Company Storing Families' Personal Data Blocks Users/Researchers Informing It Of A Security Flaw

from the blockchain,-but-for-ignoring-your-problems dept

It must be repeated over and over: people who discover security flaws and report them are not the enemy. And yet, company after company after company treat security researchers and concerned users like criminals, threatening them with lawsuits and arrests rather than thanking them for bringing the issue to their attention.

Kids Pass -- a UK company providing discounts for families attending restaurants, theaters, and amusement parks -- had a problem. Any user could access any other user's personal information just by altering numbers linked to user IDs in the URL. A concerned user told security researcher Troy Hunt about the flaw. (via Boing Boing)
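The flaw described above is an insecure direct object reference: the server checks that a caller is logged in, then trusts whatever ID the URL carries. The following is an added illustration, not Kids Pass's code; the profile records, session table, endpoint path and log format are all constructed for the example. It shows the vulnerable handler beside the fixed one and a log check that flags a session walking through many profile IDs.

```python
"""Insecure direct object reference (IDOR) on a user-profile endpoint.
Constructed example code, not the Kids Pass application; all data below
(records, sessions, log lines) is made up for illustration."""
from collections import defaultdict

# Constructed sample data: short numeric IDs like the ones altered in the URL.
PROFILES = {
    1001: {"name": "Parent A", "children": ["Child A1"], "email": "a@example.invalid"},
    1002: {"name": "Parent B", "children": ["Child B1", "Child B2"], "email": "b@example.invalid"},
}
# Session cookie -> authenticated user ID (constructed).
SESSIONS = {"sess-abc": 1001, "sess-xyz": 1002}

# Constructed access log, one line per request: '<session> GET /profile/<id>'.
# sess-abc views its own profile and then five others in sequence.
SAMPLE_LOG = [
    "sess-abc GET /profile/1001",
    "sess-xyz GET /profile/1002",
    "sess-abc GET /profile/1002",
    "sess-abc GET /profile/1003",
    "sess-abc GET /profile/1004",
    "sess-abc GET /profile/1005",
    "sess-abc GET /profile/1006",
    "sess-xyz GET /profile/1002",
]


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_profile_vulnerable(session_cookie: str, profile_id: int) -> dict:
    """Vulnerable: verifies the caller is logged in, then trusts the ID from
    the URL. Any authenticated user can read any other user's record just
    by changing the number, which is the flaw the article describes."""
    if session_cookie not in SESSIONS:
        raise Forbidden("not logged in")
    return PROFILES[profile_id]


def get_profile_fixed(session_cookie: str, profile_id: int) -> dict:
    """Fixed: the owner is taken from the server-side session and the URL
    parameter must match it. Authentication alone is not authorization."""
    owner = SESSIONS.get(session_cookie)
    if owner is None:
        raise Forbidden("not logged in")
    if profile_id != owner:
        raise Forbidden("profile does not belong to caller")
    return PROFILES[profile_id]


def find_id_walkers(log_lines, distinct_threshold=5):
    """Detection: return sessions that requested at least distinct_threshold
    different profile IDs. A legitimate user normally views only their own,
    so a session stepping through consecutive IDs stands out in the log."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _method, path = line.split()
        if path.startswith("/profile/"):
            seen[session].add(int(path.rsplit("/", 1)[1]))
    return sorted(s for s, ids in seen.items() if len(ids) >= distinct_threshold)
```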

[J]ust this weekend I had a Twitter follower reach out via DM looking for advice on how to proceed with a risk he'd discovered when signing up to Kids Pass in the UK, a service designed to give families discounts in various locations across the country. What he'd found was the simplest of issues and one which is very well known - insecure direct object references. In fact, that link shows it's number 4 in the top 10 web application security risks and it's so high because it's easy to detect and easy to exploit. How easy? Well, can you count? Good, you can hack! Because that's all it amounted to, simply changing a short number in the URL.

Here's the example the user passed on to Hunt:

Hunt told the user to stop doing anything -- including accessing other users' information -- and immediately inform the company. The user did as instructed, contacting the company via Twitter direct message. Shortly thereafter, the user informed Hunt that Kids Pass had blocked him on Twitter.

Hunt then made an attempt to speak to someone at Kids Pass… only to find out he had been blocked as well, most likely for having the gall to retweet the concerned user's message about the security flaw.

The responsible, ethical approach -- notifying a company of a security flaw as soon as possible -- was being treated like some sort of trollish attack on Kids Pass' Twitter account. From all appearances, the company simply wanted everyone to shut up about the flaw, rather than address the concerns raised by users.

It was only after Hunt asked his followers to contact the company on his behalf that Kids Pass finally unblocked him and told everyone the "IT department was looking at it."

The belated reaction doesn't make up for the initial reaction. And Kids Pass has shown it has little interest in addressing security flaws until the problem becomes too public to ignore. Hunt points to a blog post by another security researcher who informed Kids Pass last December about its insecure system -- including the fact it sent forgotten passwords in plaintext via email to users. He heard nothing back, finally publishing his discoveries in July.

If you want people to be good web citizens and report breaches and flaws, you can't treat them like irritants or criminals when they do. Securing users' personal info is extremely important, but some companies seem to feel they should be able to handle it however they want and mute/sue/arrest those who point out how badly-flawed their systems are.


Reader Comments



  • That Anonymous Coward (profile), 9 Aug 2017 @ 3:21am

    The problem is companies see no point in creating an easy way for researchers to inform them.
    Becki, who runs social media, thought it was just someone trolling & blocked & blocked & blocked until someone higher up the food chain noticed.

    If I was running a company, I would reach out to the top researchers & provide them with a special email address that set off every screaming alarm in the place.

    I think part of the problem is the MBA thought of it will cost us X to fix or Y to provide credit monitoring. Y is less than X, so why bother to fix? There are very few laws on the books that actually punish companies who were informed & ignored the problem until the worst happened. The company buys a bulk monitoring contract, rebrands, sweeps the error out of sight & moves on.

    You'd think consumers would avoid companies with bad track records, and then you see how many users Sony still has after all of the times they were hacked & screwed consumers with their bad practices.

    Consumers need to care more, the law needs to remind companies this is their duty not just a mop up after the fact.


    • Bergman (profile), 9 Aug 2017 @ 4:53am

      Re:

      Criminal laws, no. But irresponsible handling of confidential data creates enormous civil liability.

      Given how the UK has completely lost their collective minds over even the faintest hint of pedophilia, you'd think that companies would do everything in their power to avoid a headline of "CompanyNameHere makes it easy for pedophiles to get at your kids!"


      • That Anonymous Coward (profile), 9 Aug 2017 @ 4:32pm

        Re: Re:

        Sony was hacked 23 times, customer data exposed quite often... they paid no fines, denied the hacks (as the hacks were still happening), and did very little to correct the problems.

        If they had been slapped with a fine as well as being forced to provide credit monitoring it might have motivated them to actually secure their systems globally.


    • michael, 9 Aug 2017 @ 11:05am

      Re:

      "If I was [sic] running a company, I would reach out to the top researchers & provide them with special email address that set off every screaming alarm in the the place."

      That's ridiculous, since the vast majority of flaws aren't found by "top researchers." (And who are all these mysterious "top researchers" anyway? Do you need to know the secret "top researcher" handshake to join that club?)

      How 'bout you just use basic customer service skills and, if someone tells you they found a flaw, you investigate it?


      • Rekrul, 9 Aug 2017 @ 3:47pm

        Re: Re:

        Companies don't want to hear about flaws in their service, security related or otherwise. I've reported verifiable problems to web sites and not only do I never hear back from them, they never fix the problems either.

        Speaking of laughable web security, many years ago, before "hacking" became such a big deal, I discovered that the members section of one adult web site was completely accessible to anyone who knew the URL. Their preview images linked to files in the members section and if you just erased the filename from the URL, you got a raw directory listing that you could browse. Click on the HTML files and you had access to the paid section of the site. Apparently they relied on security through obscurity where the directories weren't protected, but you only got the URL for them after you signed in. If you knew the URL already you could just bypass the login page.

        I never told them though. It was a small site with not much content, that stopped updating after a while and then eventually just disappeared.

        Even today, you can sometimes access additional preview images by altering the numbers on the filenames. There's one celeb blog that posts daily photos, but only the ones from the last couple of months are linked to full-sized versions. However by comparing the URLs for the thumbnail and the full-sized photos, I discovered that you can get the large versions of all the past photos just by changing one word in the URLs.

        Even with these flaws, I'd wager that the sites are safe from 99% of the users today, since manually altering a URL is akin to brain surgery for most people. Most users don't have the faintest clue what the parts of a URL mean. In fact, even though they probably type in URLs occasionally, I'd be surprised if it even dawns on them that they can manually edit a URL that's placed in the address box automatically when they click on a link. Most people don't even know the difference between the address box and the search box. "I typed it exactly like you said and when I hit Enter, I get a bunch of stuff on the screen. The top one says SPONSORED RESULT, is that the one you want me to click on?"


      • That Anonymous Coward (profile), 9 Aug 2017 @ 4:28pm

        Re: Re:

        Actually I interact with a few of them.

        Oh look at the story... random researcher tried, got slapped away, reached out to Troy Hunt... that would be someone I'd give that email to. And Krebs & SwiftonSecurity

        The problem is Becki who runs the social media has no business trying to understand the problem & deciding if it should go up the tree. Longtime TD readers will remember the social media runner for a company who demanded someone reporting an issue detail the hack & how it works on twitter in the open.

        I want my social media team to be just that with the style & quick wit of the wendys team... I don't need them to also have white hat certification.


        • Eldakka (profile), 9 Aug 2017 @ 5:19pm

          Re: Re: Re:

          The problem is Becki who runs the social media has no business trying to understand the problem & deciding if it should go up the tree.

          The whole point of having senior co-workers, supervisors, managers, bosses is to have someone to pass a problem on to that you don't understand. You don't need to decide to pass it on. If Becki doesn't understand or has doubts, she should do it without thinking.

          It doesn't take much training to say "if you get a complaint/incident that has any of the words security, hack, accessing other users information, privacy concerns, holes, I can do something I don't think I should be able to or other similar terms, you escalate it." You don't need to understand it if you are low-level customer service, just pass it on to someone more senior for them to assess it. Customer service deals with and handles routine queries and issues - forgotten password, how do i do ..., what benefits does this option give me, how much discount do i get, and so on. Anything outside that should be passed up the tree, because that's what a tree (or pyramid) structure is for.


  • spodula, 9 Aug 2017 @ 3:57am

    Kidspass

    Written by 10 year olds for 10 year olds...


  • That One Guy (profile), 9 Aug 2017 @ 4:58am

    A whisper to the front or a knife in the back

    As always, if companies are dead-set on punishing those that are trying to help them, they're not actually making their products/services more secure, they're just ensuring that the security vulnerabilities that they would have been informed of are found by those that aren't so altruistic.

    A reputation of attacking those that try to help in a quiet and open manner also opens up the possibility of someone running across a significant vulnerability and deciding that they'll anonymously make it public in general, leaving the company scrambling to deal with the issues that brings rather than being able to address it behind the scenes.

    Companies might think that they're being 'smart' punishing those that point out vulnerabilities like this, but all they're doing is ensuring that people will no longer want to help them, tanking their reputations for anyone familiar with their actions (if a company's first response to someone pointing out a problem is to shoot the messenger, that says a lot about how much they actually care about security versus profits), and making it so that when they learn about future vulnerabilities it's much more likely to occur after it's cost them dearly and they learned about it the hard way.


  • OldMugwump (profile), 9 Aug 2017 @ 6:29am

    Can't fix stupid

    Ultimately the problem is human stupidity.

    This security flaw is so simple, so obvious, that no competent developer would have ever done it that way in the first place.

    The problem is that nobody at Kids Pass had enough brains. So it's not surprising that when confronted with a problem their instinct is to hide it and bury their head in the sand.

    You just can't fix stupid. You can only try to avoid it.


    • Eldakka (profile), 9 Aug 2017 @ 5:32pm

      Re: Can't fix stupid

      This security flaw is so simple, so obvious, that no competent developer would have ever done it that way in the first place.

      This is what happens when the people who come up with the idea, who don't have any real development experience, decide to implement it themselves, or get someone from fiver, rather than hire actual experienced developers.

      How hard can it be? they think. There are heaps of templates out there on the hosting services that do this stuff, let's use one of those, follow the bouncing ball to create a website. And since I'm already being cheap, I'll choose the cheapest, simplest template to use - hey, that one'll do, it was last updated 15 years ago, it's even free, must be good since it hasn't needed any updates! It doesn't matter that I've got no idea what it's actually doing behind the scenes, how it works.


  • Anonymous Coward, 9 Aug 2017 @ 6:31am (comment flagged by the community)

    "some companies seem to feel they should be able to handle it however they want" -- Wait a sec! They're PRIVATE and CAN according to Poophat Ken White!

    This is yet another instance where pro-corporatist Techdirt is simply not consistent. When it wants corporations to be beyond control, Techdirt holds (though never explicitly says) that they're Persons with Rights, but when complaining about what's done with those alleged Rights, they're slammed as if subject to the Public.

    If Twitter mistakenly blocking Ken White was within a corporation's "right", then so is this corporation within "rights" in blocking a user for any reason, wrongly, or none, and the user has no recourse but to leave.

    Mitt Romney made the mistake of publicly calling corporations "persons", and the public LOUDLY refuted him. Techdirt SNEAKS in the notion at times, or as here, blithely takes the side of the public which views corporations as only PERMITTED to be SERVANTS.

    So which is it, kids? You can't have it all ways at once. Not while Ellen Abaskit is here.

    Oh, and by the way: corporations do NOT feel! They are legal fictions, simply dodges to gather money without responsibility, and have no frailties of physical persons.


    • katsai (profile), 9 Aug 2017 @ 6:44am

      Re: "some companies seem to feel they should be able to handle it however they want" -- Wait a sec! They're PRIVATE and CAN according to Poophat Ken White!

      Nowhere in the article did anyone say the company shouldn't have the right to block people on twitter. The entire thrust of the article was that blocking folks who are trying to help you by pointing out security flaws is stupid. You've missed the whole point of the article. This may help you make sense of it:

      TL;DR
      Companies are ignoring or blocking security researchers who tell them about vulnerabilities. They are perfectly free to do so, but it's a stupid move on the part of the companies that do.

      Hope that helps.


      • Ninja (profile), 9 Aug 2017 @ 7:52am

        Re: Re: "some companies seem to feel they should be able to handle it however they want" -- Wait a sec! They're PRIVATE and CAN according to Poophat Ken White!

        Won't help, he has some sort of mental handicap. Poor thing.


    • orbitalinsertion (profile), 9 Aug 2017 @ 7:01am

      Re: "some companies seem to feel they should be able to handle it however they want" -- Wait a sec! They're PRIVATE and CAN according to Poophat Ken White!

      lolwut?


    • Mononymous Tim (profile), 9 Aug 2017 @ 9:36am

      Re: "some companies seem to feel they should be able to handle it however they want" -- Wait a sec! They're PRIVATE and CAN according to Poophat Ken White!

      Wow, you sure do waste a lot of time twisting reality and going off in any direction you can just to be a troll.


    • Anonymous Coward, 9 Aug 2017 @ 1:03pm

      Re: "some companies seem to feel they should be able to handle it however they want" -- Wait a sec! They're PRIVATE and CAN according to Poophat Ken White!

      Oh scooter you SovCits are a hoot. Try not to blow your own bollocks off stroking your many, many guns.


  • Ninja (profile), 9 Aug 2017 @ 7:51am

    Seriously, companies that do such things probably have other flaws, so I think I'd go gray hat if I was a security researcher and cause real financial/reputation damage by releasing the kraken.. Er, the security flaws anonymously in the wild. Nothing like some serious damage to make companies take things more seriously.

    And for fuck's sake, they blocked Troy Hunt. Any 2-second Google search would show them the guy is both a professional and a very respected one. If you can't be bothered to listen to goddamn reputable professionals then just shut down your operations.


  • John85851 (profile), 9 Aug 2017 @ 9:40am

    Take a look at the development chain

    So what kind of website developer thinks it's a good idea to be able to change the URL and display someone else's data without any kind of verification? How about at least comparing the URL to a cookie to see if the logged-on user has access to that account.

    Then what about the testing/ QA department who didn't think to run this kind of test?

    Then what about the department manager who didn't think to tell the testers if they ran this test or ask the developer to write secure code?

    How did this company even make it to the stage of releasing production-ready code, which I assume is available in the usual app stores?


    • Anonymous, 9 Aug 2017 @ 3:34pm

      Re: Take a look at the development chain

      "Then what about the testing/ QA department who didn't think to run this kind of test?"

      I'm a tester and a developer, and you often see people who aren't either of these asking this. They probably DID test it and found it. Chances are the better question to ask is why did management not listen to the testers/developers and decide to release it with that defect anyway.


      • Anonymous Coward, 9 Aug 2017 @ 11:05pm

        Re: Re: Take a look at the development chain

        Chances are the better question to ask is why did management not listen to the testers/developers and decide to release it with that defect anyway.

        That requires management who understand that their job is primarily to ensure that the workers have what they need to do their job, along with routing messages up and down the chain of command so that they reach a worker who can solve them. However, these days too many managers think that they should make all the decisions, and that meeting their targets, like release dates, is more important than things like the software working properly.


  • Rekrul, 9 Aug 2017 @ 3:49pm

    Maybe the researchers should take the initiative and sue the company first, claiming that it put their information at risk. Or if the country has any laws about data protection, report them.

