dvuln

Published in dvuln

Why you should choo-choo-choose to have a vulnerability disclosure policy (2M+ Accounts exposed)

BACKGROUND

  • Help as many organisations as possible create their own vulnerability disclosure policies that detail how external parties can report security issues in an efficient manner
  • Assist finders/researchers who are having difficulties communicating with the affected organisations, and prevent avoidable premature disclosures and/or legal issues for both sides

SUMMARY

WHAT IS THE IMPACT?

  • 2,357,684 email addresses, usernames and plain-text passwords (247 MB of data)
  • The affected application is purported to have been downloaded by over 10,000,000 users
  • The affected application is ranked #27 globally for Travel apps (according to the Apple App Store)
  • The domain associated with the application dates back to at least 2015/10/08. Additionally, according to the iOS App Store version history, the current version is 5.4.2 and the earliest recorded version (5.1.5) dates back to 14 Aug 2018.
  1. How long has the Firebase Database been openly exposed and have any attackers stolen the data within this timeframe?
  2. Have any other researchers attempted to contact this organisation in the past and failed?
Exposed Firebase Database (hybrid-elixir-108806)

THE ‘TECHNICAL’ PROBLEM

Example of Firebase Rules that allow public read/write access
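The rule sets below are constructed for illustration and are not the affected application's actual rules: the first is the kind of public read/write configuration referred to above, the second scopes access to each authenticated user's own subtree (the `users/$uid` layout is an assumption), and the helper flags any `.read`/`.write` that is unconditionally `true`, which in the Realtime Database cascades to every path beneath it.

```python
import json

# Constructed example: a top-level ".read"/".write" of true cascades to every
# child path, so anyone holding the database URL can dump or modify all data.
PUBLIC_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed hardened version (assumed "users/$uid" layout): each signed-in
# user may only touch their own node. Note that "auth != null" on its own
# would still let every signed-in account read the whole tree.
SCOPED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
""")


def find_public_access(rules):
    """Return (path, permission) pairs where a rule grants unconditional access."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                # Both the JSON boolean true and the string "true" are unconditional.
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, path + "/" + key)

    walk(rules.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    print("public:", find_public_access(PUBLIC_RULES))  # [('/', '.read'), ('/', '.write')]
    print("scoped:", find_public_access(SCOPED_RULES))  # []
```

Running the check against an exported rules file is a quick way to confirm a remediation like the one in the timeline actually removed the unconditional grants rather than just narrowing one path.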

THE ‘OTHER’ PROBLEM

  • After almost 1 month of attempted disclosure by the security researcher and journalist(s), the company was still unresponsive. This is most probably because there was no defined process for reporting such issues.

WHAT IS A VULNERABILITY DISCLOSURE POLICY?

TLDR:

  • ISO29147: Information technology — Security techniques — Vulnerability disclosure
  • Vulnerability disclosure policies are not bug-bounty programs

TIMELINE

  • 28/10/2019: Journalist begins attempting contact (no success)
  • 29/11/2019: Initial triage by www.Securityat.me
  • 30/11/2019: Successful contact with application developer
  • 07/01/2020: Remediation of exposed Firebase Database
