A Tale of 2 Vulnerability Disclosures

You're out for a stroll and spot a house with its front door wide open. Out of concern, you try to inform the owner about the door. Unexpectedly, the owner snaps back, insisting the door is shut. This is a story about the worst vulnerability disclosure process I've ever experienced.

The world of vulnerability disclosure and research is really confusing, with lots of different opinions on what's right or wrong. No matter what you do as a researcher, someone is likely to say you're doing it wrong.

All you can do is carefully find your way through the unclear laws. If you discover something, try to handle it responsibly so it doesn't end up in bad hands. After all, the main goal is to keep people safe, isn't it?

Vulnerability Discovery

During a recent security assessment for a client, I had permission to examine all aspects of their online presence. As a part of that I chose to investigate whether they had any exposed S3 buckets or Azure storage accounts that permitted public file listing and access.

Luckily for my client, I didn't come across any buckets linked to them. However, during my investigation, I stumbled upon two buckets belonging to other companies, both loaded with sensitive data.
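The assessment step described above, as an added example that is not part of the original post: an unauthenticated check for anonymous listing on an S3 bucket or an Azure blob container. Both requests are deliberately sent without credentials, so a parsed listing in a 200 response means the bucket policy/ACL (S3) or the container's public access level (Azure) grants listing to everyone. Every bucket, account and container name below is a placeholder, and the sample XML responses are constructed to match the shape of the real services' replies; nothing here is data the author observed.

```python
"""Added example (not from the original post): check whether an S3 bucket or an
Azure blob container allows anonymous listing.
Every name below (buckets, accounts, containers) and both sample XML documents are
constructed placeholders."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample responses, shaped like the real services' XML.
SAMPLE_S3_LISTING = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    b"<Name>prod-backups</Name><KeyCount>2</KeyCount>"
    b"<Contents><Key>db/2023-08-01.sql.gz</Key><Size>1048576</Size></Contents>"
    b"<Contents><Key>customers.csv</Key><Size>20480</Size></Contents>"
    b"</ListBucketResult>"
)
SAMPLE_AZURE_LISTING = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="exports">'
    b"<Blobs><Blob><Name>invoices-2023.xlsx</Name></Blob></Blobs><NextMarker />"
    b"</EnumerationResults>"
)
SAMPLE_S3_DENIED = b"<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"


def s3_listing_url(bucket):
    """Anonymous ListObjectsV2 request: no credentials, so a 200 with a listing
    means the bucket policy or ACL grants s3:ListBucket to everyone."""
    return f"https://{bucket}.s3.amazonaws.com/?list-type=2&max-keys=5"


def azure_listing_url(account, container):
    """Anonymous 'List Blobs' request: succeeds only when the container's public
    access level is 'Container' (blob-level public access allows reads, not listing)."""
    return (f"https://{account}.blob.core.windows.net/{container}"
            "?restype=container&comp=list&maxresults=5")


def parse_s3_listing(body):
    """Object keys from a ListBucketResult document, or None if the body is something else."""
    root = ET.fromstring(body)
    if root.tag != f"{S3_NS}ListBucketResult":
        return None
    return [c.findtext(f"{S3_NS}Key") for c in root.findall(f"{S3_NS}Contents")]


def parse_azure_listing(body):
    """Blob names from an EnumerationResults document, or None if the body is something else."""
    root = ET.fromstring(body)
    if root.tag != "EnumerationResults":
        return None
    return [b.findtext("Name") for b in root.iter("Blob")]


def classify(status, body, parser):
    """Turn an HTTP status and body into (verdict, keys). Only a parsed listing
    counts as public; a 200 with some other body (e.g. a static website) does not."""
    if status == 200:
        try:
            keys = parser(body)
        except ET.ParseError:
            keys = None
        return ("PUBLIC LISTING", keys) if keys is not None else ("200 but not a listing", [])
    if status in (401, 403):
        return "exists, anonymous listing denied", []
    if status == 404:
        # Azure also answers 404 for private containers, so this is not
        # proof that the container does not exist.
        return "not found (or private on Azure)", []
    return f"HTTP {status}", []


def fetch(url):
    """Unauthenticated GET returning (status, body); only called from main()."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-listing-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def main(argv):
    """usage: s3 <bucket>  |  azure <account> <container>"""
    if argv[1:2] == ["s3"] and len(argv) == 3:
        url, parser = s3_listing_url(argv[2]), parse_s3_listing
    elif argv[1:2] == ["azure"] and len(argv) == 4:
        url, parser = azure_listing_url(argv[2], argv[3]), parse_azure_listing
    else:
        print(main.__doc__)
        return 2
    verdict, keys = classify(*fetch(url), parser)
    print(f"{url}\n  -> {verdict}")
    for key in keys:
        print(f"     {key}")
    return 1 if verdict == "PUBLIC LISTING" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python bucket_check.py s3 <bucket>` or `python bucket_check.py azure <account> <container>` against assets you are authorised to test. The parsers are kept separate from the network call so the verdict logic can be exercised offline on the constructed samples; `max-keys`/`maxresults` are capped at 5 because the point is to confirm listing is possible, not to enumerate the contents.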

Vulnerability Disclosure?

Knowing about these vulnerabilities, am I now required, even though I have no affiliation with the impacted companies, to report these issues?

A frequent point raised is that reporters shouldn't even be aware of these issues. However, especially when it comes to this class of vulnerabilities, the counterpoint is that you don't need any specialized skills or to perform any scanning yourself to find them. Search engines like Gray Hat Warfare make it easy to locate exposed buckets by typing in a few keywords.

The purpose of this website is to raise awareness on the open buckets issue. - Gray Hat Warfare

For instance, a simple search for the term 'prod,' often short for 'production,' turns up 18,029 public buckets. I'm sure none of these buckets contain sensitive information /s.

[Image] Hopefully all these buckets are just full of cat photos.

Tale 1: The Gold Standard

When it comes to encouraging the public to report vulnerabilities to you (and trust me, you want to be in the loop on these matters), there are a few basics to follow:

  1. At the very least, make a public security contact available.

    Look into publishing a security.txt file; this is so easy!
  2. Confirm that you've received any reports, so the person reporting knows they've been heard.
  3. Extend a simple 'thank you.'
  4. Optional Bonus - Offer some form of recognition to the reporter, like adding them to a 'Hall of Fame', giving them kudos on a platform, or sending them some swag.

With permission from the affected, Tale 1 is about my amazing experience reporting an open bucket to Monash University.

Step 1, they publish a security.txt file. ★★★☆☆


Step 2 and 3, they acknowledged my report within 24 hours despite me emailing on a Saturday and thanked me! ★★★★★


Step 4, they invited me to put the report in Bugcrowd so I could get recognized for the report. ★★★★★ BONUS ★


They even kept me in the loop about the issue getting resolved.

So easy, right? Why can't all vulnerability disclosures go this well?

Tale 2: The Sassy CIO

Note: For those who've already seen this saga on LinkedIn (follow us), to your potential dismay, I will not be disclosing the company name or those involved. The bucket is still open after all this time.

Proceeding to the next tale, let's now take a look at the worst vulnerability disclosure process I've ever experienced.

The affected company didn't provide any dedicated security contact details, leaving me with just their generic contact forms. Given this scenario, I decided to reach out directly to their CEO and CIO on LinkedIn.

[Image] The message I sent them on August 20.

To my complete astonishment and dismay, I received this response the following morning.


Did the other 2 consultants just give up? Or were they actually sales messages?

I guess they at least get 1 star for acknowledging my report within 24 hours? ★☆☆☆☆

To add to that amazing response, our sassy CIO also blocked me on LinkedIn. I never heard back from the CEO at all.


Amidst my confusion, I decided to ask my LinkedIn network about what I should do. As I should've expected, the internet just wanted to see the world burn. 😂


Getting a Third Party Involved

I don't usually involve a third party, but in this case, it seemed worth a try. The intent was to share enough evidence of the issue with this third party so they could verify it. Then they could approach the impacted company as a trusted intermediary.

Let's list out everyone I tried contacting and what their response was:

  • I contacted 6 media outlets.

    • Only 1 responded who referred me to the ACSC.
  • I contacted the ACSC.

    • I called their hotline to ask if they can help me with this, they referred me to submit a 'general enquiry' here with feedback type 'other'.
    • The ACSC then referred me to submit an OAIC privacy complaint.
  • I submitted an OAIC privacy complaint.

    • I have yet to hear back anything from them (submitted 24 August) apart from an automated acknowledgement of contact.

Side note: OAIC's automated acknowledgement of contact PDF doesn't correctly fill out the date. Has this ever been tested by anyone?


All of that seemed like a dead end.

Troy Hunt - haveibeenpwned

As a final option, a friend recommended contacting Troy Hunt. To my relief, he offered to help verify the issue and attempt to elicit a response from the same individuals I had reached out to.

[Image] Yay!

The end.

Or so I thought.

As I write this, it is now September 15th. My first message about this was sent to the affected company on August 20th. Their blob storage is still publicly accessible and I've moved on to working on other things.

Closing

In the end, the two tales show two sides of the same coin. The first story serves as an exemplary model of how to successfully handle such disclosures, demonstrating that collaboration with vulnerability researchers can help improve an organisation's security posture.

In contrast, the second story has mostly been a lesson for me in patience and empathy. Maybe our sassy CIO is actually bombarded with sales pitches similar to my message. 🤷


Originally published by projectblack: A Tale of 2 Vulnerability Disclosures

Copyright notice: posted by admin on 11 November 2023 at 2:55 PM.
Please credit the source when reposting: A Tale of 2 Vulnerability Disclosures | CTF导航