I was browsing the website and got redirected to a random URL. Tracing the requests back, I found that the redirect was caused by improperly sanitized HTML. The exploit more or less gives you an iframe's worth of functionality. This allows for very sophisticated phishing.
Firefox is not vulnerable to this (You might be able to guess what the vuln is from that).
Now this actually pales in comparison to the 2nd exploit I found. I'm significantly less sure this works but I'm still pretty sure it will. I have only tested it out on the preview mode and not published.
The preview mode DOES sanitize (it hits their server and comes back; basic stuff like <script> gets cleaned up). It just doesn't do a very good job at it. Now, they could have 2 different checks, one being more secure when publishing, but this seems unlikely. I'm not really familiar with the applicable laws so I'm not willing to actually publish an attack to test.
The 2nd exploit allows me pretty much free rein on their page. More or less it lets you execute whatever JavaScript you want.
I have sent the company 2x messages through a form they have for reporting security vulnerabilities. However, I'm not even sure that they got through as I never received a confirmation email (it said one would be sent).
I tried calling as well but I just discovered it last night and I haven't gotten through to anyone who knows anything.
My conundrum is this is an EXTREMELY popular website. Top 100 on Alexa, 30bn+ market cap. If this vulnerability is actually real I'm not sure I'm comfortable sitting on the information for a prolonged period of time considering how easy it would be to exploit.
In the meantime I'm going to continue to try and contact the company but I'm not really sure what my next steps should be otherwise.
Does the company have a bug bounty policy?
No?
Then keep your mouth shut and get on with your life.
A significant percentage of people in power will react to unsolicited warnings of security vulnerabilities by attacking you as though you were their enemy. Worse, the law is at least not clearly on your side. This is not theoretical: people have come to significant harm in this way. Being a hero is great. Being a martyr? Not so much. You don't want next week's top HN story to be an appeal for donations to the legal defense fund of sah88.
As JCR wrote: "The safe and sane approach is to contact CERT [3,4] through their vulnerability reporting page [5] and let them contact the vendor."
[5] http://www.kb.cert.org/vuls/html/report-a-vulnerability/
All-in-all, don't tell people unless you have explicit, written proof of the company's consent to pentest their application, because it's simply not worth risking your entire life because someone in power's day is ruined by your curiosity.
Just keep your mouth shut or you will quite likely be sued. The only thing you should do is simply not trust that particular company with your data anymore.
If the risk to public good is great enough and the bug simply must be revealed then it should be done anonymously and with full disclosure. Contacting the company will only give your address to them.
The OP said he used a form for reporting security vulnerabilities on the site. Does he still have to be afraid to get sued in such a case?
The safe and sane approach is to contact CERT [3,4] through their vulnerability reporting page [5] and let them contact the vendor. If you're curious, the CERT disclosure policy is good reading [6].
[1] http://www.wiretrip.net/p/libwhisker.html
[2] http://www.cert.org/vulnerability-analysis/vul-disclosure.cf...
[5] http://www.kb.cert.org/vuls/html/report-a-vulnerability/
[6] https://www.cert.org/vulnerability-analysis/vul-disclosure.c...
I tried calling but just got bounced around and I'm not sure anyone actually understood/cared. I've got a nice early season cold going so not really interested in sitting on the phone for hours so I've given up on that.
I'm going to email blast as many of the emails I can get and if I don't hear anything back from them by Monday I'll pass it onto CERT.
2) It's HIGHLY unlikely that you are the first person to discover this, especially if it's a top 100 site. Those sites are constantly probed by attackers looking for exploits precisely because they are so valuable. Something like XSS due to unsanitized input would be found quickly as there are automated tools that do exactly that. Just report it to CERT, as suggested.
3) You may have hit a honeypot.
The law is not on your side in most countries; there are honest security researchers in jail for doing things like this, so beware of your personal safety at all times.
If you already identified yourself and followed their security submission page and they did not follow up, then it's best to leave it at that. Above all, don't get in personal trouble because of this; it's not worth it.
If a house is on fire, don't be a hero. Call 911.
1. You haven't given them enough time to acknowledge it.
2. They are not acknowledging it to limit their liability. Suppose a black hat subsequently finds it and uses it to cause harm, and a victim sues. The acknowledgement to you could be used as proof that they knew about the bug before it was exploited.
You've done all you should do for now. You should now wait long enough for them to fix it. Take into account that there may be complications you are unaware of due to how their backend works, or due to how their development and testing is done, or how their bureaucracy works, so be generous.
Then check to see if the problem is still there. If it is, then go public anonymously, with just the technical details. Leave out the history of attempting to contact them (it could compromise your anonymity).
My problem is really that the company should probably have 24/7/365 security support standing by given the industry. I sent in two reports but I never got a confirmation email for either. The original item (to emphasize: I never published anything on the site; this item was posted by another user and I was actually interested in purchasing it until I got redirected) which I have reported by phone and by form is still up on their site redirecting users. This one redirect doesn't actually appear malicious, though, but I have no way of telling how many other items are affected. At some point I feel there is a moral obligation for me to disclose the information, which leads me to my second problem.
I have no fucking idea if I'm just overly worried (judging by the comments it would seem so) about the vulnerability. I also have no real idea of how serious it is. But it seems to me that even if a fraction of a fraction of transactions are affected it would still amount to a large amount of stolen information.
What I would really like is for them to email me back and say either "Oh wow yeah thanks for catching that" or "God damn you dumbass, no that's not actually a problem because xyz"
I received an offer about 10 years ago, on a Friday evening, to sell me 100k stolen credit cards, and was given a sample of 10k stolen credit cards to show they were serious. I did some checking and determined that the samples seemed real.
I called the FBI to report this. They were not interested, and suggested I try the Secret Service. I did, and they were not interested.
I tried a couple major credit card companies. One was not interested. One gave me an email address to forward the sample list and the full list offer to and said someone would look at it Monday morning.
[1] http://www.bbc.com/news/technology-29310042
They're not going to acknowledge any issue until they've patched it if they're smart.
Respectfully, this sort of fear is what holds the Internet back. You are incredibly unlikely to get sued unless: you are threatening to disclose publicly, you intentionally stole data from the site and are storing it now, you threaten to sell said stolen data to a journalist or anyone else, etc.
It costs companies, generally, a lot of money to sue someone. They aren't interested in doing it unless you seriously piss them off or actually cause their business/revenue harm.
If you are not weev, trolling them publicly and saying you'll sell their data, you can likely disclose and be fine. Just be nice about it.
By being nice, I have disclosed hundreds of vulnerabilities over the years, in this manner. Sometimes they even let me write a blog post about it afterward.
If you want, email me and we can discuss in more detail. Email is in my profile.
tl;dr: find someone to contact via LinkedIn or email (CISO or CTO usually works well), be incredibly nice and non-threatening about it, and you'll be fine.
I'm a kind person, but my #1 obligation is to my family, not random internet website users.
The Internet can never be risk free. You post data online, you can expect a low probability of it getting lost / stolen. You're fine with that, because most data is actually not that private, and because you somehow benefit from posting it online.
Security vulnerability reporting must be risk free, because it's possible for it to be. You just need a proper law.
Do this with technical people, but also with IT managers from the company, and it's worth sending it to the CEO.
Explain what the risks are (is it persistent XSS visible by other users in a forum, etc.)
These things are only important until some manager says they are important, so try to explain the business and public image risk of the exploit to a high level manager via LinkedIn in non-technical terms, ideally with a demo. If they forward the email to the IT department I bet that then they would act.
Last case, if responsible disclosure doesn't work after 3/6 months: public disclosure via some news site. All of a sudden it gets fixed in two days, and the end users end up being better off in the long term.
Unpatched exploits that stay there for years are the bread and butter of hackers, and the short term risk introduced by the public disclosure is compensated by the fact the users get protected in the end.
Or if they don't respond at all, immediate public disclosure. If that's how they want to play the game, then let's play.
Be wary if they ask for your name straight away because companies have been known to sue.
"So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special."
Linus Torvalds, Tue, 15 Jul 2008
Give them 28 days, then pastebin it and stick it on reddit.
But now you can't do a thing because they know who you are and will sue you so forget about it and stop using their products.
Every day they possibly get hundreds of emails to their security@ email address. The vast majority of it breaks down into categories of spam and support requests. Then when you have removed that you are left with a pile of "security disclosures", the vast majority of which are a very poor standard, or generated by some sort of scanner software that's returning garbage results.
After this gets filtered the remainder are legitimate issues that need to be investigated. Bear in mind you might not get one of these for weeks and weeks, but you still have to filter the other hundreds of emails.
For all but the largest internet companies (think Apple and Google), they can't afford to tend to this filtering process 24/7. So this happens Mon-Fri during business hours, and if it's a legitimate report it will make its way to a security engineer.
So, what am I getting at? You've taken the right steps to report this. What you have described sounds like a vulnerability; who knows how long it's been there. Given that and the nature of the vulnerability, the likelihood of this being exploited over the coming days sounds low. So we don't have to go to DEFCON 5 just yet. Don't expect companies to react to these reports within hours or over the weekend; there's just too much noise to make this sort of thing feasible. Please give the company a chance to do their thing; this could take a business day or two just to get acknowledged, and another couple of days to patch (depending on the technical difficulty).
By the way, this pretty much outlines the value proposition of the Hacker One service[1] and why companies should use them. As bug bounties become more popular, the long tail of garbage security reports will increase and so will the overhead cost to run one of these programs effectively (quick response times, qualified engineers triaging the inbound queue, etc.).
You stated that you sent them two messages via a form dedicated to reporting security vulnerabilities and even tried to call them. I think you have done more than enough and can relax and wait. (Don't bombard them with too many emails.)
Some in these comments say that you might get sued. As long as you don't publish or threaten to publish the vulnerability, I don't see that happening (but then again, IANAL).
It is always exciting when you find (your first) vulnerabilities on "high value" targets, but at the end of the day a layman might not realize that most of the websites, even in the Top 100 on Alexa, have some security problems.
If you personally use the site and fear for your security, you may want to try a bit harder. For example I have tried multiple times to let my bank know about a vulnerability, but never got a satisfactory answer.