Recently, I found an XSS vulnerability in a rather large proprietary CMS. The vulnerability wasn't hugely prominent, but it did allow me to take over any page that I could get the script to be displayed on. And it would appear on all visitors’ screens. Although it was a mostly hidden vulnerability involving cookie values, once found, it wasn't very difficult to execute.
At this point, I had two choices: try to let the site know about the problem, or post the vulnerability in social media networks so other people could exploit it, too.
I'm a nice guy, so I chose the first option. But it wasn't easy, and that's a real problem. Most sites, and the platforms on which they run, don't have the right mechanisms in place for users to report security and technical issues (aside from possible public humiliation on Twitter).
In other words, web sites need to think about how to make it easier for nice guys like me to do the right thing.
Here's what happened to me:
First, I tried to get ahold of someone that ran the site on which I found the problem. Not easy. It was a newspaper so the channels of communication were varied and mostly vague. I tried their general help line and hoped to be redirected successfully. Eventually, I ended up at the help desk, “Yes! I did need help in order to help them!” And they seemed to take me seriously: they took down my information and said that someone would be contacting me soon to get the full details. Two weeks later, I hadn't heard back.
In the meantime, I looked up the platform the site was running on. I found the platform vendor's site, looked at their client list, and found the same vulnerability on another site. I went through the same reporting process (“Hello, help desk?”) for the second site as well. Then I contacted the platform provider.
I wasn’t having a lot of luck at this point. With any of them.
When a door closes, find a window.
Since it was close to the Thanksgiving holiday, I waited patiently. Then I started digging into my contact list. (As in, I knew someone who might know someone at the original site where I discovered the vulnerability.) That got me places. I was put in touch with higher-ups at both sites who treated me professionally and seriously. Furthermore, both sites fixed the issue in a timely manner. They were thankful for my reporting, and a little embarrassed that my previous contact attempts went unanswered and ignored:
Vulnerable Site 1 (Director of Technology):
“Thanks so much for passing that along. We’ve patched up that for both display to the public as well as the private welcome message area (just to be safe). I really appreciate your reaching out to us and I’m investigating why your initial report wasn’t forwarded to our area when submitted through the normal feedback channel. Thanks for your persistence in contacting us on this!”
Vulnerable Site 2 (Vice President, Editor):
“Please accept my heartfelt (and somewhat belated) thanks for identifying these security issues.
We investigated, based on your work, and found several concerns. We developed and deployed a patch for these holes last week. Now, if you see code in the comments, it will display as plain text only - but we also went a little further and fixed similar issues in other places.
I don't know that we would have identified this without your help. I thank you for calling this to our attention, and for the discretion you showed in how you let us know, as well. Please let me know if you see ANYTHING else that we need to address.”
The platform provider was a different story. My phone calls to their tech support line were blown off, so I tried to join their platform developer community. Because it’s restricted to developers for companies that have paid for the software, I requested admittance. I was sent a brush-off email. Arg. I replied to the email address (hoping that it wasn't a black hole address) and actually received a response along with contact info from the Security Architect for the company. FINALLY!
CMS Provider (Security Architect):
“I sat down with our engineering team and we do see the points where input could be brought into the platform without sanitization if the customer fails to do so.
I'm also getting the ball rolling on getting a method of contact available for people to report issues outside of the normal support channels.
Thanks for your help.”
What do we do with this?
There are a lot of questions to ask ourselves: what are the rules? How far should you go to report an issue to the content owner? Is there a point at which you say "Screw it" and throw up a public post detailing the vulnerability and start sending the link to the post to anyone that will listen? (I nearly reached this point myself.) Which is the better way to solve the problem: going public or going directly to the source?
The sites that I found issue with were grateful for my reporting, but it took a lot of effort. A. Lot. Why’s this a problem? Because while there are groups like Anonymous and Lulzsec hacking into and posting data from unprotected sites, there are also people — nice guys like me — that have no interest broadcasting this information to the world. Don't make it hard for us to do the right thing. Other people may have given up and just posted something like, "Hey look at that! Their shit's broke, yo. Break into it and get some lulz.”
As a company, no matter how someone tries to reach out to you regarding security issues you need to take it seriously and actually pass along the information. There needs to be a plan in place that all employees with email accounts, phones and social media accounts are aware of. And when a user takes the time to contact your company about issues like this, send a follow up. It’s polite, gracious and just good business.
Software Testing is my profession and passion. I enjoy finding bugs, reporting them, and verifying that the developer has, in fact, fixed them. Unless I've exhausted all possible communication methods for reporting a vulnerability, I'm not going public with it.
If after several attempts, I can’t get the attention the issue deserves, I'll go public with the problem as well as publish my trail of communication and what I did to attempt the contact.
As much as I would love to think that making the info public would have been a huge win for my reputation as a tester, the real reward is a secure online environment. We all want it, and therefore we should all contribute to it in a productive way.