slavco
Dec 28, 2018 · 3 min read

It happened. My research, with results on a live target that hosts sensitive data, is finally public! It is public after eight months of being censored by a platform whose motto is responsible, even coordinated, disclosure. Finally, the reports saw the light of day! Now my work is public, not mediated, a witness to a clash between information technology and beliefs.

Chronology

  1. Report marked as a duplicate of a 4-year-old one, after a day and a half of proving the technique.
  2. I disagreed with the resolution and, after filling in / summing up the information into a separate report and giving extra arguments, I requested mediation, because these are technical facts vs beliefs.
  3. Mediation refused, not performed, and no clear or even obscure technical evidence shown as to why the methodology isn’t OK.
  4. I remained on my point of view that the reports should be disclosed — refused.
  5. I waited 3 months and requested the reports to be disclosed (coordinated disclosure), even with moderated content — refused.
  6. When compromise isn’t an option, hello escalation.
  7. Shit-storm everywhere, any time, with everything…
  8. Reports are public now (to my surprise), but not mediated, nor was I contacted about the disclosure.
  9. I won this battle… (depends on perspective)

What is the threat from the report — Eli5

If you run an H1 program, or you are a triage member or a researcher, and you visit some web site while logged in on H1, that web site could learn a lot of information from your visit, like:

  • The number of open critical/high/medium issues in the last week/two weeks/month
  • Whether you are logged in on H1 and what type of user you are

In fact, everything you see on your screen that is accessible via the GraphQL / REST API could be counted, or checked for existence under given search terms and within a certain time interval.

Program owners were using a system that leaks information cross-site

For the past eight months, everyone who was using H1, from any account type, and surfing the web while logged in was under threat of disclosing information about the account used. I think they were not warned.

Attack surface

The attack still works on any browser, and for accurate results ~100 requests towards H1 are needed, e.g. the victim visits the attacker’s page and after ~100 requests that site could learn quite a lot of data about the program (open critical issues for the last month, etc.), and that data could be processed offline, e.g. the attacking site only needs to collect the measurements.
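As an added example from the defender’s side (not code from the original post or from H1), the sketch below shows two things a platform can do against the pattern just described: refuse cross-site requests to authenticated API endpoints using the browser’s Fetch Metadata header (Sec-Fetch-Site), and scan access logs for a session that issues a burst of cross-site API requests, the ~100-request measurement. The log line format, the session ids and the API paths are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints that return per-account data and therefore must not be reachable
# from another site with the victim's cookies (assumed paths for this example).
API_PREFIXES = ("/graphql", "/api/")


def is_cross_site_api_request(headers: dict, path: str) -> bool:
    """Fetch Metadata check: True if a request to an authenticated API path was
    initiated by a different site (the browser sets Sec-Fetch-Site: cross-site).
    A server can refuse such requests before doing any of the expensive work
    whose duration an attacker page would measure."""
    if not path.startswith(API_PREFIXES):
        return False
    return headers.get("Sec-Fetch-Site", "").lower() == "cross-site"


def flag_burst_sessions(log_lines, threshold=50, window=timedelta(seconds=60)):
    """Detection: return session ids that issued at least `threshold` cross-site
    API requests inside any `window`. Log line format (constructed for this
    example): '<ISO timestamp> <session id> <path> <Sec-Fetch-Site value>'."""
    events = defaultdict(list)
    for line in log_lines:
        ts, sid, path, fetch_site = line.split()
        if is_cross_site_api_request({"Sec-Fetch-Site": fetch_site}, path):
            events[sid].append(datetime.fromisoformat(ts))
    flagged = set()
    for sid, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(sid)
                break
    return sorted(flagged)


# Constructed sample log: one session is driven through 100 cross-site GraphQL
# requests within 25 seconds (a measurement burst); one session browses normally.
SAMPLE_LOG = (
    [f"2018-12-28T10:00:{i // 4:02d} sess_victim /graphql cross-site" for i in range(100)]
    + [f"2018-12-28T10:00:{i:02d} sess_normal /graphql same-origin" for i in range(10)]
)

if __name__ == "__main__":
    print("sessions showing a cross-site request burst:", flag_burst_sessions(SAMPLE_LOG))
```

Older browsers do not send Sec-Fetch-Site, so the header check is a complement to SameSite cookies and CSRF tokens, not a replacement.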

I demand mediation for the report

Now that the report is public, anyone can face the facts with me and Jobert (and the crew who were not convinced). I have proved that the report is far from a duplicate; I measured everything and calculated/crunched the results, and that makes it unique work at the moment, because the environment, i.e. the platform architecture, allowed this attack: server-side complexity, predictable URLs, system 500 errors (very important ones), and no CSRF tokens for the requests.

Where this attack is effective

On online platforms which hold valuable information, like security systems, health institutions, ecommerce solutions, … i.e. everywhere it is important that attackers cannot learn the type of the user or count events in a certain time frame.

More details pls?!

For now I’ll wait for mediation, because in IT there are no beliefs, there is 0 and 1. Sorry Jobert, your 0.5 isn’t possible here. As in the report, I still request technical arguments, but if you want, we can continue with beliefs.

H1 needs researchers more than researchers need H1

:*

websec

Attack sources + web application security
