PLEASE BOOST FOR VISIBILITY (reposting on this account too)
HACKERS: I have a request
A notable, widely-used dating app I've been reverse engineering exposes users' postcodes, addresses, and Google Place IDs via the public feed, meaning anyone can find anyone's location.
This is disastrous as the app caters exclusively to LGBTQIIA people, potentially exposing them to harassment.
I have been working on a python API for this application, and I would like to release it into the open.
I have contacted the staff, and while they state they will respond in 72 hours, it has been over a week and they have not responded (they did get the email, because an automated email was sent back to me).
I cannot in good conscience publish this API at the moment, even though I would very much like to add it to my CV, as it represents the only recent work I have done.
What do I do? Is there a place I can file a report for this kind of thing? A CVE seems a bit too harsh.
How can I get them to deal with this, while staying legally protected?
Any advice on this matter would be GREATLY appreciated.
ANY assistance by people versed in vulnerability disclosure would be GREATLY appreciated
Happy to announce that the vulnerability has been fixed as of yesterday!
Thank you so much to everyone who boosted, favourited, and replied :)
vulnerability disclosure, long
@alexandria I have experience in the vulnerability disclosure group of a security consulting company if you want to ask questions. (Feel free to DM.) The answers are probably not things you'll be happy with, unfortunately. 😞
For hosted services, there aren't many third parties that are interested besides maybe news organizations (I can give suggestions, but I wouldn't necessarily recommend this route because you don't have much control). The best option is for the service to fix things, but it sounds like that isn't going as fast as you'd like. It can help to say "I'm planning to publish this on April 11th, let me know if you have any comments". It's polite to provide a copy of the disclosure at that time. (I recommend giving 30 days' notice just as a general guideline, but that's up to you.)
vulnerability disclosure, long
@aschmitz Honestly, the fix would be very easy server-side; they just need to filter out some JSON fields before returning the information.
I'll take that on board and might throw you a DM :)
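One way the server-side fix described above could be structured, as an added illustration that is not the app's code: the public feed is projected onto an explicit allowlist of fields (rather than a denylist that silently leaks the next location field someone adds), plus a recursive check that can be run over the live feed's JSON to confirm nothing location-bearing remains. All field names and values below are constructed.

```python
import re

# Constructed sample of an over-sharing feed entry (hypothetical schema,
# not the real app's); the last four keys are the kind of data that leaked.
RAW_PROFILE = {
    "id": 1234,
    "display_name": "Sam",
    "bio": "Hi there",
    "avatar_url": "https://example.invalid/a.png",
    "postcode": "SW1A 1AA",
    "address": "10 Example Street",
    "google_place_id": "ChIJ-constructed-example",
    "location": {"lat": 51.5, "lng": -0.1, "place_id": "ChIJ-constructed-example"},
}

# Allowlist: only what the public feed legitimately needs. Anything not
# listed here never reaches the wire, whatever the stored record contains.
PUBLIC_FEED_FIELDS = ("id", "display_name", "bio", "avatar_url")


def public_feed_view(profile):
    """Project a stored profile onto the public-feed allowlist."""
    return {k: profile[k] for k in PUBLIC_FEED_FIELDS if k in profile}


# Regression check for the fix: key names that look location-bearing,
# searched recursively through dicts and lists of a decoded JSON payload.
LOCATION_KEY = re.compile(
    r"post(al)?_?code|zip|address|place_?id|location|geo|\b(lat(itude)?|lng|lon(gitude)?)\b",
    re.I,
)


def find_location_keys(payload, path=""):
    """Return dotted paths of every suspicious key found in payload."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if LOCATION_KEY.search(key):
                hits.append(here)
            hits.extend(find_location_keys(value, here))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_location_keys(value, f"{path}[{i}]"))
    return hits
```

Running `find_location_keys` over each entry of the real feed response after the fix ships gives a repeatable "did it actually stop leaking" check that does not depend on reading the server code.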
Have you heard the gospel of responsible disclosure?
@thegibson Would it be OK if I CC you in on a private message with the (slightly redacted) initial message I sent out, and the proposed second email? I'm having to juggle several people here :)
@alexandria sure thing
@alexandria @TheGibson @m4iler If you think they're acting in good faith and are merely understaffed or not understanding rather than callous or malicious, then tell them what you told us, and warn them that if they insist on not fixing their shit, you will go public.
This is very serious and creatures could get badly hurt. Being a small startup does not excuse this. The public needs to know.
@alexandria Why is a CVE too harsh? Isn't that what a white hat hacker does?
@alexandria a CVE is probably not appropriate because it’s not a vulnerability in widely-used software, but in custom software only in use by them, if I’m understanding correctly.
Deadlines for vulnerability disclosures are most commonly 90 days, in my experience.
Is the company in the EU? If so, the Information Commissioner's Office might like to know, but on the other hand be careful and do some research, because hacking laws aren't always friendly to security research.
@qyliss Unfortunately the company is in the US. It's not custom software, the app is on the Google App Store and in use by a semi-large number of people.
@alexandria right, but presumably the vulnerability is not in their app, but the software running on their server, no?
@alexandria You might be able to draw some info on how to proceed from this talk (it contains the story of how the speaker communicated with the corporation as well as the description of the bug): https://media.ccc.de/v/froscon2015-1524-lies_damned_lies_and_scans
@alexandria take it to the press. and/or lawyer up!