your first) vulnerabilities on "high value" targets, but at the end of the day a layman might not realize that most of the websites even in the Top 100 on Alexa have some security problems.

If you personally use the site and fear for your security, you may want to try a bit harder. For example I have tried multiple times to let my bank know about a vulnerability, but never got a satisfactory answer.
elwell, over 10 years ago

Similar to this, I recently found out I could put an iframe in the Dreamhost admin panel if I put it as a TXT record for a domain. It screws up the page, but I'm not sure I can get it to actually load the iframe; it seems to do a half-job of sanitizing the input. I pulled up the online chat feature and told them about the problem; I don't know if they did anything yet.
borski, over 10 years ago

Everyone here seems to be saying "oh god, don't do it, CFAA!"

Respectfully, this sort of fear is what holds the Internet back. You are incredibly unlikely to get sued unless: you are threatening to disclose publicly, you intentionally stole data from the site and are storing it now, you threaten to sell said stolen data to a journalist or anyone else, etc.

It costs companies, generally, a lot of money to sue someone. They aren't interested in doing it unless you seriously piss them off or actually cause their business/revenue harm.

If you are not weev, trolling them publicly and saying you'll sell their data, you can likely disclose and be fine. Just be nice about it.

By being nice, I have disclosed hundreds of vulnerabilities over the years, in this manner. Sometimes they even let me write a blog post about it afterward.

If you want, email me and we can discuss in more detail. Email is in my profile.

tl;dr: find someone to contact via LinkedIn or email (CISO or CTO usually works well), be incredibly nice and non-threatening about it, and you'll be fine.
Comment #8578570 not loaded
stefan_kendall3, over 10 years ago

Just move along and don't use the website. The Computer Fraud and Abuse Act is not a joke.
zuck9, over 10 years ago

Once you get the bugs fixed, kill the curiosity and disclose the website name. They aren't running their program on BugCrowd or HackerOne, are they?