Follow

PLEASE BOOST FOR VISIBILITY (reposting on this account too)

HACKERS: I have a request

A notable, widely-used dating app I've been reverse engineering exposes user's postcodes, addresses, and google placeid via the public feed, meaning anyone can find anyone's location.

This is disastrous as the app caters exclusively to LGBTQIIA people, potentially exposing them to harassment.

I have been working on a python API for this application, and I would like to release it into the open.

I have contact the staff and while they state they will respond in 72 hours, it has been over a week and they have not responded (They did get the email, because an automated email was sent back to me).

I cannot in good conscience publish this API at the moment, despite that I would very much like to add it to my CV, as it represents the only recent work I have done.

What do I do? Is there a place I can file a report for this kind of thing? A CVE seems a bit too harsh.

How can I get them to deal with this, while staying legally protected?

Any advice on this matter would be GREATLY appreciated.

ANY assistance by people versed in vulnerability disclosure would be GREATLY appreciated

Show thread

Happy to announce that the vulnerability has been fixed as of yesterday!

Thank you so much to everyone who boosted, favourited, and replied :)

Show thread

vulnerability disclosure, long 

vulnerability disclosure, long 

@thegibson @m4iler @alexandria For responsible disclosure to work the company has to care.

@thegibson Would it be ok if I CC you in to a private message with the (slightly redacted) initial message I sent out, and the proposed second email, I'm having to juggle several people here :)

@thegibson @m4iler That's good, but they're a handful-of-people startup. They barely have enough manpower to maintain the app

@alexandria @TheGibson @m4iler If you think they're acting in good faith and are merely understaffed|not understanding rather than callous or malicious, then tell them what you told us, and warn them that if they insist on not fixing their shit, you will go public.

This is very serious and creatures could get badly hurt. Being a small startup does not excuse this. The public needs to know.

@alexandria @TheGibson @m4iler If you want to be REALLY nice, you can offer to consult for them and actively help them develop a fix.

@alexandria Why is a CVE too harsh? Isn't that what a white hat hacker does?

@alexandria a CVE is probably not appropriate because it’s not a vulnerability in widely-used software, but in custom software only in use by them, if I’m understanding correctly.

Deadlines for vulnerability disclosures are most commonly 90 days, in my experience.

Is the company in the EU? If so, the Information Commissioner’s Office might like to know, but otoh be careful and do some research, because hacking laws aren’t always friendly to security research.

@qyliss Unfortunately the company is in the US. It's not custom software, the app is on the Google App Store and in use by a semi-large number of people.

@alexandria right, but presumably the vulnerability is not in their app, but the software running on their server, no?

@alexandria @qyliss report it to Google then and any data regulator for a country it's active in; especially if you can demonstrate it to an EU user

@alexandria a CVE is appropriate. Apps like this are putting in danger lifes of people. Don't care if this company fails, just care of people.

@alexandria You might be able to draw some info on how to proceed from this talk (it contains the story of how the speaker communicated with the corporation as well as the description of the bug): media.ccc.de/v/froscon2015-152

Sign in to participate in the conversation
hackers.town

A bunch of technomancers in the fediverse. Keep it fairly clean please. This arcology is for all who wash up upon it's digital shore.