Tuesday, July 9, 2013

Example - Reporting a security vulnerability when there is no clear security contact

Today I wanted to report an authentication bypass vulnerability in a router to it's vendor,
I went online to the company web site and looked for any contact info, the only thing I found was a "live chat" option, at this point I stopped and thought to myself "Why the hell not"

Just to clarify, the support person I was chatting with did his very best to do his job, and I tried to be polite, I have the outmost respect for the individuals working in support centers and would never intend to insult or demean them in any way.

Here is the result of this interesting experiment:

Support Tue, 7/9/2013 08:38:44 pm
Thank you for choosing ***********. How may I help you today?

Me Tue, 7/9/2013 08:39:32 pm
Please provide me with an email address of a security team representative to which I can rely the details of a security vulnerability I have discovered in the ****

Support Tue, 7/9/2013 08:41:20 pm
As I understand, you are asking for the security team representative so that you can address your concern reagrding the **** router?

Me Tue, 7/9/2013 08:41:48 pm
almost, I want to report a possibly new security vulnerability in the **** Router

Support Tue, 7/9/2013 08:42:12 pm
May I ask, what do you mean about security vulnerability?

Me Tue, 7/9/2013 08:42:48 pm
you know when you put in 192.168.1.1 and the router asks you for a username and password before you can view all the options in it?
I found a way to get in the router menu's without authenticating via username and password
and I would like to report it to the relevant contact in your comapny at ***********

Support Tue, 7/9/2013 08:44:46 pm
I see. When you accessed the page with no authentication required, is that your first time to access the setup page then?

Me Tue, 7/9/2013 08:46:44 pm
no,after performing a few specific actions i have access to the setup pages. without those certain actions i would not have access at all

Support Tue, 7/9/2013 08:47:10 pm
What browser did you use to access the ********** setup page?

Me Tue, 7/9/2013 08:47:17 pm
chrome

Support Tue, 7/9/2013 08:48:10 pm
I see. I believe the security password has been saved on the Chrome's settings that is why it dis not ask for a password the next time you access the setup page.

Me Tue, 7/9/2013 08:49:01 pm
i have never set it to save, nor have I ever authenticated to the router, every time I have tried to access the router IP i was prompted for authentication but i never did.

Support Tue, 7/9/2013 08:49:35 pm
Can you try to access the setup page using another computer?

Me Tue, 7/9/2013 08:50:40 pm
yes, I did that. do you have an **** test device online at the moment that I can reach?

Support Tue, 7/9/2013 08:51:11 pm
I do apologize but we do not have that support.

Me Tue, 7/9/2013 08:52:22 pm
what do you suggest?
I do not want support, I want to report a security vulnerability

Support Tue, 7/9/2013 08:53:10 pm
May I ask, when you try to use another computer, did it ask for authentication when you access the ********** setup page?

Me Tue, 7/9/2013 08:53:34 pm
yes it did
do you have 2nd level support?

Support Tue, 7/9/2013 08:54:05 pm
Did it ask authentication again the next time you accessed it?

Me Tue, 7/9/2013 08:54:33 pm
it allways asked me for authentication, until i bypassed ti with this vulnerability

Support Tue, 7/9/2013 08:55:49 pm
I see. This is actually an isolated case since this is our first time to know this concern.

Me Tue, 7/9/2013 08:56:23 pm
I know, I dont expect you to solve this for me, just start escalating me

Support Tue, 7/9/2013 08:56:42 pm
Let me forward your concern to our management so that they can check and verify your concern.

Me Tue, 7/9/2013 08:56:54 pm
thank you!

Support Tue, 7/9/2013 08:57:12 pm
But as of the moment, we cannot provide the precise solution for your concern.

Me Tue, 7/9/2013 08:57:40 pm
I know, I dont want a solution for it right now, I want to help you guys understand it and fix it

Support Tue, 7/9/2013 08:58:33 pm
We highly acknowledged your side.
May I ask your full name so that I can log this session?

Me Tue, 7/9/2013 08:58:57 pm
thank you I guess
use my email: *********@*****.***

Support Tue, 7/9/2013 08:59:32 pm
Do you have phone number for us to reach you?

Me Tue, 7/9/2013 09:00:38 pm
Let's start with email first, after that we can exchange phone numbers, I tend not to give out personal information on the "first date"

Support Tue, 7/9/2013 09:01:07 pm
I understand.

Me Tue, 7/9/2013 09:01:53 pm
awesome :) so I will expect someone to contact me at my email. thanks for your help ****

Support Tue, 7/9/2013 09:02:23 pm
You are most welcome! Is there anything else that I can assist you with today?

Me Tue, 7/9/2013 09:02:35 pm
nope, that was it :)

Support Tue, 7/9/2013 09:02:45 pm
Alright then. Remember that you are always a valued customer with ***********. Once again, thank you for choosing ***********. Have a wonderful day!

2 comments:

  1. it looks like an automated machine and not a person. i bet someone will contact you regarding "a lost password" and will try to help you reset it... hahahaha

    ReplyDelete
  2. For new web based business new companies, this procedure can be costly and speaks to a critical exchange cost. weneedprivacy

    ReplyDelete