How I Discovered And Reported A Security Vulnerability To A Multi Million Dollar Company

Corey Gardner

Photo by FLY:D on Unsplash

One day I was on the internet and discovered a vulnerability in the API of a very big company. I came across the login page for the API and noticed that there wasn’t any sort of captcha protecting the form. Bingo, brute force vulnerability. A brute force attack is when an attacker guesses many different usernames and passwords to see if they can escalate their privileges.

We’ve all dealt with a captcha before, and while we probably find them a minor annoyance, they are very important to maintaining web application security. A captcha is just a puzzle that only a human can solve; it ensures that an actual human, and not a bot, script or program, is making the authentication request.

Naturally I wrote a python script to try a brute force attack on the site. Within a number of seconds I was able to run 2000+ requests with various usernames and passwords. My IP wasn’t flagged or banned, and whoever was supposed to be analyzing the logs was asleep at the wheel.

Because I’m a good guy I decided to report this vulnerability to the company. The first thing I noticed was that they made it very hard for me to find out how to disclose vulnerabilities, but after some searching I found an email address and started writing my first vulnerability report. The report included the details of the vulnerability, how I found it, the script I used to test it and my personal security recommendations.

Obviously I recommended installing a captcha system to prevent scripts from being run against the form. It also would’ve been smart for the company to flag and temporarily ban IP addresses with funky activity, like thousands of failed login attempts in just a few seconds. Locking user accounts after a number of failed login attempts wouldn’t have been a bad idea either.
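To make the second and third recommendations concrete, here is a small server-side login throttle. It is an added example, not the script from the article and not the company's code; the thresholds, the IP addresses and the replayed burst are all constructed for illustration.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Sliding-window throttle for a login form (added example, not the article's script).
    Temporarily bans an IP that piles up failed attempts in a short window and locks an
    account after a smaller number of failures. Thresholds are illustrative assumptions.
    """

    def __init__(self, ip_limit=20, ip_window=60, ip_ban=900,
                 acct_limit=5, acct_window=600, acct_lock=900):
        self.ip_limit, self.ip_window, self.ip_ban = ip_limit, ip_window, ip_ban
        self.acct_limit, self.acct_window, self.acct_lock = acct_limit, acct_window, acct_lock
        self._fails = defaultdict(deque)   # ("ip", addr) / ("acct", user) -> failure times
        self._blocked_until = {}           # same keys -> unix time the block expires

    def check(self, ip, username, now):
        """Call before verifying the password. Returns 'ok', 'ip_banned' or 'account_locked'."""
        if self._blocked_until.get(("ip", ip), 0) > now:
            return "ip_banned"
        if self._blocked_until.get(("acct", username), 0) > now:
            return "account_locked"
        return "ok"

    def record_failure(self, ip, username, now):
        """Record a failed login and apply a ban/lock once a threshold is crossed."""
        for key, limit, window, duration in (
            (("ip", ip), self.ip_limit, self.ip_window, self.ip_ban),
            (("acct", username), self.acct_limit, self.acct_window, self.acct_lock),
        ):
            q = self._fails[key]
            while q and now - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            q.append(now)
            if len(q) >= limit:
                self._blocked_until[key] = now + duration


def simulate_burst(attempts=2000, seconds=10, ip="203.0.113.7"):
    """Replay a constructed burst like the article's: many guesses from one IP in a few seconds."""
    guard = LoginGuard()
    reached = 0                              # attempts that got as far as a password check
    for i in range(attempts):
        now = i * seconds / attempts
        user = f"user{i % 50}"               # guesses spread across many accounts
        if guard.check(ip, user, now) == "ok":
            reached += 1
            guard.record_failure(ip, user, now)
    return reached
```

With the default thresholds the 2000-request burst is cut off after 20 attempts, and an account that collects five failures from several different addresses is locked even though no single IP trips the ban.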

Here’s the sad part: nothing was done about this massive problem. The site remains vulnerable, and for all my hard work all I got was an automated email reply.

A security focused business will have an established pipeline for dealing with vulnerability disclosure and should offer a bug bounty program. It’s incredibly stingy not to offer any monetary reward for responsibly disclosed vulnerabilities that could cost your company everything.

Automating security is a joke; you need to have someone who is on alert and ready to deal with problems as they arise. Fixing vulnerabilities should be a part of each company’s CI/CD pipeline.

Corey’s Corner Podcast: https://anchor.fm/coreys-corner
Gardner App Development: https://gardnerappdev.com
Get Yoked 🍳 https://thoughtsandfitness.com
Learn To Code: https://www.youtube.com/channel/UCfd8A1xfzqk7veapUhe8hLQ