Company Storing Families' Personal Data Blocks Users/Researchers Informing It Of A Security Flaw
from the blockchain,-but-for-ignoring-your-problems dept
It must be repeated over and over: people who discover security flaws and report them are not the enemy. And yet, company after company after company treat security researchers and concerned users like criminals, threatening them with lawsuits and arrests rather than thanking them for bringing the issue to their attention.
Kids Pass — a UK company providing discounts for families attending restaurants, theaters, and amusement parks — had a problem. Any user could access any other user’s personal information just by altering numbers linked to user IDs in the URL. A concerned user told security researcher Troy Hunt about the flaw. (via Boing Boing)
[J]ust this weekend I had a Twitter follower reach out via DM looking for advice on how to proceed with a risk he’d discovered when signing up to Kids Pass in the UK, a service designed to give families discounts in various locations across the country. What he’d found was the simplest of issues and one which is very well known – insecure direct object references. In fact, that link shows it’s number 4 in the top 10 web application security risks and it’s so high because it’s easy to detect and easy to exploit. How easy? Well, can you count? Good, you can hack! Because that’s all it amounted to, simply changing a short number in the URL.
Here’s the example the user passed on to Hunt:
Hunt told the user to stop doing anything — including accessing other users’ information — and immediately inform the company. The user did as instructed, contacting the company via Twitter direct message. Shortly thereafter, the user informed Hunt Kids Pass had blocked him on Twitter.
Hunt then made an attempt to speak to someone at Kids Pass… only to find out he had been blocked as well, most likely for having the gall to retweet the concerned user’s message about the security flaw.
The responsible, ethical approach — notifying a company of a security flaw as soon as possible — was being treated like some sort of trollish attack on Kids Pass’ Twitter account. From all appearances, the company simply wanted everyone to shut up about the flaw, rather than address the concerns raised by userw.
It was only after Hunt asked his followers to contact the company on his behalf that Kids Pass finally unblocked him and told everyone the “IT department was looking at it.”
The belated reaction doesn’t make up for the initial reaction. And Kids Pass has shown it has little interest in addressing security flaws until the problem becomes too public to ignore. Hunt points to a blog post by another security researcher who informed Kids Pass last December about its insecure system — including the fact it sent forgotten passwords in plaintext via email to users. He heard nothing back, finally publishing his discoveries in July.
If you want people to be good web citizens and report breaches and flaws, you can’t treat them like irritants or criminals when they do. Securing users’ personal info is extremely important, but some companies seem to feel they should be able to handle it however they want and mute/sue/arrest those who point out how badly-flawed their systems are.