Hello Mastodon! I haven't really posted anything here since I'm socially awkward but I come with a cry for help.

I am not a security professional (although I strive to be), just an engineer, so I need some advice. I found an unprotected endpoint on one of the sites I use daily for my business that allows read access to all documents, regardless of who they belong to. I disclosed the vulnerability to the company that owns the platform and their dev team is already working on a fix. The thing is, their OpSec is pretty much non-existent and I lack the knowledge to know what to do here. Is this something that should be disclosed to the public after it's patched? I also want to recommend they check their logs to see if someone has exploited this before, but I lack the confidence lol.

Could anyone tell me how I should recommend they handle this? Is this maybe something I should NOT do?

Thank you lovely people :)
#opsec #redteam #vulnerability #disclosure #infosec

tl;dr with some fuzzing you have read access to all financial records any client of the platform might have
@deathbyknowledge does your employer have a contract with them? If yes, it may be more complicated.
@jerry no, sorry, forgot to mention I'm a contractor. So it's just me as a self-employed person using their services
@deathbyknowledge @jerry You could report it to your appropriate security authority (e.g., in Germany that would be @bsi). They can usually evaluate how critical the vulnerability is, and may be able to help you coordinate a responsible disclosure.
@jfkimmes @jerry @bsi perfect, will do the research. Thanks!!!
@deathbyknowledge @jerry this has been a hard one for me in the past…
Sometimes it is almost impossible to get anyone to understand that there is actually a problem there.
Breaking it yourself to prove there is a problem puts you in a bad spot, and public disclosure can harm a lot of innocent bystanders… because it’s almost impossible to get anyone to understand there is even a problem.
The most moral thing to do may be to demand a fix and leave (if required).

@deathbyknowledge Hi! Not an infosec guy but I have found myself in your situation a couple of times. My advice is to not push the issue too much - you've alerted them to it, and that's all you can do.

Some companies can be combative and will accuse you of hacking them, and what you did was technically illegal (yes really).

@ZebraNorth Thanks for the tip. They have not been combative at all so far, but you never know.

The only urge I have is... my data is there too. I'd like to know if it has been compromised :/