Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Responsible Disclosure and Timeframe for Fix

  • 22-08-2014 6:14pm
    #1
    Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭


    Without giving too much away, what is an appropriate time you should allow companies to fix a vulnerability, before going public?

    2 Months Ago: I went through proper channels to report a stupid but serious case of returning customer data on a public API with no identity verification.

    1 Month Ago: Official government channel "finds" my "lost" email and says they've informed the company and are giving them a "chance to respond", which I find a bit silly

    Now: Checked the API again - not fixed, Government channel says company hasn't responded. Gov. channel says it has no intention of upping pressure, tells me to call back next week.

    Given that the fix is stupidly simple I'm furious that it's been left open for a whole month. Am I justified in going public with the existence of the leak (i.e. non-specific details) and naming and shaming?


Comments

  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    I would, I'd be bold about it to.

    Wait and see what others say about potential comeback on you though first.

    Theirs a thread in here about this...somewhere.


  • Registered Users, Registered Users 2 Posts: 27,370 ✭✭✭✭GreeBo


    whats the impact to real people if the service has to be shut down until fixed?


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    GreeBo wrote: »
    whats the impact to real people if the service has to be shut down until fixed?
    Less than if the wrong person finds the bug I'd imagine...customer data.

    Here's a previous thread. Didn't read it yet.


  • Registered Users, Registered Users 2 Posts: 1,110 ✭✭✭Skrynesaver


    I was on the receiving end of a notification once from a security researcher who told us about an XSS vulnerability in our front end. The researcher contacted our client first, who in turn contacted us and provided us with contact detailss of the researcher. We got in touch and I worked with them to resolve our issue.

    We released a field service bulletin to our customer base and provided free upgrades at which point we released a white paper on the vulnerability with the researcher.

    The entire process from notification to white paper took under 3 months.


  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    GreeBo wrote: »
    whats the impact to real people if the service has to be shut down until fixed?

    They have to edit what is returned in the JSON to not include private data. Two-second fix, literally. The information returned isn't fundamental to customer's use of service, so shutting down endpoint for repair would have little effect.

    It's a big national company.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    Company has just put a javascript "service down for essential technical upgrade" message up. The page itself is still making ajax calls to the API, which still returns the customer data, sigh... :rolleyes: Maybe they're still in the process.

    When it's fixed I'll tell ye's more.


  • Moderators, Society & Culture Moderators Posts: 9,768 Mod ✭✭✭✭Manach


    Offhand, based on the data protection regulation that is being proposed the EU, the term being bandied about would be within a reasonable timeframe. Which does make the same sense as how long is a piece of string. Still, the longer the chance that personal customer data (normal or sensitive) might be at risk, the more non-optimal it would appear to an assessor from the DPC or the client's representatives.


  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    ARRRGGGGHHHHHHH

    Company has *removed*! the "down for essential repairs" message and their API remains public!

    I'm rapidly losing faith in doing responsible disclosure via the DPC, next time I'm going via a journalist. Companies getting lucky with a responsible person notifying them and not a malicious person shouldn't give them the right to take their sweet fúcking time with fixing the REALLY SIMPLE PROBLEM.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Unfortunately, most of time, no one gives a sh1t about this kind of thing until something bad happens.

    If its national and contains a large amount of customer data then I would definitely consider going to a journalist.


  • Registered Users, Registered Users 2 Posts: 27,370 ✭✭✭✭GreeBo


    Less than if the wrong person finds the bug I'd imagine...customer data.

    Here's a previous thread. Didn't read it yet.

    Well if it prevented others from doing business then it might not be worth it, hence the question.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,917 ✭✭✭B00MSTICK


    Here's a pretty good example of a company dragging their heels http://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/

    The author went public and suddenly there was a fix for the so-called not-a-vulnerability.


  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    Keyzer wrote: »
    Unfortunately, most of time, no one gives a sh1t about this kind of thing until something bad happens.

    If its national and contains a large amount of customer data then I would definitely consider going to a journalist.

    The customer data isn't the obvious name address credit card type stuff, it's more supplemental data of specific use to technical people, so journalists probably wouldn't see it as newsworthy. People who would doubtlessly like to exploit the data as it is though are: marketing companies, intelligence companies/agencies, russian scam artists.

    I'm due to call DPC tomorrow for an update. If they're unwilling to get them to pull it down immediately, I'll seriously have to consider my options.


  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    I'm bloody well sick of this, here's the full disclosure.

    2nd July 2014

    I wanted to know where Eircom's eFibre order page was getting its details on maximum line speeds from. So seeing as it was all ajax-ey I took a look at the Chrome developer network tab.

    jq6XWW8.png

    There was a ton of private info that could be returned based on just a landline, including information on landlines not listed in the phonebook. Here's a redacted sample of it for my landline number, concerning details bolded:
    
    https://[REDACTED]/[LANDLINENUMBER]
    
    
    <?xml version="1.0"?>
    <search_result xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    [B]<ARD_ID>*****</ARD_ID>
    <UNIT_NO/>
    <UNIT_NAME/>
    <BUILDING_NO>*</BUILDING_NO>
    <BUILDING_NAME/>
    <STREET_NAME_TOWN>********* *******</STREET_NAME_TOWN>
    <POSTAL_DIST_NAME>*******</POSTAL_DIST_NAME>
    <COUNTY_NAME>**********</COUNTY_NAME>[/B]
    <SITE_CODE>***</SITE_CODE>
    <STD_CODE>**</STD_CODE>
    <TELE_NUMBER>******</TELE_NUMBER>
    </search_result>
    
    
    https://[REDACTED]/[ARD_ID]
    
    <?xml version="1.0"?>
    <search_result xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <ARD_ID>*****</ARD_ID>
    <UNIT_NO/>
    <UNIT_NAME/>
    <BUILDING_NO>*</BUILDING_NO>
    <BUILDING_NAME/>
    <LOCATION>********</LOCATION>
    <POSTAL_DISTRICT>********</POSTAL_DISTRICT>
    <COUNTY>*******</COUNTY>
    <CAB_RFO_DATE/>
    <MAX_HSI>**M_**M_R</MAX_HSI>
    <MAX_NRA>**M_**M_FR</MAX_NRA>
    <FIBER_TYPE>FTTC</FIBER_TYPE>
    [B]<CABINET_NO>*****</CABINET_NO>[/B]
    <NGA_EXCHANGE>****</NGA_EXCHANGE>
    <COPPER_EXCHANGE>*****</COPPER_EXCHANGE>
    <PHONE>**********</PHONE>
    </search_result>
    
    
    https://[REDACTED]/[LANDLINENUMBER]
    
    {
      "product": "BB NGA FTTx RES",
      "profileCode": "**M_**M_R",
      [B]"bitstreamId": "***1_***A eth **\/**\/**",[/B]
      [B]"socCode": "*****",
      "ossOwner": "**-**",
      "staticIpFlag": "N",
      "staticIp": "",
      "isFibreCustomer": true
    [/B]}
    
    https://[REDACTED]/[LANDLINENUMBER]
    
    
    {
      "county": null,
      "postalDistrict": null,
      "address": null,
      "fullAddress": null,
      "ardId": null,
      "date": null,
      "maxHSI": "**M_**M_R",
      "maxNGB": "*M_***K_R",
      "maxNRA": "**M_**M_FR",
      "maxDSL": null,
      "exchangeCode": null,
      "cabinet": "***1_***",
      "isNGA": true,
      "isNGB": true,
      "isActive": true,
      "isTownEnabled": null,
    [B]  "isCustomer": true,
      "isFibreCustomer": "true",
      "isBroadbandCustomer": true,[/B]
      "validationType": "phone",
      "phone": "***",
      "error": null,
      "processing": false
    }
    
    
    
    


    So after much musing over the issue of how to let Eircom know their web developer didn't understand the security difference between client-side code and server-side code, I decided to report the matter through the Data Protection Commissioner, so as Eircom couldn't get away scott-free with such lazy leaking of customer data.

    Date: Wed, 2 Jul 2014 17:08:49 +0100
    Subject: Responsible Disclosure of Data Leaking on Eircom Website
    From:
    To: DPC Info <info@dataprotection.ie>

    Dear Sir/Madam,

    I write to inform you that the eircom website is currently leaking private
    information associated with landline telephone numbers.

    When a person checks their landline number for an upgrade to 'eFibre', at
    https://www.eircom.net/broadband/productDetails?id=bu_23 , a number of
    asynchronous client-side calls are made to eircom's APIs, returning data
    about that landline. This is so eircom can tell the customer what speed
    they can expect to get with the product.

    However, the API calls return more data than just the line speed. They
    return the following sample of concerning information as well.


    - *Full address associated with the landline*
    - *The serial number of the street cabinet the landline is connected to*
    - *Whether the landline is a customer or not.*


    This can easily be abused.


    Here are example API calls for my landline number (), although an
    adversary can substitute whatever number they want.

    =================================================


    [I included samples of the data for my landline here, and provided clickable URLs to allow DPC to verify it]

    =================================================


    =================================================


    Yours sincerely,

    [ME]



    Subject: Acknowledgement of your e-mail to the Data Protection Commissioner
    From: "Info" <info@dataprotection.ie>
    Reply-To: info@dataprotection.ie
    Auto-Submitted: auto-generated
    To:
    Message-ID: <[REDACTED]@justice.ie>
    Sender: "Stewart P. Fennell" <SPFennell@dataprotection.ie>
    Date: Thu, 3 Jul 2014 08:49:58 +0100

    To Whom It May Concern

    I acknowledge receipt of your e-mail to the Data Protection Commissioner.
    Where your email relates to a query (as distinct from a formal complaint
    under the Data Protection Acts),
    you should be aware that in line with our Customer Service Charter we aim
    to reply within 15 working days and usually much sooner.
    In doing so, we will communicate clearly, providing you with a full
    response to your query.

    If we are not in a position to issue a reply within that period, we will
    inform you of its status.Regards

    Office of the Data Protection Commissioner
    Canal House
    Station Road
    Portarlington
    Co. Laois
    Date: Wed, 23 Jul 2014 18:54:08 +0100
    Subject: Regarding Email Sent July 2nd 2014
    From:
    To: DPC Info <info@dataprotection.ie>

    Dear Sir/Madam,

    I sent an email to your office 'Responsible Disclosure of Data Leaking on
    Eircom Website' on July 2nd.

    15 working days have now elapsed, and the security hole still exists.

    Regards,

    [ME]


    After my follow up email I received a phone call from a case officer at the DPC. He apologised for the delay and said my email had only now been forwarded to him. He said he would send details of the problem to Eircom, and "tell them to fix it or we'll have to prosecute them".

    I was happy enough with this.

    Weeks later nothing had changed on Eircom's side. I rang the DPC again, was told we had to give Eircom a chance to respond.

    Blah blah blah more calls. I realised I needed to put my consternation in writing.

    Date: Tue, 19 Aug 2014 23:22:12 +0100
    Subject: To Be Forwarded to [CASE OFFICER] Re: Eircom
    From:
    To: DPC Info <info@dataprotection.ie>
    Content-Type: text/plain; charset=UTF-8

    Hi [REDACTED],

    It concerns me that as of now Eircom continue to leak private customer data
    via a public API.

    I would appreciate any update on this matter.

    Regards,

    [ME]


    Badabing badaboom, a few days later Eircom put up this ajax error message:


    hHTfBPy.png


    Fina-fúcking-ly. (I posted my ill-founded relief this on this thread).

    As it turned out, Eircom had something better to do than protect its customers' data, and nothing had changed.

    Rang case officer at the DPC once again, told me he was sending an email with 24-hours threat to Eircom. (In my opinion the 24-hours threat should have been bloody months ago).

    Checked it today, and Eircom have finally consolidated everything into one AJAX call.
    
    {
      "ardId": "***",
      "cabinet": "***",
      "exchangeCode": "***",
      "isBroadbandCustomer": true,
      "isCustomer": true,
      "isFibreCustomer": true,
      "isNGA": true,
      "isNGB": true,
      "maxHSI": "**M_**M_R",
      "maxNGB": "*M_***K_R",
      "maxNRA": "**M_**M_FR",
      "phone": "***-*****",
      "validationType": "phone",
      "completed": true,
      "partialAddresses": [
        
      ],
      "isRedCustomer": false,
      "isNeighborAddress": false
    }
    
    

    Oh well, at least the landline->address lookup API is gone. Right?

    .
    .
    .
    .
    .
    .
    .
    .
    .


    Nope, they haven't taken any of the old API calls offline.


    GRRRRRRRRRRRR

    All the signs point to that I should have just shut up about it, built a reverse marketing directory and sold it to Indian scammers.

    Attached is Eircom's old javascript (publicly available by the way) with evidence of their idiocy regarding APIs (a full list of endpoints). Hopefully they'll cop on some day if we shame them.


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    Good work dalta - it might be worth getting on to some journalists - Karla Lillington, Conor Pope spring to mind, or maybe even Joe Duffy if you fancy trying to explain an API to Joe? Unfortunately, that seems to be the only way that some things change round here.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Folks - The Eircom reps on boards have dropped me a PM. They will be by shortly to discuss (and hopefully resolve) this issue.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Khannie wrote: »
    Folks - The Eircom reps on boards have dropped me a PM. They will be by shortly to discuss (and hopefully resolve) this issue.
    I'll just leave this here. Add a few more later maybe.


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    Thanks Khannie and dalta5billion

    We sent your post for comment and have been advised that access to the legacy api and reverse directory lookups have been removed and are no longer possible.

    We are looking at all other areas to ensure that there are no other data protection issues.

    We do appreciate your bringing this to our attention and can assure you all security issues are taken very seriously.

    Thanks to Mods here for permitting our response and if you do have further queries on this we will do our best to get you a response.

    Tony


  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    Thanks Khannie and dalta5billion

    We sent your post for comment and have been advised that access to the legacy api and reverse directory lookups have been removed and are no longer possible.

    We are looking at all other areas to ensure that there are no other data protection issues.

    Good.
    We do appreciate your bringing this to our attention and can assure you all security issues are taken very seriously.

    >30 days. That's how long eircom left this security issue open after receiving the initial full disclosure. And the only reason it hasn't been longer is because I was forced to disclose it publicly.

    Of course you will be soon be issuing a press release informing all landline owners that their private data was left open to anyone by Eircom for an extended period of time, because all security issues at Eircom are taken very seriously, right?


  • Banned (with Prison Access) Posts: 5,575 ✭✭✭AlanS181824


    Wow Dalta, just finished reading this thread and I have so much new found respect for you.

    You found a pretty serious issue and you reported it and had it fixed, you could've easily exploited it and used it for marketing purposes but you didn't.

    I hope Eircom gave you a years worth of free broadband for sorting a massive security flaw on their behalf! :pac:


  • Registered Users, Registered Users 2 Posts: 237 ✭✭MichealKenny


    Mirroring what Alan said, much respect to dalta for going through all the correct channels as much as possible and getting this solved.


  • Advertisement
  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    FBI Pays Visit to Researcher Who Revealed Yahoo Hack
    Jonathan Hall was trying to help the internet. Earlier this week, the 29-year-old hacker and security consultant revealed that someone had broken into machines running inside several widely used internet services, including Yahoo, WinZip, and Lycos. But he may have gone too far.

    Hall—the president of a security firm called Future South Technologies—went out of his way to spotlight a network of compromised computer servers that, he says, are controlled by Romanian hackers. He published his findings on his blog, saying he simply wanted to help these companies clean up a nasty computer problem. But with his aggressive investigation, he may have run afoul of the nation’s anti-hacking law, the Computer Fraud and Abuse Act, or CFAA.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    But with his aggressive investigation, he may have run afoul of the nation’s anti-hacking law, the Computer Fraud and Abuse Act, or CFAA.


    ^^^
    US says it can hack into foreign-based servers without warrants

    :rolleyes:


  • Registered Users, Registered Users 2 Posts: 9,560 ✭✭✭DublinWriter


    Good work OP!

    The data-breach notification time frame for ISPs and Telcos only is set out under the 2013 European Commission Regulations.

    https://www.dataprotection.ie/secur-breach/


Advertisement