Security vulnerability disclosures

I'm preparing a series of posts in which I disclose several security vulnerabilities that I discovered in the spring and summer of 2017.

Published: Wed, August 9, 2017, 23:00
Category: Security
Tag: Background article

tl;dr

Over the years I've discovered a great many security holes and information leaks on the Internet. Until now I've only notified the involved parties, but I think it's time to go public, practising "responsible disclosure".

The purpose

While preparing these posts I've asked myself repeatedly whether I should go public with my findings or not.

I'm still not entirely sure what the right answer is. What I do know is that I want increased focus on web security, and that I feel a social responsibility to contribute to that.

The purpose of posting these vulnerabilities is fivefold:

  • Make people aware that close to all their personal information is already in the hands of anyone who wants it.
  • I want computer security to be a (bigger) part of the IT education and training.
  • I want computer security to be a natural part of any developer's mindset.
  • I want businesses to know that there might be consequences of being sloppy with people's data.
  • Make your data and my own data safer.

Hopefully the issues presented on this site can be a small part of getting some kind of discussion on how to deal with computer security and personal data.

What I have done

While looking for security vulnerabilities I have followed a few simple rules.

What I have done:
  • Only looked at web apps (frontends and APIs) and mobile apps
  • Only looked at Norwegian services (though some are internationally available)
  • Immediately reported any security concerns and given a reasonable amount of time to fix any problems
  • Spent only minutes before finding some security hole or information leak
What I have not done:
  • Not hidden my identity:
    • I have worked from my home IP
    • When logged in I have used my own personal account
    • I have not tried to fly under the radar with regard to staying out of logs, etc.
  • Not looked for or used security holes in operating systems, app servers, networking equipment, etc.
  • Not interfered with the operation of the web apps or companies
  • Not altered or deleted any data
  • Not stored any personal data, or even tried accessing anything beyond what was needed to prove the weakness

Information sensitivity

The sensitivity of the information leaks I found varies. They go all the way from "Nah, I don't really care" to "Holy shit, this is not cool". But I think each of them makes some unique point, both with regard to the kind of vulnerability and with regard to the type of personal information involved.

Responsible disclosure

I'm all for responsible disclosure and have immediately reported my findings. Generally I'm not publishing any details until the problem has been confirmed fixed. However, sadly, in some cases there's just no interest or response from the other party.

If you want more thoughts about responsible disclosure I would recommend reading Troy Hunt's site (and maybe especially the video in that link).
