21

A company I used to work for developed a Point Of Sale system that also has an eCommerce portion. While working there, I discovered massive flaws with their security model.

Simply put, there is 0 server side validation. Any user, logged in or not, can do things like edit prices, fake transactions, mess with time sheets, etc all from the comfort of their home.

I reported this several times verbally, but it was mostly ignored as not a priority.

They have since expanded their clientele, and now serve quite a few clients. I have verified that the exploits still work just as they did several years ago.

I have no interest in saving face for this company, they treated me and many others very poorly and abusively, forcing overtime without pay and similar transgressions.

What is the best way to report this security issue? Do I send an email to their clients? Or should I publicly disclose the attack and let the internet handle it?

edit: I would like to add that the exploits are not complicated or obscure, anyone who opens devtools in their browser would be able to figure out that they can just edit the data on the fly

edit 2: After reading all of these responses, I will be sending the company an anonymous email with a POC. I will also be giving them a 60 day period to address the issue before I report it to their customers

ItsNotMe
  • 321
  • 2
  • 6
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/86371/discussion-on-question-by-itsnotme-my-old-job-has-massive-security-exploits-in-t). – Rory Alsop Nov 29 '18 at 10:16

4 Answers4

22

A quick word of caution

You sound very invested in trying to do something. If I can be frank, it sounds like you are at least partially motivated by your frustrations with the way the company treated you as an employee. This can be understandable, but doesn't necessarily lead to good decisions. In particular one option you mention (contacting customers and informing them of the issues) is the sort of thing that, rightly or not, and regardless of how it might end, can result in lawsuits filed against you by your former employer. So tread lightly. All things considered that is probably a very bad idea.

Understanding the (flawed) business perspective

Unfortunately the situation you describe is not uncommon in the software industry. From the perspective of many companies, bring up security issues is asking them to spend real money (in terms of developer salaries) to fix a problem that they cannot see for a benefit that may not be needed for a long time (it may in fact be a while before someone tries to hack them). It's a hidden benefit with an upfront cost, and that is something that short-sighted thinking can easily ignore for a long time. After all, from their perspective, the things you are making a big deal about have never actually caused problems but will definitely take a lot of time and effort to fix, so why should they fix it? (I'm not saying they are right, I'm just explaining the thought process).

It's important to understand that this is obviously the approach that your ex-employer is taking. You have informed them of the issue and they have decided to ignore it. There is no reason to think that any (legal) action you can take as an outsider is going to change that, especially since you failed to make any changes as an insider. Of course we know that with bad security practices, someone finding and exploiting a weakness is inevitable, especially if they start to see any real kinds of success (i.e. having a large customer base). As long as none of their customers take the time to delve into potential security concerns proactively (and most don't, because they don't know enough to look properly even if they do care), situations like this can go on for a surprisingly long time before it causes real problems. In the worst-case scenario this leads to situations like the equifax security breach. For smaller companies this can result in complete bankruptcy.

Reality

So what do you do about it? If management knows about the problem but refuses to change, there probably isn't anything you can do to force them to change. You can try things you mentioned like reporting this to their customers, but their customers may not take you seriously. For all they know you are simply a disgruntled ex-employee trying to cause trouble for your previous employer. If they didn't know enough to look into these things before starting to use the platform, then there is no reason to think they know enough to take your claims seriously now. More likely than not you'll just end up being ignored or sued.

(per @forest's answer) You certainly should submit a CVE. You could also try submitting bugs through a third-party bug bounty program. There are some that have popped up in recent years and exist to try to act as a neutral arbiter between "independent security researchers" (aka you) and sites that otherwise don't have bug reporting programs (aka your former employer). Of course such programs work only if the company you are reporting bugs to actually listen. You already know that your former employer won't. However, having published and ignored vulnerabilities through standard channels will help their customers in the long run when they do get hacked. This will change the situation from simple incompetence to outright negligence, which comes with much stiffer financial penalties in civil court (FYI: IANAL).

Any further (legal) options will vary depending on your jurisdiction, aka in Europe you may find some venues for legal action through the GDPR. In many places though you probably don't have any options that can immediately bring legal trouble to them. Most likely that won't happen until they get hacked and their customers sue. Having a published CVE will help their customers when that happens. In the meantime, it sounds like you are thinking about posting something publicly "on the internet". What would be your goal there? Realistically, your attempts to do that will probably just be ignored by the internet. It's possible however that they may end up hacked much sooner as a result though. Without going through more standard channels though, you probably dramatically increase your own risk of legal repercussions. Therefore, I would personally keep to official channels.

Again, I may be misreading you, but I think your question is largely coming from the place of someone who is angry at a past-employer and is, to some extent, looking to cause trouble. That's a good way to get yourself in legal trouble or at least give yourself a bad name when trying to find jobs in the future. I think you should try to stop looking at this from the perspective of an ex-employee and focus more on the perspective of a neutral-security-researcher.

Community
  • 1
Conor Mancone
  • 30,380
  • 13
  • 92
  • 98
  • 4
    Does looking at stuff from the customers' POV change anything? Can it be argued that the customers have the right to know their data and (likely) other assets are in jeopardy? – gaazkam Nov 27 '18 at 22:34
  • @gaazkam I think that is very relevant information for them to know, and I would certainly want to know such things myself. However, especially in cases like this, I don't think the OP directly contacting customers will necessarily accomplish those goals, for the simple fact that the OP may not be taken seriously. Finding and publishing exploit information is still in a bit of a "grey" area, and regardless whether or not a lawsuit against (e.g.) the OP would succeed, I'd still much rather not risk one. – Conor Mancone Nov 27 '18 at 23:08
  • @gaazkam There are enough companies out there that do such a terrible job of security, entirely at the expense of their customers, that I very much wish there was some better avenue for resolving issues like this. Unfortunately in the US there isn't, nor is there likely to be (I certainly wouldn't want it handled by another 3 letter organization). Without a doubt, the situation sucks, especially because it is common. – Conor Mancone Nov 27 '18 at 23:10
  • 4
    -1 **This answer seems very naïve** and is ignoring the industry standard solution, which is to report it to MITRE and get a CVE assigned. Please see https://cve.mitre.org/cve/request_id.html for how to do this. – forest Nov 28 '18 at 07:36
  • 5
    Also this answer ignores that the sheer magnitude of this exploit actually means the company is **defrauding** its customers. All it takes is one black-hat to discover it and the clients can even be bankrupted. – vsz Nov 28 '18 at 07:42
  • @vsz fraud is a legal term. There isn't any fraud going on here (unless they are promising top-notch security while actually providing none). I was quite clear that the repercussions for ignoring things like this can be quite serious (I even specifically mentioned bankruptcy). However, when the company has been repeatedly warned (it has) and completely dismisses the security concerns (which it did), then the reality is that there probably won't be anything that changes their mind until the whole thing blows up in their faces. – Conor Mancone Nov 28 '18 at 13:31
  • @ConorMancone The problem is that it will blow up not just in the face of the company, but the customers. The fraud comes from the implicit promise to handle financial data securely and knowingly not doing so. Also note that fraud laws differ depending on jurisdiction. Anyway, I've removed my downvote since you've mentioned the CVE process, but I still think you should be more explicit that it is a solution even if the company never shows interest in protecting their customers. – forest Nov 28 '18 at 13:39
8

Request a CVE!

If you care at all about preventing potentially massive breaches, then you absolutely need to disclose the issue one way or another. If you cannot get this done by contacting the developers of the vulnerable application, you should request a CVE assignment for the issue. MITRE will deal with the rest.

Community
  • 1
forest
  • 65,613
  • 20
  • 208
  • 262
3

I just realized that you said your "old job". My answer below still stands, but depends on if you still have contacts to responsible parties within the company.

If you reported the issue verbally and it was ignored, try reporting the issue in writing, possibly escalating the issue and copying people higher up the chain. You may have to speak management-speak, providing risks, costs, and benefits to the security fixes. Explain why this should be a priority over other items. Offer to give a demonstration to management to show just how easy the exploits are and point out that as soon as someone finds it, the company's reputation is heavily damaged.

Perhaps you can find a way to sell the idea of your company hiring a security auditor to find vulnerabilities. Where your management might respond to your security concerns as "Oh, Bob is freaking out about nothing again," they may take an auditor more seriously. In some jurisdictions, I'm sure there are legal requirements that a company must meet to handle personal data, you might be able to sell management on the idea if you tell them that you're not sure that you're in compliance and an audit needs to be done before a customer sues. Obligatory "I am not a lawyer".

If that doesn't work, I can't say that I recommend emailing clients or publicly disclosing the vulnerabilities unless you talk to a lawyer first and the lawyer tells you that you're in the clear. A company like you're describing would likely not see the situation as "Oh, now we have to fix this" but rather "A disgruntled employee is trying to destroy our business, we need to fight back."

Things that you can do from outside of the company:

After reading that you no longer work at this company, I had another idea: it may be possible to anonymously pose as an interested buyer of your company's product and ask questions indicating that you are very interested in making sure your data is safe. Ask if they do security audits, if they have any security certifications, what regulations they follow, things like that. Hopefully, someone in marketing won't just make up generic answers and will inquire with a developer or someone who is in charge of something. Maybe "losing a sale" due to their shady security practices will push the priority higher for them.

Tophandour
  • 164
  • 1
  • 7
  • The people I reported to were the lead developers and CEO of the company. While I didnt give a demonstration, I believe they fully understood what I was telling them – ItsNotMe Nov 27 '18 at 20:08
  • Last segment of your answer is interesting because if I wanted to generate an outcome I would be quite fond of the idea of posing anonymously as a potential client and making subtle and revealing inquiries into their security. – PCARR Nov 27 '18 at 21:08
  • 1
    @ItsNotMe While I understand your frustration, this is quite a thin and potentially dangerous line. Looking at the civil service, so military law. Three people come to mind (William McNeilly, William Binney and Edward Snowden) which became classified as whistleblowers, all went through the normal procedures for reporting concerns initially and were disregarded, like you. It might be worthwhile considering and learning from these individuals about how to best handle this situation, and acknowledge your exposure about doing the 'right' thing, consider how it will affect your coworkers as well. – safesploit Nov 27 '18 at 21:23
  • @safesploit Whistleblowing involves leaking classified or confidential information that one finds out due to being in a trusted and privileged position (signing an NDA, having security clearance, etc.). Reporting a vulnerability, on the other hand, involves releasing details that were independently discovered by you. I think the comparison between whistleblowing and full disclosure constitutes a false analogy. – forest Nov 28 '18 at 08:26
0

Since you do not disclose a location, I suggest to contact law enforcement, as the company may be in violation of several laws - especially so since they operate with financial transactions. Usually the law enforcement branch you contacted will then inform you who you actually should contact instead, which may be a different branch of law enforcement, a consumer protection organization, or no one at all.

Disclosing the security issue to the public or their clients, or threatening to do so - with your background that of a disgruntled employee - is another way to involve law enforcement. One you want to avoid.

Peter
  • 3,620
  • 3
  • 14
  • 24