Full Disclosure mailing list archives
Just Don't Use or Trust Bullhorn
From: Scott Arciszewski <kobrasrealm () gmail com>
Date: Mon, 7 Sep 2015 16:05:04 -0400
Story time, FD. Hopefully I can save someone else from having to deal with the frustration of dealing with Bullhorn.

March 3, 2014 - I observed that SendOuts (owned by Bullhorn) didn't use HTTPS even though it was available, nor HSTS once someone explicitly accessed the https://webconnect3.sendouts.com URL. When I went to notify them on their support forums, I noticed they were running an ancient version of phpBB, a version known to be vulnerable to https://www.exploit-db.com/exploits/16890/ (although I did not attempt to exploit it, because that would be reckless and stupid).

October 23, 2014 - After months without hearing a word in response, I decided to ping them again. This actually got the attention of their director of support.

November 4, 2014 - After more silence, I sent an email asking "Am I clear to post my findings on the Full Disclosure mailing list without fear of retributive criminal charges?" Immediately, I got an email from "Andrew Smith | Director, Technical Operations & Security". The conversation went like this:

Andrew:
I was hoping to connect with you on having your concerns addressed, C**** mentioned that these issues are currently scheduled to be fixed, what else can we do to help to resolve any of these matters.
Me:
No additional concerns; I was wondering when it would be safe to publicly disclose the concerns I sent to C**** in March. Namely:
* Lack of HSTS and/or HTTP->HTTPS rewriting (ever heard of sslstrip?)
* Outdated phpBB as demonstrated here: http://supportforums.bullhorn.com/docs/ which has this vulnerability: http://www.exploit-db.com/exploits/16890/
Andrew:
I would like to understand your goals in doing that? Security is a major concern for us, but as you know, one that is a constant fight to keep current, for any software provider, with exploits and issues as they arise. As issues arise, they are prioritized, fixed and deployed. These issues have been prioritized and will be deployed as soon as is possible. I don't understand your motivation for publicly posting these issues, are you working with any of our clients at present?
And then I explained the history of full disclosure as it relates to the security industry (really boring), and he said this:
Thanks for the details, Scott. Yes, we of course use industry standard processes for accepting, resolving and notifying all of our clients of bugs, both application and security. The worry I have is that, this information is delivered by us, the provider, with full explanations of the issues, to the clients themselves via bug and issue tracking systems, not via public forums. Our public forums are a place where our developers and users can gain information for using and extending our application, to post bug and security fixes there would be misusing the goals of that system. Thank you for letting us know about the issues and we appreciate your concern.
Finally, they agreed that fixing it is a priority and that Andrew Smith would let me know when it's fixed so that I could go public without fear of causing any damage to Bullhorn or its customers.

Epilogue: They updated their phpBB on November 26, 2014, but never said a word. Liars.

The lessons here?
1. Bullhorn's director of security doesn't understand security.
2. They're a pain in the ass to deal with. If you're looking to help a company with their security, Bullhorn is a bad choice due to the personalities involved.
3. Never trust Bullhorn with sensitive information (SSNs, etc.).

I hope that, by sharing this, I saved someone else from a headache or two.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
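The two conditions the post calls out, plain HTTP that is never redirected to HTTPS and an HTTPS response with no Strict-Transport-Security header, are exactly what an sslstrip-style downgrade relies on, and they can be checked mechanically. The script below is an added example written for this page; it is not code from the original post, from SendOuts, or from Bullhorn. It makes no request to any real host unless you pass one on the command line; the sample responses, the one-year max-age bar (taken from the hstspreload.org submission requirement) and the function names are assumptions made for illustration.

```python
"""Audit one web origin for the gaps the post describes: plain HTTP that is
not redirected to HTTPS, and an HTTPS response with no (or a weak) HSTS policy.
Added example; the thresholds and sample responses are constructed, not captured."""
import http.client
import sys
from typing import Dict, List, Optional, Tuple

# hstspreload.org requires max-age >= 1 year; used here as the "long enough" bar (assumption).
ONE_YEAR = 31536000
REDIRECTS = (301, 302, 307, 308)


def parse_hsts(value: str) -> Optional[Tuple[int, bool, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains, preload).

    RFC 6797 requires a max-age directive; return None when it is missing or
    non-numeric so the caller can report a malformed policy rather than a weak one.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # directive values may be quoted-strings
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


def audit(http_status: int, http_headers: Dict[str, str],
          https_status: int, https_headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one origin given its http:// and https:// responses."""
    h = {k.lower(): v for k, v in http_headers.items()}
    s = {k.lower(): v for k, v in https_headers.items()}
    findings: List[str] = []

    location = h.get("location", "")
    if http_status not in REDIRECTS or not location.lower().startswith("https://"):
        findings.append("plain HTTP returns %d without redirecting to https://; "
                        "a first visit can be downgraded with sslstrip" % http_status)

    # Browsers must ignore HSTS received over plain HTTP (RFC 6797 section 8.1),
    # so a policy sent only there gives no protection.
    if "strict-transport-security" in h and "strict-transport-security" not in s:
        findings.append("HSTS header is sent over plain HTTP only, where browsers ignore it")

    if https_status in REDIRECTS and s.get("location", "").lower().startswith("http://"):
        findings.append("HTTPS redirects back to http://")

    hsts = s.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    parsed = parse_hsts(hsts)
    if parsed is None:
        findings.append("malformed HSTS header (no numeric max-age): %r" % hsts)
        return findings
    max_age, include_subdomains, _preload = parsed
    if max_age == 0:
        findings.append("HSTS max-age=0 tells browsers to discard any cached policy")
    elif max_age < ONE_YEAR:
        findings.append("HSTS max-age=%d is shorter than one year" % max_age)
    if not include_subdomains:
        findings.append("HSTS lacks includeSubDomains; cookies scoped to the parent "
                        "domain can still be sent to a stripped subdomain")
    return findings


def fetch(host: str, scheme: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """GET / on the given host over http or https and return (status, headers)."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "hsts-check"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from any real site).
WEAK_SITE = dict(http_status=200, http_headers={"Content-Type": "text/html"},
                 https_status=200, https_headers={"Content-Type": "text/html"})
GOOD_SITE = dict(http_status=301, http_headers={"Location": "https://example.com/"},
                 https_status=200,
                 https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    if len(sys.argv) == 2:  # live check: python hsts_check.py example.com
        host = sys.argv[1]
        results = audit(*fetch(host, "http"), *fetch(host, "https"))
    else:  # offline demo on the constructed samples
        results = audit(**WEAK_SITE) + audit(**GOOD_SITE)
    for line in results or ["no findings"]:
        print("-", line)
```

Run with no arguments to see the findings for the constructed WEAK_SITE (no redirect, no HSTS) and GOOD_SITE (clean); pass a host name to fetch both schemes live. The check only looks at the first response on `/`; a site that redirects to HTTPS on some paths but not others, or that sets HSTS only on certain pages, needs each entry point checked separately, and note that HSTS cannot protect the very first plain-HTTP visit unless the domain is on the preload list.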