Just Don't Use or Trust Bullhorn

[Scott Arciszewski <kobrasrealm () gmail com>]

Story time, FD.

Hopefully I can save someone else from having to deal with the
frustration of dealing with Bullhorn.

March 3, 2014 - I observed that SendOuts (owned by Bullhorn) didn't
use HTTPS even though it was available, nor HSTS once someone
explicitly accessed the https://webconnect3.sendouts.com URL.

When I went to notify them on their support forums, I noticed they
were running an ancient version of phpBB. A version known to be
vulnerable to https://www.exploit-db.com/exploits/16890/ (although I
did not attempt to exploit it, because that would be reckless and
stupid).

October 23, 2014 - After months without hearing a word in response, I
decide to ping them again. This actually got the attention of their
director of support.

November 4, 2014 - After more silence, I send an email asking "Am I
clear to make a post my findings on the Full Disclosure mailing list
without fear of retributive criminal charges?"

Immediately, I get an email from "Andrew Smith | Director, Technical
Operations & Security". The conversation goes like this:

Andrew:

> I was hoping to connect with you on having your concerns addressed, C**** mentioned that these issues are currently 
> scheduled to be fixed, what else can we do to help to resolve any of these matters.

Me:

> No additional concerns; I was wondering when it would be safe to publicly disclose the concerns I sent to C**** in 
> March.
>
> Namely:
> * Lack of HSTS and/or HTTP->HTTPS rewriting (ever heard of sslstrip?)
> * Outdated phpBB as demonstrated here: http://supportforums.bullhorn.com/docs/ which has this vulnerability: 
> http://www.exploit-db.com/exploits/16890/

Andrew:

> I would like to understand your goals in doing that? Security is a major concern for us, but as you know, one that is 
> a constant fight to keep current, for any software provider, with exploits and issues as they arise. As issues arise, 
> they are prioritized, fixed and deployed. These issues have been prioritized and will be deployed  as soon as is 
> possible.
>
> I don't understand your motivation for publicly posting these issues, are you working with any of our clients at 
> present?

And then I explained the history of full disclosure as it relates to
the security industry (really boring), and he said this:

> Thanks for the details, Scott. Yes, we of course use industry standard processes for accepting, resolving and 
> notifying all of our clients of bugs, both application and security. The worry I have is that, this information is 
> delivered by us, the provider, with full explanations of the issues, to the clients themselves via bug and issue 
> tracking systems, not via public forums.
>
> Our public forums are a place where our developers and users can gain information for using and extending our 
> application, to post bug and security fixes there would be misusing the goals of that system.
>
> Thank you for letting us know about the issues and we appreciate your concern.

Finally, they agreed that fixing it is a priority and that Andrew
Smith would let me know when it's fixed so that I could go public
without fear of causing any damage to Bullhorn or its customers.

Epilogue: They updated their phpBB on November 26, 2014, but never
said a word. Liars.

The lessons here?

1. Bullhorn's director of security doesn't understand security.
2. They're a pain in the ass to deal with. If you're looking to help a
company with their security, Bullhorn is a bad choice due to the
personalities involved.
3. Never trust Bullhorn with sensitive information (SSNs, etc.).

I hope that, by sharing this, I saved someone else from a headache or two.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/