Thanks for getting back to me so quickly.
Please correct me if I'm wrong, but responsible disclosure works best for either of the following:
- The security vulnerability is at high risk of third-party exploit, thus public disclosure is likely to put customers without a patch at risk
- The vendor would operate in good faith to work with the party reporting it to fix the issue
For a third party to exploit what I believe I have found, the vendor's own server would have to be compromised, or the TLS protocol or a trusted certificate authority would have to be exploited. As such, I think the chance of a third party leveraging the information is small.
In terms of the vendor operating in good faith, I believe they have already shown a preference towards working around their issues rather than learn from them. This would not be the first design flaw found with their product which violated their own marketing claims.
It should also be noted that this vendor seems to be more interested in making legal threats than encouraging direct disclosures. I believe direct communication will be leveraged by them to try to expose my identity. I found the flaw just by reviewing the Python code of an API client which they placed under an MIT license, and I feel I haven't done anything wrong. However, if they choose to ignore my report or work around it in a way that doesn't really address the issue in the long term, I believe they will reinforce this decision with legal threats. Once I expose myself to them, my options to help their customers understand what it is they are buying into may quickly diminish.
To get a feel for the type of company we are dealing with, in response to a previously reported flaw, they stated:
"Even though no customers were adversely affected by this potential vulnerability..."
How would a company be able to definitively make such a claim? Have they done an exhaustive analysis of every single packet on the internet to confirm a vulnerability could never have been leveraged? The previously reported vulnerability was against the client, so the attack would not even be exposed to systems owned by the company.
Another motivator is the company's own blog which has a post titled "Hacking for Good, Not Evil." In the post, they call out Facebook for failing to pay Khalil Shreateh a bug bounty. They even state: "When his report was repeatedly ignored, Shreateh resorted to posting an unauthorized update to the timeline of none other than Mark Zuckerberg himself." Towards the end of the post they state: "We need hackers to keep us safe."
However, all this talk of needing to honor bug bounties and full disclosure being good seems to only apply when the product is not their own. For their own product, rather than offer a bug bounty, they offer the following:
"Furthermore, the threat of disclosing or actual disclosure of any purported weakness, security flaw or degradation of our software or systems (which are proprietary and property of [Company X]) in a public forum - is prohibited."
I don't intend to collect a bug bounty and would just give it to charity if someone demanded I accept one, but it is just so bipolar to go from praising an unauthorized update of one company's server to then stating, for the company's own product:
"If we determine that an entity or individual has attempted to reverse engineer, enter, infiltrate or breach our software, infrastructure and/or a user's device (which could include a breach or weaknesses in an operating system created by or utilized by one of our strategic OEM partners), we will take swift action - either in the form of a lawsuit and/or a disclosure to appropriate local, state and federal law enforcement agencies."
Could reading the open source API client source code be reverse engineering? I don't want to find out what their answer to that might be! The USA seems to operate in such a way that they demand citizens of New Zealand be held accountable to USA law, they allow Oracle to sue for re-implementing an API which Oracle open sourced, and the proposed Aaron's Law gets ignored by those in power. I am going to be very careful to avoid discovering if the reach of such a twisted court system could be applied to me.
At the same time, I don't think it is right to remain silent about what I found. While a third-party exploit is unlikely, the possibility is not 0%. Also, given that the company operates in the USA, and based on what I read about Lavabit being forced by FISA courts to reveal their TLS private key, I believe the possibility of a first-party exploit is also not 0%. What I found is not the most interesting exploit; it will never earn a cool name like Heartbleed or the KRACK attack, but I believe in the statement "we need hackers to keep us safe."
With that in mind, I think customers need to be aware of when a security product might function in a way that differs from how it was marketed. So, you might want to think of this as largely a product review which includes the technical details of a light full disclosure. But I still also feel what I found needs to be put under peer review. Assistance with the wording of the review and the technical details would be appreciated as well.
Edited by sosumi2, 31 December 2017 - 08:59 AM.