I've found security holes in a cloud service. Now what?
November 20, 2018 1:01 AM Subscribe
With the best of intentions I reverse-engineered a cloud service's API and found it extraordinarily poorly secured. I would like to do the ethical thing and, if possible, not end up prosecuted.
I have a Bluetooth device (specific name and type not given here to discourage malicious actors from noticing and using that information), which is associated with a smartphone app and online storage --- the device syncs to the phone, which stores data locally and uploads it to the company's storage. A few months back I posted instructions for pulling locally-stored raw data off of a rooted Android phone (basically, just grabbing the database file).
Recently I was contacted by an iPhone user who was technically savvy enough to get the gist of my approach but who'd had no success replicating it on an emulated Android device, and who didn't have a local store of data in Android-accessible locations, so I went back into the breach seeing if digging through a decompiled APK and using a Wifi sniffer while synchronizing my device could get me a handle on the API (I'd asked the company about APIs months before I even pulled the data off my own phone; silence in reply).
What I found, dear readers, will shock you (or probably not, if you've read anything about the Internet of Things and its attendent security problems). The source code had a hardcoded key for their API. Slight modifications of the query URIs my phone sent allowed me to read (and modify!) other users' information. There's no OAuth2 layer or any of the other par-for-the-course authentication. So I or anybody else with the same information can see pretty much everything (except passwords, AFAICT, although it wouldn't surprise me if that's also accessible somehow). The good news is, this is a small service, and one that doesn't store any sort of financial or other highly sensitive information. OTOH, it does have real names, usernames, and a little bit of other data that could plausibly be useful in identity-theft attempts. So I think having this stuff publicly world-viewable is a bad thing. Meanwhile, I've told my iPhone-using compatriot some URIs he can use to hoover up his own data, which was the point of the whole exercise. But now, what do I do?
I would like to see this breach repaired. I would also like not to end up in some courthouse where both the DA and judge hear phrases like "packet sniffing" and "decompiled source code" and decide that this is nefarious black-hat work. I would (ideally) like this company to pay enough attention to our discoveries to commit to write a usable and secure API and give their users the means to write third-party apps for it (I'd just as soon my random-internet-stranger-friend not find himself back in the same position again in a few months, after they close the hole). But obviously not ending up in prison is kinda my highest personal priority here. How do I go about proceeding ethically and legally?
I have a Bluetooth device (specific name and type not given here to discourage malicious actors from noticing and using that information), which is associated with a smartphone app and online storage --- the device syncs to the phone, which stores data locally and uploads it to the company's storage. A few months back I posted instructions for pulling locally-stored raw data off of a rooted Android phone (basically, just grabbing the database file).
Recently I was contacted by an iPhone user who was technically savvy enough to get the gist of my approach but who'd had no success replicating it on an emulated Android device, and who didn't have a local store of data in Android-accessible locations, so I went back into the breach seeing if digging through a decompiled APK and using a Wifi sniffer while synchronizing my device could get me a handle on the API (I'd asked the company about APIs months before I even pulled the data off my own phone; silence in reply).
What I found, dear readers, will shock you (or probably not, if you've read anything about the Internet of Things and its attendent security problems). The source code had a hardcoded key for their API. Slight modifications of the query URIs my phone sent allowed me to read (and modify!) other users' information. There's no OAuth2 layer or any of the other par-for-the-course authentication. So I or anybody else with the same information can see pretty much everything (except passwords, AFAICT, although it wouldn't surprise me if that's also accessible somehow). The good news is, this is a small service, and one that doesn't store any sort of financial or other highly sensitive information. OTOH, it does have real names, usernames, and a little bit of other data that could plausibly be useful in identity-theft attempts. So I think having this stuff publicly world-viewable is a bad thing. Meanwhile, I've told my iPhone-using compatriot some URIs he can use to hoover up his own data, which was the point of the whole exercise. But now, what do I do?
I would like to see this breach repaired. I would also like not to end up in some courthouse where both the DA and judge hear phrases like "packet sniffing" and "decompiled source code" and decide that this is nefarious black-hat work. I would (ideally) like this company to pay enough attention to our discoveries to commit to write a usable and secure API and give their users the means to write third-party apps for it (I'd just as soon my random-internet-stranger-friend not find himself back in the same position again in a few months, after they close the hole). But obviously not ending up in prison is kinda my highest personal priority here. How do I go about proceeding ethically and legally?
+1 to everything russm said. Source: manage people that find exploits all day, run product security at a decently sized org.
posted by bfranklin at 4:07 AM on November 20, 2018 [1 favorite]
posted by bfranklin at 4:07 AM on November 20, 2018 [1 favorite]
CERT will sometimes take on surprisingly small and obscure things, so if you want to report it and remain anonymous, they are not a bad place to start. If you don't want to go through them and want to hand it off to a company that will do responsible disclosure but claim at least some of the credit for the issue, I can put you in touch with some researchers in the area.
In the US, you are pretty unlikely to be dragged to court (civil or criminal) over this type of research. If you're willing to deal with the headache of chasing down the correct contacts at the company, you can just email them and try to get them to fix it.
posted by Candleman at 6:43 AM on November 20, 2018
In the US, you are pretty unlikely to be dragged to court (civil or criminal) over this type of research. If you're willing to deal with the headache of chasing down the correct contacts at the company, you can just email them and try to get them to fix it.
posted by Candleman at 6:43 AM on November 20, 2018
You might consider submitting an inquiry to the EFF for distribution to their Cooperating Attorneys listserve (more info) to get an opinion from a lawyer with relevant experience in your jurisdiction.
posted by cribcage at 11:09 AM on November 29, 2018
posted by cribcage at 11:09 AM on November 29, 2018
« Older Hand and Arm Protection For Working in Meat... | Hi, how do I make the Peter Principle happen to me... Newer »
This thread is closed to new comments.
OWASP has a Responsible Disclosure Cheat Sheet that lays out the general procedure you should follow. If you follow this (or something like it) then you're operating to industry best practice and have a strong claim you're trying to do the Right Thing™ in case the vendor tries to be punitive against you. If the product is widely used then you may be able to handle the report and disclosure (while remaining anonymous to the vendor) through CERT, though they're unlikely to be interested if they consider it a small-time issue.
Personally I'd just start by emailing security@ or seeing if they have a www.example.com/.well-known/security.txt or other documented security contact. Anyone who's shown that level of knowledge of standard reporting practice is unlikely to try to cause problems for you. If they don't seem to have any idea that they need a security contact, then I'd be more wary that they'd see your contact as threatening. Unfortunately, beyond "you can protect yourself by following a standard Responsible Disclosure process" it really depends on the vendor.
posted by russm at 1:42 AM on November 20, 2018 [10 favorites]