Discovered vulnerability in eCommerce platform
June 3, 2015 11:46 AM Subscribe
I have discovered a vulnerability in an eCommerce platform which leaves sensitive and private customer data at risk. I reported this loophole to the developer, but their response has been underwhelming. What should I do?
I expected them to go into "red alert" and solve this problem right away. But I reported the loophole over 96 hours ago, and there has been very little response and no clear indication as to whether or not they are even working to solve this problem.
They implemented a quick-fix hack to hide some of the data on my specific website; however, I can clearly see that the vulnerability still exists on some of their more visible customers' websites. In fact, the vulnerability still exists on my website -- you can login to these accounts without a password -- it's just that most of the sensitive data has been hidden. They haven't done anything to hide the data for their other customers, who don't even know this loophole exists.
This loophole allows anyone to access certain types of customer accounts if the customer email address is known, without any authentication whatsoever. Basically, for certain types of customers, one can log into their account without a password. All you need is the email address.
I don't want to say too much about how the exploit works. But a lot of sensitive data is accessible once you are logged into one of these accounts, including:
- The last four digits and expiration date of credit cards used
- First/last name and addresses
- All order history
This eCommerce company is touting their PCI certification and the fact they have been audited by a well-known, third party assessment group. Doesn't this put their certification at risk? Doesn't this sort of vulnerability threaten their entire business?
Should I be reporting this to someone else? A compliance authority? Their other clients that don't know they, and their customers, are affected? (Thousands of companies use this platform.) What is reasonable to expect from them as far as a timeframe to address this kind of issue? And what sort of responsiveness should I expect to be confident that it is being addressed?
I expected them to go into "red alert" and solve this problem right away. But I reported the loophole over 96 hours ago, and there has been very little response and no clear indication as to whether or not they are even working to solve this problem.
They implemented a quick-fix hack to hide some of the data on my specific website; however, I can clearly see that the vulnerability still exists on some of their more visible customers' websites. In fact, the vulnerability still exists on my website -- you can login to these accounts without a password -- it's just that most of the sensitive data has been hidden. They haven't done anything to hide the data for their other customers, who don't even know this loophole exists.
This loophole allows anyone to access certain types of customer accounts if the customer email address is known, without any authentication whatsoever. Basically, for certain types of customers, one can log into their account without a password. All you need is the email address.
I don't want to say too much about how the exploit works. But a lot of sensitive data is accessible once you are logged into one of these accounts, including:
- The last four digits and expiration date of credit cards used
- First/last name and addresses
- All order history
This eCommerce company is touting their PCI certification and the fact they have been audited by a well-known, third party assessment group. Doesn't this put their certification at risk? Doesn't this sort of vulnerability threaten their entire business?
Should I be reporting this to someone else? A compliance authority? Their other clients that don't know they, and their customers, are affected? (Thousands of companies use this platform.) What is reasonable to expect from them as far as a timeframe to address this kind of issue? And what sort of responsiveness should I expect to be confident that it is being addressed?
Four days is not a tremendously long time in terms of getting a security fix reported, acknowledged, fixed, etc.. particularly if you reported it on a non-business day. It may have been routed to the wrong person, that team may be already heavily bogged down, etc. They may use a monthly release cycle and feel that releasing the fix out of the usual order places the other customers at higher risk than leaving it unannounced but unfixed for a little while longer.
One of the first steps is to try to get an official statement from their security team saying that they're received your report, have been able to duplicate the problem, what their internal tracking number for the problem is, and what their estimated timeline to fixing it is. If you can't get that, you can try contacting the security team directly - use LinkedIn to identify people on their security team and try to get ahold of them.
If you can't get a reasonable response, then one generally sends an intent to disclose to the vendor, establishing that you will inform the public of the issue if progress is not made. Here's a good overview of some timeframes that various groups use. 30-45 days sounds appropriate in your case if they do not indicate that they've made progress on fixing it. If they start work on it but don't complete it, 60 days might be a good number.
If you don't have the time and energy to handle all of this, you might try handing it issue off to someone that has the knowledge on how the shepherd the issue through getting fixed. Here's some places that might be able to help:
Internet Storm Center (I would give them a general description of the issue and see if they will refer you to someone specific)
CERT
The Bugtrack mailing list
If you have a local large university, you can reach out to their security group and see if there's anyone there who would be interested in taking it on as a project - there's sometimes some junior employees that could use practice/experience with vulnerability reporting.
posted by Candleman at 12:48 PM on June 3, 2015 [2 favorites]
One of the first steps is to try to get an official statement from their security team saying that they're received your report, have been able to duplicate the problem, what their internal tracking number for the problem is, and what their estimated timeline to fixing it is. If you can't get that, you can try contacting the security team directly - use LinkedIn to identify people on their security team and try to get ahold of them.
If you can't get a reasonable response, then one generally sends an intent to disclose to the vendor, establishing that you will inform the public of the issue if progress is not made. Here's a good overview of some timeframes that various groups use. 30-45 days sounds appropriate in your case if they do not indicate that they've made progress on fixing it. If they start work on it but don't complete it, 60 days might be a good number.
If you don't have the time and energy to handle all of this, you might try handing it issue off to someone that has the knowledge on how the shepherd the issue through getting fixed. Here's some places that might be able to help:
Internet Storm Center (I would give them a general description of the issue and see if they will refer you to someone specific)
CERT
The Bugtrack mailing list
If you have a local large university, you can reach out to their security group and see if there's anyone there who would be interested in taking it on as a project - there's sometimes some junior employees that could use practice/experience with vulnerability reporting.
posted by Candleman at 12:48 PM on June 3, 2015 [2 favorites]
"Dear Company: I have discovered and reported to you a serious security flaw, which I hoped you would take seriously and try to fix. Your response has been rather underwhelming. If you do not respond to me with a serious plan for fixing the problem before then, on June 15 I will post a full description and all the details of your security problem on Slashdot. I do hope I will hear from you before then. Sincerely, Anonymous."
posted by Chocolate Pickle at 1:02 PM on June 3, 2015
posted by Chocolate Pickle at 1:02 PM on June 3, 2015
I... don't really think this is as serious an exploit as you seem to think it is. Last 4 and expiry date of a credit card aren't very interesting or meaningful pieces of data. Names and addresses and order history are slightly more interesting but really probably not all that valuable. 96 hours is an incredibly short period of time to expect major action to be taken. I would nudge them over email and see if they respond, but I have no idea why you would threaten with taking this public yet or what you would hope to gain from that. Wait a bit longer and see. If they don't do anything within a week perhaps it's worth escalating, but probably this vulnerability has been outstanding for a while, and will take a while to fix, and there's really not much you can do about it.
posted by ch1x0r at 6:05 PM on June 3, 2015 [1 favorite]
posted by ch1x0r at 6:05 PM on June 3, 2015 [1 favorite]
As others have said, it's been 3 days. You have a temporary work-around (for your site) which usually re-sets the clock and pushes priority down from code-red to "next release cycle".
You should expect the workaround to be posted, but might not get a lot of fanfare.
you should not post a how-to, or threaten to. There are a number of different best-practices/communities that talk about how to report and what you should do, and Candleman's links are a good start.
ch1x0r - note that the last 4 were used in recent hack. By knowing the last 4, allowed password recovery and then leveraged to a larger breach of things. (I think this was the fappening hack). So it's not trivial information when there's a bigger target.
posted by k5.user at 8:22 AM on June 4, 2015
You should expect the workaround to be posted, but might not get a lot of fanfare.
you should not post a how-to, or threaten to. There are a number of different best-practices/communities that talk about how to report and what you should do, and Candleman's links are a good start.
ch1x0r - note that the last 4 were used in recent hack. By knowing the last 4, allowed password recovery and then leveraged to a larger breach of things. (I think this was the fappening hack). So it's not trivial information when there's a bigger target.
posted by k5.user at 8:22 AM on June 4, 2015
What idiot is allowing password recovery with last 4 of credit card number? Well, password recovery is basically broken everywhere so I guess I shouldn't be all that surprised. Anyway. As far as a PCI compliance thing, I don't think last 4 breach is considered serious, even though it might let you into other broken websites. So I still maintain that this is, in the grand scheme of breaks, not the biggest break that ever broke, mostly because it's hard to get credit card numbers and details out of it which is the most valuable data most hackers really want.
posted by ch1x0r at 7:42 PM on June 4, 2015
posted by ch1x0r at 7:42 PM on June 4, 2015
This thread is closed to new comments.
If you don't know how to place your site into some sort of holding pattern yourself, I'd be finding a new developer to help you with that, posthaste.
posted by humboldt32 at 11:55 AM on June 3, 2015 [2 favorites]