You may have heard recently about a website that collects reviews of businesses based on their friendliness to MAGA hats. Well, it turns out that the site has some glaring security flaws, namely the developer’s credentials hard-coded into the app and an API that doesn’t have any security on it whatsoever, allowing anyone to pull the entire user database.
Naturally the owner has responded in classic Trump fashion – deny that there is a problem, attack the security researcher for being politically motivated, and threaten to call the FBI.
(Mods, I apologize if this is too political for MPSIMS, wasn’t sure if it was heavy enough for any of the other forums).
Computer science is biased against conservatives. Everyone knows that.
To be fair, though, it’s generally considered poor form to go public with vulnerabilities unless you’ve first reported them privately to the vendor and given them time to fix them. On the other hand, these are so bad that I can see the argument that responsible disclosure was less important than warning users off the app.
ETA: I wonder how this guy felt when Trump called for the Russians to hack Clinton’s emails.
Responsible disclosure is a continuing debate. There are best practices (two I could find easily involve 90-day and 120-day deadlines), but the whole concept relies on the person being disclosed to (the developer) being willing to accept responsibility and fix the problems. Most developers are willing to do this, or perhaps have a reasoned debate over whether there is a security flaw to begin with (this gets complicated in practice sometimes), but the yahoos who developed this app are apparently unwilling to even countenance the idea that they did anything wrong.
And to be clear, this is what was discovered in this case:
- Wallace had left his username, email, and a plaintext password in the code—twice.
- There is no authentication for any of the application programming interface calls, so someone could spoof any user—essentially giving them administrative access to the API.
- All of the APIs are clearly defined as URLs in the source code.
- By using the “Get user by ID” API call, someone could retrieve the user name, email, ban status, and other details on each user account. Passwords were not in this data, but the entire user database could be retrieved by iterating through all the possible first letters or digits of an account ID.
- Any user could be blocked using an HTTP Post to the “block” API.
Any one of those flaws is fatal to the security and usability of the app. The only thing the developers apparently did not do was leak their users’ plaintext passwords. They did everything else wrong, including making baseless legal threats to the person who discovered the holes.
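As an added illustration (not code from the app or from the article), here is the unauthenticated “Get user by ID” pattern from the list above beside a hardened version that requires a server-signed bearer token, checks that the caller is allowed to read that particular record, and puts the same gate in front of the “block” endpoint. The in-memory user table, the token format, the `role` field and treating “block” as an admin action are all constructed assumptions.

```python
import hmac, hashlib, secrets

# Constructed in-memory user table standing in for the app's real database (hypothetical).
USERS = {
    "u1": {"id": "u1", "name": "alice", "email": "alice@example.invalid", "banned": False, "role": "user"},
    "u2": {"id": "u2", "name": "bob", "email": "bob@example.invalid", "banned": False, "role": "admin"},
}
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment key loaded from config, never committed to source

def vulnerable_get_user(request, user_id):
    """The flaw described above: no authentication, so anyone can walk every ID and dump the table."""
    return USERS.get(user_id)

def issue_token(user_id):
    """Issue a session token bound to the user ID with an HMAC; a client cannot forge one for another ID."""
    tag = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"

def authenticate(request):
    """Return the caller's user record, or None if the bearer token is missing, malformed or forged."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer ") or "." not in auth[7:]:
        return None
    user_id, tag = auth[7:].rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return USERS.get(user_id)

def hardened_get_user(request, user_id):
    """Authenticated and authorized read: only the record's owner or an admin may see it.
    A non-admin gets the same 404 for someone else's ID whether or not it exists (no enumeration oracle)."""
    caller = authenticate(request)
    if caller is None:
        return 401, None
    if caller["role"] != "admin" and caller["id"] != user_id:
        return 404, None
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)

def hardened_block_user(request, user_id):
    """The 'block' POST also requires a valid token, and (assumption) an admin role."""
    caller = authenticate(request)
    if caller is None:
        return 401
    if caller["role"] != "admin":
        return 403
    if user_id not in USERS:
        return 404
    USERS[user_id]["banned"] = True
    return 200
```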
Yeah, I’m not defending the bozos who “developed” this app. And I agree that the problems were so egregious that you can easily make a case that responsible disclosure should be viewed here about like Captain Kirk views the Prime Directive.
I didn’t read deeply in this case. Did the researcher contact the developer before going public? Clearly the post-disclosure reaction shows the developer to be an enormous douche and nincompoop. But I had the impression that the researcher didn’t contact the developer before disclosing.