Hipchat has suffered an #infosec incident

https://blog.hipchat.com/2017/04/24/hipchat-security-notice/

They're blaming a "third party library" but, -extremely- annoyingly, have neglected to state which library it is - so be prepared to keep an eye out for other services having incidents in the future, if this isn't a case of hipchat having used something catastrophically out of date.

Update: this is third-hand information, but a contact of mine at a competing organization who is organizationally familiar with the matter has been informed that the library in question has not yet been patched.

So the wumpus is out there, and we'll likely end up seeing a patch in...something get pushed out relatively soon.

@munin I wonder if we'll be seeing some "CloudBleed" shenanigans again.

I wonder if the Google PZ guy ever got his god damned t-shirt. I mean he DOES deserve the highest honour Cloudflare's bug bounty program doles out. (Which is a t-shirt)

@maiyannah Oh, who can tell. Between the wormable SMB shenanigans from the 14th and this nonsense, it's gotten to be a very busy month.

@munin I just can't get over the t-shirt thing. Way to show you take your bug bounty program seriously.

@maiyannah Yeah, no kidding.

This gets into that whole politics around disclosure, but...it's my opinion that, if a vendor has no desire to work with folks who discover that kind of thing, it's probably better for everyone that uncoordinated full disclosure take place.

@munin @maiyannah FWIW, Cloudflare was incredibly responsive in working with Project Zero to fix it as quickly as possible so they could also disclose it very quickly.

They definitely should consider a real bug bounty, but they're far from having "no desire to work with folks".

@ocdtrekkie @munin Did you read the GPZ reporter's own account? There was a lot of feet dragging here.

@maiyannah I did read it, but:

"The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes."

I hardly think a 7 hour fix on a Friday night is "feet dragging".

@ocdtrekkie Yeah, because they released it early when they didn't respond.

@maiyannah The Friday they were working on it was the exact same Friday that Tavis tweeted asking how to get a hold of Cloudflare. How fast is someone supposed to respond?

@maiyannah According to the Cloudflare blog's disclosure timeline, 21 minutes passed between said tweet from Tavis asking how to get in touch with Cloudflare, and Cloudflare getting the info about the flaw.

@ocdtrekkie sure, if "Your call is important to us, please hold" constitutes contact

@maiyannah https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

"I don't have any cloudflare contacts, so reached out for an urgent contact on twitter, and quickly reached the right people."

"After I explained the situation, cloudflare quickly reproduced the problem"

"Really impressed with Cloudflare's quick response"