It happened. My research, with results on a live target that hosts sensitive data, is finally public! It is public after eight months of being censored by a platform whose motto is responsible, even more, coordinated disclosure. Finally, the reports saw daylight! Now my work is public, not mediated, a witness to a clash between information technology and beliefs.
- The report was marked as a duplicate of a 4-year-old one, after a day and a half of proving the technique.
- I disagreed with the resolution; after filing and summing up the information in a separate report and giving extra arguments, I requested mediation, because this is technical facts vs. beliefs.
- Mediation was refused and never performed, and no clear, or even obscure, technical evidence was shown as to why the methodology isn't OK.
- I stood by my point of view that the reports should be disclosed: refused.
- I waited 3 months and requested that the reports be disclosed (coordinated disclosure), even with moderated content: refused.
- When compromise isn't an option, hello escalation.
- Shit-storm everywhere, any time, with everything…
- The reports are public now (to my surprise), but not mediated, and I was not contacted about the disclosure.
- I won this battle… (depends on the perspective)
What is the threat from the report? ELI5
If you run an H1 program, or you are a triage member or a researcher, and you visit some web site while logged in to H1, that web site could learn a lot of information from your visit, like:
- The number of open critical/high/medium issues in the last week/two weeks/month
- Whether you are logged in to H1 and what type of user you are
In fact, everything you see on your screen that is accessible via the GraphQL / REST API could be counted, or checked for existence under given terms and within a certain time interval.
Program owners were using a system that leaks information cross-site
For the past eight months, everyone who was using H1, from any account type, and surfing the web while logged in was under threat of disclosing information about the account in use. I think they were not warned.
The attack still works in any browser, and for more than accurate results ~100 requests towards H1 are needed, e.g. the victim visits the attacker's page and after ~100 requests that site could learn quite a lot of data about the program (open critical issues for the last month, etc.), and that data could be processed offline, e.g. the attacking site just collects the measurements.
I demand mediation for the report
Now that the report is public, anyone can face the facts with me and Jobert (and the crew who were not convinced). I have proved that the report is far from a duplicate; I measured everything, calculated/crunched the results, and that makes it unique work at the moment, because the environment, i.e. the platform architecture, allowed this attack: server-side complexity, predictable URLs, system 500 errors (very important ones), no CSRF tokens for the requests.
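One way a site can close the conditions listed above (cross-site requests reaching the API with no CSRF token, each one costing server work and sometimes ending in a 500): an added defensive example in Python, not HackerOne's code. The header names follow the Fetch Metadata and CSRF-header conventions; the token value and the sample requests are constructed for the demo.

```python
"""Resource isolation for a GraphQL/REST API meant only for the site's own
front end. Two independent checks run before any application logic, so a
cross-site request gets the same cheap, fixed 403 and leaves no timing or
500-vs-200 signal to measure:
  1. Fetch Metadata: Sec-Fetch-Site must be same-origin/same-site/none.
  2. A per-session anti-CSRF header on every request, reads included, which
     a cross-site page cannot attach without a CORS preflight (and the API
     sends no Access-Control-Allow-* headers, so the preflight fails).
"""
import hmac
from typing import Optional

ALLOWED_SITES = {"same-origin", "same-site", "none"}  # "none" = typed URL/bookmark
UNIFORM_DENY = (403, {"error": "forbidden"})          # identical for every rejection


def reject_reason(headers: dict, session_token: str) -> Optional[str]:
    """Return None if the request may reach the API, else why it is refused.

    `headers` has lowercase keys; `session_token` is the anti-CSRF value the
    server issued to this session (constructed here, bound to the session).
    """
    site = headers.get("sec-fetch-site")
    if site is not None and site not in ALLOWED_SITES:
        return "cross-site"            # e.g. attacker page calling the API
    sent = headers.get("x-csrf-token", "")
    # Constant-time compare so the token check itself is not a timing oracle.
    if not hmac.compare_digest(sent, session_token):
        return "missing-or-bad-token"  # old browser without Fetch Metadata, no token either
    return None


def handle(headers: dict, session_token: str, run_query) -> tuple:
    """Gate the request; run_query (the real, expensive work) runs only when allowed."""
    if reject_reason(headers, session_token) is not None:
        return UNIFORM_DENY
    return 200, run_query()


# Constructed sample requests; the token is a demo string.
TOKEN = "demo-session-token"
FRONTEND = {"sec-fetch-site": "same-origin", "sec-fetch-mode": "cors",
            "x-csrf-token": TOKEN}
ATTACKER_FETCH = {"sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors",
                  "origin": "https://attacker.example"}
OLD_BROWSER_IMG = {}  # no Fetch Metadata at all, e.g. <img src="/api/...">

if __name__ == "__main__":
    count = lambda: {"open_critical_last_month": 3}  # constructed payload
    print(handle(FRONTEND, TOKEN, count))        # (200, {'open_critical_last_month': 3})
    print(handle(ATTACKER_FETCH, TOKEN, count))  # (403, {'error': 'forbidden'})
    print(handle(OLD_BROWSER_IMG, TOKEN, count)) # (403, {'error': 'forbidden'})
```

Because the gate returns before the query runs, the ~100-request measurement described above sees one flat response regardless of the victim's account type or issue counts.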
Where this attack is effective
On online platforms which hold valuable information, like security systems, health institutions, e-commerce solutions, … i.e. everywhere it is important that attackers not be able to understand the type of the user or count some events in a certain time frame.
More details, please?!
For now I'll wait for mediation, because in IT there are no beliefs, there is 0 and 1. Sorry Jobert, your 0.5 isn't possible here. As in the report, I still request technical arguments, but if you want, we can continue with beliefs.
H1 needs researchers more than researchers need H1