
Need help authoring full disclosure security post



#1 sosumi2

Posted 30 December 2017 - 10:43 PM

I have found a critical design flaw in a password manager service which was promoted by a major industry vendor. I wondered if there is anyone with skills in cryptography and Python who would be willing to help perform a peer review of the flaw I found. A person who has also written a full disclosure post before would also be nice, but not required.

Thanks




#2 Didier Stevens
BC Advisor

Posted 31 December 2017 - 03:46 AM

Just that I understand: you want to do "full disclosure" of the vulnerability you found, and not contact the vendor to do "responsible disclosure"?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 sosumi2
Topic Starter

Posted 31 December 2017 - 07:17 AM

Thanks for getting back to me so quickly.

Please correct me if I'm wrong, but responsible disclosure works best in either of the following cases:

- The security vulnerability is at high risk of third-party exploit, so public disclosure is likely to put customers without a patch at risk

Or

- The vendor would operate in good faith to work with the party reporting it to fix the issue

 

For a third party to exploit what I believe I have found, the vendor's own server would have to be compromised, the TLS protocol would have to be exploited, or a trusted certificate authority would have to be compromised. As such, I think the chance of a third party leveraging the information is small.

In terms of the vendor operating in good faith, I believe they have already shown a preference towards working around their issues rather than learning from them. This would not be the first design flaw found with their product which violated their own marketing claims.

It should also be noted that this vendor seems to be more interested in making legal threats than encouraging direct disclosures. I believe direct communication will be leveraged by them to try to expose my identity. I found the flaw just by reviewing the Python code of an API client which they placed under an MIT license, and I feel I haven't done anything wrong. However, if they choose to ignore my report or work around it in a way that doesn't really address the issue in the long term, I believe they will reinforce this decision with legal threats. Once I expose myself to them, my options to help their customers understand what it is they are buying into may quickly diminish.

 

To get a feel for the type of company we are dealing with, in response to a previously reported flaw, they stated:

"Even though no customers were adversely affected by this potential vulnerability..."

How would a company be able to definitively make such a claim? Have they done an exhaustive analysis of every single packet on the internet to confirm a vulnerability could never have been leveraged? The previously reported vulnerability was against the client, so the attack would not even be exposed to systems owned by the company.

 

Another motivator is the company's own blog which has a post titled "Hacking for Good, Not Evil."  In the post, they call out Facebook for failing to pay Khalil Shreateh a bug bounty. They even state: "When his report was repeatedly ignored, Shreateh resorted to posting an unauthorized update to the timeline of none other than Mark Zuckerberg himself."  Towards the end of the post they state: "We need hackers to keep us safe."

 

However, all this talk of needing to honor bug bounties and full disclosure being good seems to only apply when the product is not their own.  For their own product, rather than offer a bug bounty, they offer the following:

"Furthermore, the threat of disclosing or actual disclosure of any purported weakness, security flaw or degradation of our software or systems (which are proprietary and property of [Company X]) in a public forum - is prohibited."

 

I don't intend to collect a bug bounty and would just give it to charity if someone demanded I accept one, but it is just so bipolar to go from praising an unauthorized update of one company's server to then state for the company's own product:

"If we determine that an entity or individual has attempted to reverse engineer, enter, infiltrate or breach our software, infrastructure and/or a user's device (which could include a breach or weaknesses in an operating system created by or utilized by one of our strategic OEM partners), we will take swift action - either in the form of a lawsuit and/or a disclosure to appropriate local, state and federal law enforcement agencies."

 

Could reading the open source API client source code be reverse engineering? I don't want to find out what their answer to that might be! The USA seems to operate in such a way that they demand citizens of New Zealand be held accountable to USA law, they allow Oracle to sue for re-implementing an API which Oracle open sourced, and the proposed Aaron's Law gets ignored by those in power. I am going to be very careful to avoid discovering whether the reach of such a twisted court system could be applied to me.

At the same time, I don't think it is right to remain silent about what I found. While a third-party exploit is unlikely, the possibility is not 0%. Also, given that the company operates in the USA, and based on what I read about Lavabit being forced by FISA courts to reveal their TLS private key, I believe the possibility of a first-party exploit is also not 0%. What I found is not the most interesting exploit, and it will never earn a cool name like Heartbleed or the KRACK attack, but I believe in the statement "we need hackers to keep us safe."

 

With that in mind, I think the customers need to be aware of when a security product might function in a way that differs from how it was marketed.  So, you might want to think of this as largely a product review which includes technical details of a light full disclosure.  But I still also feel what I found needs to be put under peer review.  Assistance in wording of the review and technical details would be appreciated as well.

 

Thanks


Edited by sosumi2, 31 December 2017 - 08:59 AM.


#4 sosumi2
Topic Starter

Posted 02 January 2018 - 03:03 AM

Sorry for the wordy rant.  I will try again to explain and be straight to the point.

 

I see there being three types of disclosures:

(1) Secret Disclosure
(2) Responsible Disclosure
(3) Full Disclosure

With a secret disclosure, the vendor is the only one notified and can do whatever they want with the disclosure.  Under this type, the security researcher has no leverage to make sure the problem gets patched for the users.  Also, the security researcher has no leverage to make sure they get credit for reporting it.  Lastly, the security community is never notified to try to reach a consensus on how vendors can avoid the type of issue again in the future.

 

With responsible disclosure, there is an attempt to balance the needs of the vendor, the user and the security researcher.  The group reporting the issue can hold the vendor accountable to making progress on fixing it because they can issue a full disclosure if the vendor does not.  Once the issue is resolved or there is no indication of a fix, the reporter also can make sure they get credit by issuing a full disclosure.  Lastly, the user can hold the vendor accountable to issues that took place while the patch was not available as they are made aware of the issue once it goes into full disclosure.

 

With a direct-to-full disclosure, the needs of the user to be able to hold the vendor accountable are the primary goal.

 

Based on my understanding above, responsible disclosure requires both parties to accept the terms being that of a responsible disclosure.  If a vendor claims to not allow a full disclosure to ever take place, then they are demanding the disclosure be performed in secret.  I am uncomfortable with a vendor of a security utility expecting only secret disclosures.  Since there is no acknowledgement of the vendor to allow a responsible disclosure to be accepted, I feel my comfort level for this situation only allows me to go straight to full disclosure.



#5 Umbra
Authorized Emsisoft Rep

Posted 02 January 2018 - 10:19 PM

Anonymous secret disclosure with time limit option towards full disclosure?


Edited by Umbra, 02 January 2018 - 10:20 PM.


Emsisoft Community Manager


#6 sosumi2
Topic Starter

Posted 14 January 2018 - 09:16 AM

I have attempted to make an anonymous secret disclosure. They have acknowledged the information, but I don't know how anonymous I really have been. How long should the time limit be until full disclosure?

#7 sosumi2
Topic Starter

Posted 12 February 2018 - 03:23 AM

Here is the timeline so far:

Jan 9: Issues from the security review are disclosed and acknowledged by the vendor
Jan 18: Requested information on proceeding with a vendor-authorized full disclosure. Told more would be known in 1-2 weeks
Jan 26: Vendor posted to their blog, which reiterated claims that contradict the disclosure
Jan 30: Vendor indicates it will be at least a couple of months before making changes. Questioned the vendor about the blog post and asked them to be more transparent with their customers
Jan 31: Vendor refuses to address my concerns about the blog post
Feb 1: Further emails result in an SMTP 550 error stating that the mail is blocked. A request to vendor support to find out if this is a misconfiguration has gone unanswered
Feb 12: Post timeline to this forum

 

The vendor has never offered any hard deadline by which time they expect to have all the issues addressed. I feel that by continuing to not disclose the issues that I would be complicit in a deception of their customers.

 

Let me know if there is any advice available for this situation.
