Company Storing Families' Personal Data Blocks Users/Researchers Informing It Of A Security Flaw

from the blockchain,-but-for-ignoring-your-problems dept

It must be repeated over and over: people who discover security flaws and report them are not the enemy. And yet, company after company after company treat security researchers and concerned users like criminals, threatening them with lawsuits and arrests rather than thanking them for bringing the issue to their attention.

Kids Pass, a UK company providing discounts for families at restaurants, theaters, and amusement parks, had a problem: any user could read any other user’s personal information just by changing the numeric user ID in the URL, a textbook insecure direct object reference. A concerned user told security researcher Troy Hunt about the flaw. (via Boing Boing)
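The flaw is easier to see in code than in prose. The following is an added example written for this page, not Kids Pass code: it models a lookup such as GET /members/<id> against an in-memory store, with a fake session standing in for the login cookie. The record layout, the `Session` class and the `is_admin` flag are assumptions made for the illustration. The vulnerable handler trusts the number in the path; the hardened one checks that the caller owns the record before returning it, and answers "not found" either way so the response does not confirm which IDs exist.

```python
"""Insecure direct object reference (IDOR) on a user-record URL.

Added example, not Kids Pass code. Models GET /members/<id> with an
in-memory store and a fake session object (both are assumptions).
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample data: three member records keyed by numeric user id.
MEMBERS = {
    101: {"name": "A. Parent", "email": "a@example.invalid", "children": ["Sam, 6"]},
    102: {"name": "B. Parent", "email": "b@example.invalid", "children": ["Ola, 4"]},
    103: {"name": "C. Parent", "email": "c@example.invalid", "children": []},
}


@dataclass
class Session:
    """What the server knows about the caller from the session cookie (assumed shape)."""
    user_id: int
    is_admin: bool = False


def get_member_vulnerable(session: Session, member_id: int) -> Optional[dict]:
    """The flaw in the article: the id from the URL is used as-is.

    The session is accepted but never consulted, so any logged-in user
    (or anyone who can reach the URL) can read any record.
    """
    return MEMBERS.get(member_id)


def get_member_hardened(session: Session, member_id: int) -> Optional[dict]:
    """Object-level authorization: tie the requested id to the caller."""
    record = MEMBERS.get(member_id)
    if record is None:
        return None
    if session.user_id != member_id and not session.is_admin:
        # Same answer as "no such record", so a probe cannot tell
        # "exists but forbidden" from "does not exist".
        return None
    return record


def enumerate_records(handler: Callable[[Session, int], Optional[dict]],
                      session: Session, id_range: Iterable[int]) -> list:
    """What 'changing the number in the URL' means at scale: walk the id space
    and report every id that hands back a record."""
    return [mid for mid in id_range if handler(session, mid) is not None]


if __name__ == "__main__":
    me = Session(user_id=101)
    print(enumerate_records(get_member_vulnerable, me, range(100, 110)))  # [101, 102, 103]
    print(enumerate_records(get_member_hardened, me, range(100, 110)))    # [101]
```

The check has to run on every object access, not once at login: authentication tells you who is asking, authorization decides whether they may see this particular record. `enumerate_records` doubles as the regression test a reviewer would want, since a low-privilege session walking the id space should only ever get its own record back.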

[J]ust this weekend I had a Twitter follower reach out via DM looking for advice on how to proceed with a risk he’d discovered when signing up to Kids Pass in the UK, a service designed to give families discounts in various locations across the country. What he’d found was the simplest of issues and one which is very well known – insecure direct object references. In fact, that link shows it’s number 4 in the top 10 web application security risks and it’s so high because it’s easy to detect and easy to exploit. How easy? Well, can you count? Good, you can hack! Because that’s all it amounted to, simply changing a short number in the URL.

Here’s the example the user passed on to Hunt (a screenshot in the original, not reproduced here):

Hunt told the user to stop doing anything further, including accessing other users’ information, and to inform the company immediately. The user did as instructed, contacting the company via Twitter direct message. Shortly thereafter, the user informed Hunt that Kids Pass had blocked him on Twitter.

Hunt then made an attempt to speak to someone at Kids Pass… only to find out he had been blocked as well, most likely for having the gall to retweet the concerned user’s message about the security flaw.

The responsible, ethical approach, notifying a company of a security flaw as soon as possible, was being treated like some sort of trollish attack on Kids Pass’ Twitter account. From all appearances, the company simply wanted everyone to shut up about the flaw rather than address the concerns raised by users.

It was only after Hunt asked his followers to contact the company on his behalf that Kids Pass finally unblocked him and told everyone the “IT department was looking at it.”

The belated reaction doesn’t make up for the initial one, and Kids Pass has shown it has little interest in addressing security flaws until the problem becomes too public to ignore. Hunt points to a blog post by another security researcher who informed Kids Pass last December about its insecure system, including the fact that it emailed forgotten passwords to users in plaintext. A site that can email your password back is storing it in a recoverable form rather than as a salted hash, so a leak of its database exposes every password directly. He heard nothing back and finally published his findings in July.
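For contrast with the "we email you your password" behaviour the researcher reported, here is an added example of how a forgotten-password flow looks when passwords are stored properly. It is not Kids Pass code; it keeps a user table in memory, uses PBKDF2-HMAC-SHA256 from the standard library, and the iteration count, token lifetime and link format are assumptions for the illustration. Because only a salted hash is stored there is nothing to email, so the message carries a single-use, time-limited reset token whose hash (not the token itself) is kept server-side.

```python
"""Password storage and reset without ever mailing a password.

Added example, not Kids Pass code. In-memory tables; cost parameters,
token lifetime and the reset-link format are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 600_000        # assumption: cost knob, tune to your hardware
RESET_TTL_SECONDS = 15 * 60    # assumption: reset links die after 15 minutes

USERS = {}    # username -> {"salt": bytes, "hash": bytes}
RESETS = {}   # username -> {"token_hash": bytes, "expires": float}


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the stored value cannot be reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)            # per-user random salt
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def start_reset(username: str) -> Optional[str]:
    """Return the token that goes into the emailed link, or None if unknown user.

    Only a hash of the token is stored, so a database read does not yield
    usable reset links either.
    """
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESETS[username] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).digest(),
        "expires": time.time() + RESET_TTL_SECONDS,
    }
    return token


def reset_link(token: str) -> str:
    """Assumed link shape for the email body."""
    return f"https://example.invalid/reset?token={token}"


def redeem_reset(username: str, token: str, new_password: str,
                 now: Optional[float] = None) -> bool:
    """Single-use, expiring token; on success the password is re-hashed with a new salt."""
    pending = RESETS.get(username)
    if pending is None:
        return False
    now = time.time() if now is None else now
    if now > pending["expires"]:
        del RESETS[username]                  # expired tokens are never revived
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(pending["token_hash"], presented):
        return False
    del RESETS[username]                      # single use
    register(username, new_password)
    return True


if __name__ == "__main__":
    register("parent1", "correct horse")
    tok = start_reset("parent1")
    print(reset_link(tok))
    print(redeem_reset("parent1", tok, "new passphrase"))   # True
    print(verify_login("parent1", "new passphrase"))        # True
```

The point the example makes is structural: once the server holds only `salt` and `hash`, the "email me my password" feature is impossible to build, which is exactly why a site that offers it should be assumed to be storing passwords in the clear or reversibly encrypted.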

If you want people to be good web citizens and report breaches and flaws, you can’t treat them like irritants or criminals when they do. Securing users’ personal info is extremely important, but some companies seem to feel they should be able to handle it however they want and mute/sue/arrest those who point out how badly flawed their systems are.

Companies: kids pass


Comments on “Company Storing Families' Personal Data Blocks Users/Researchers Informing It Of A Security Flaw”

22 Comments
That Anonymous Coward (profile) says:

The problem is companies see no point in creating an easy way for researchers to inform them.
Becki, who runs social media, thought it was just someone trolling & blocked & blocked & blocked until someone higher up the food chain noticed.

If I was running a company, I would reach out to the top researchers & provide them with a special email address that set off every screaming alarm in the place.

I think part of the problem is the MBA thought of it will cost us X to fix or Y to provide credit monitoring. Y is less than X, so why bother to fix? There are very few laws on the books that actually punish companies who were informed & ignored the problem until the worst happened. The company buys a bulk monitoring contract, rebrands, sweeps the error out of sight & moves on.

You’d think consumers would avoid companies with bad track records, and then you see how many users Sony still has after all of the times they were hacked & screwed consumers with their bad practices.

Consumers need to care more, the law needs to remind companies this is their duty not just a mop up after the fact.

Bergman (profile) says:

Re: Re:

Criminal laws, no. But irresponsible handling of confidential data creates enormous civil liability.

Given how the UK has completely lost their collective minds over even the faintest hint of pedophilia, you’d think that companies would do everything in their power to avoid a headline of “CompanyNameHere makes it easy for pedophiles to get at your kids!”

That Anonymous Coward (profile) says:

Re: Re: Re:

Sony was hacked 23 times, customer data exposed quite often… they paid no fines, denied the hacks (as the hacks were still happening), and did very little to correct the problems.

If they had been slapped with a fine as well as being forced to provide credit monitoring it might have motivated them to actually secure their systems globally.

michael (profile) says:

Re: Re:

“If I was [sic] running a company, I would reach out to the top researchers & provide them with special email address that set off every screaming alarm in the the place.”

That’s ridiculous, since the vast majority of flaws aren’t found by “top researchers.” (And who are all these mysterious “top researchers” anyway? Do you need to know the secret “top researcher” handshake to join that club?)

How ’bout you just use basic customer service skills and, if someone tells you they found a flaw, you investigate it?

Rekrul says:

Re: Re: Re:

Companies don’t want to hear about flaws in their service, security related or otherwise. I’ve reported verifiable problems to web sites and not only do I never hear back from them, they never fix the problems either.

Speaking of laughable web security, many years ago, before "hacking" became such a big deal, I discovered that the members section of one adult web site was completely accessible to anyone who knew the URL. Their preview images linked to files in the members section and if you just erased the filename from the URL, you got a raw directory listing that you could browse. Click on the HTML files and you had access to the paid section of the site. Apparently they relied on security through obscurity where the directories weren’t protected, but you only got the URL for them after you signed in. If you knew the URL already you could just bypass the login page.

I never told them though. It was a small site with not much content, that stopped updating after a while and then eventually just disappeared.

Even today, you can sometimes access additional preview images by altering the numbers on the filenames. There’s one celeb blog that posts daily photos, but only the ones from the last couple of months are linked to full-sized versions. However by comparing the URLs for the thumbnail and the full-sized photos, I discovered that you can get the large versions of all the past photos just by changing one word in the URLs.

Even with these flaws, I’d wager that the sites are safe from 99% of the users today, since manually altering a URL is akin to brain surgery for most people. Most users don’t have the faintest clue what the parts of a URL mean. In fact, even though they probably type in URLs occasionally, I’d be surprised if it even dawns on them that they can manually edit a URL that’s placed in the address box automatically when they click on a link. Most people don’t even know the difference between the address box and the search box. "I typed it exactly like you said and when I hit Enter, I get a bunch of stuff on the screen. The top one says SPONSORED RESULT, is that the one you want me to click on?"

That Anonymous Coward (profile) says:

Re: Re: Re:

Actually I interact with a few of them.

Oh look at the story… random researcher tried, got slapped away, reached out to Troy Hunt… that would be someone I’d give that email to. And Krebs & SwiftOnSecurity

The problem is Becki who runs the social media has no business trying to understand the problem & deciding if it should go up the tree. Longtime TD readers will remember the social media runner for a company who demanded someone reporting an issue detail the hack & how it works on twitter in the open.

I want my social media team to be just that, with the style & quick wit of the Wendy’s team… I don’t need them to also have white hat certification.

Eldakka (profile) says:

Re: Re: Re: Re:

The problem is Becki who runs the social media has no business trying to understand the problem & deciding if it should go up the tree.

The whole point of having senior co-workers, supervisors, managers, bosses is to have someone to pass a problem on to that you don’t understand. You don’t need to decide to pass it on. If Becki doesn’t understand or has doubts, she should do it without thinking.

It doesn’t take much training to say "if you get a complaint/incident that has any of the words security, hack, accessing other users information, privacy concerns, holes, I can do something I don’t think I should be able to or other similar terms, you escalate it." You don’t need to understand it if you are low-level customer service, just pass it on to someone more senior for them to assess it. Customer service deals with and handles routine queries and issues – forgotten password, how do i do …, what benefits does this option give me, how much discount do i get, and so on. Anything outside that should be passed up the tree, because that’s what a tree (or pyramid) structure is for.

That One Guy (profile) says:

A whisper to the front or a knife in the back

As always, if companies are dead-set on punishing those that are trying to help them, they’re not actually making their products/services more secure, they’re just ensuring that the security vulnerabilities they would have been informed of are found by those that aren’t so altruistic.

A reputation of attacking those that try to help in a quiet and open manner also opens up the possibility of someone running across a significant vulnerability and deciding that they’ll anonymously make it public in general, leaving the company scrambling to deal with the issues that brings rather than being able to address it behind the scenes.

Companies might think that they’re being ‘smart’ punishing those that point out vulnerabilities like this, but all they’re doing is ensuring that people will no longer want to help them, tanking their reputations for anyone familiar with their actions (if a company’s first response to someone pointing out a problem is to shoot the messenger, that says a lot about how much they actually care about security versus profits), and making it so that when they learn about future vulnerabilities it’s much more likely to occur after it’s cost them dearly and they learned about it the hard way.

OldMugwump (profile) says:

Can't fix stupid

Ultimately the problem is human stupidity.

This security flaw is so simple, so obvious, that no competent developer would have ever done it that way in the first place.

The problem is that nobody at Kids Pass had enough brains. So it’s not surprising that when confronted with a problem their instinct is to hide it and bury their head in the sand.

You just can’t fix stupid. You can only try to avoid it.

Eldakka (profile) says:

Re: Can't fix stupid

This security flaw is so simple, so obvious, that no competent developer would have ever done it that way in the first place.

This is what happens when the people who come up with the idea, who don’t have any real development experience, decide to implement it themselves, or get someone from Fiverr, rather than hire actual experienced developers.

How hard can it be? they think. There are heaps of templates out there on the hosting services that do this stuff, let’s use one of those, follow the bouncing ball to create a website. And since I’m already being cheap, I’ll choose the cheapest, simplest template to use – hey, that one’ll do, it was last updated 15 years ago, it’s even free, must be good since it hasn’t needed any updates! It doesn’t matter that I’ve got no idea what it’s actually doing behind the scenes, how it works.

Anonymous Coward says:

"some companies seem to feel they should be able to handle it however they want" -- Wait a sec! They're PRIVATE and CAN according to Poophat Ken White!

This is yet another instance where pro-corporatist Techdirt is simply not consistent. When it wants corporations to be beyond control, Techdirt holds (though never explicitly says) that they’re Persons with Rights, but when complaining about what’s done with those alleged Rights, they’re slammed as if subject to the Public.

If Twitter mistakenly blocking Ken White was within a corporation’s “right”, then so is this corporation within “rights” in blocking a user for any reason, wrongly, or none, and the user has no recourse but to leave.

Mitt Romney made the mistake of publicly calling corporations “persons”, and the public LOUDLY refuted him. Techdirt SNEAKS in the notion at times, or as here, blithely takes the side of the public which views corporations as only PERMITTED to be SERVANTS.

So which is it, kids? You can’t have it all ways at once. Not while Ellen Abaskit is here.

Oh, and by the way: corporations do NOT feel! They are legal fictions, simply dodges to gather money without responsibility, and have no frailties of physical persons.

katsai (profile) says:

Re: "some companies seem to feel they should be able to handle it however they want" -- Wait a sec! They're PRIVATE and CAN according to Poophat Ken White!

Nowhere in the article did anyone say the company shouldn’t have the right to block people on twitter. The entire thrust of the article was that blocking folks who are trying to help you by pointing out security flaws is stupid. You’ve missed the whole point of the article. This may help you make sense of it:

TL;DR
Companies are ignoring or blocking security researchers who tell them about vulnerabilities. They are perfectly free to do so, but it’s a stupid move on the part of the companies that do.

Hope that helps.

Ninja (profile) says:

Seriously, companies that do such things probably have other flaws, so I think I’d go gray hat if I was a security researcher and cause real financial/reputation damage by releasing the kraken.. Er, the security flaws anonymously in the wild. Nothing like some serious damage to make companies take things more seriously.

And for fuck’s sake, they blocked Troy Hunt. Any 2-second Google search would show them the guy is both a professional and a very respected one. If you can’t be bothered to listen to goddamn reputable professionals then just shut down your operations.

John85851 (profile) says:

Take a look at the development chain

So what kind of website developer thinks it’s a good idea to be able to change the URL and display someone else’s data without any kind of verification? How about at least comparing the URL to a cookie to see if the logged-on user has access to that account.

Then what about the testing/ QA department who didn’t think to run this kind of test?

Then what about the department manager who didn’t think to tell the testers if they ran this test or ask the developer to write secure code?

How did this company even make it to the stage of releasing production-ready code, which I assume is available in the usual app stores?

Anonymous Coward says:

Re: Take a look at the development chain

“Then what about the testing/ QA department who didn’t think to run this kind of test?”

I’m a tester and a developer and you often see people who aren’t either of these asking this. They probably DID test it and found it. Chances are the better question to ask is why did management not listen to the testers/developers and decide to release it with that defect anyway.

Anonymous Coward says:

Re: Re: Take a look at the development chain

Chances are the better question to ask is why did management not listen to the testers/developers and decide to release it with that defect anyway.

That requires management who understand that their job is primarily to ensure that the workers have what they need to do their job, along with routing messages up and down the chain of command so that they reach a worker who can solve them. However, these days too many managers think that they should make all the decisions, and that meeting their targets, like release dates, is more important than things like the software working properly.
