
A Tale of Rejected Bugs

February 16, 2014

With the inception of bug bounty programs, anybody with some knowledge of application security, i.e. a basic understanding of common web vulnerabilities like Cross-Site Scripting, Cross-Site Request Forgery, etc., could pretty much find bugs in any website out there and, while doing so, make some $$$. I mean, if I tell my mom to enter <script>alert(1)</script> in every input box out there and see if she gets a pop-up or not, even she can do it without understanding what she is doing. That’s how bad security was (it still is, but it is definitely improving) maybe a couple of years ago. I actually started participating in some of these programs quite late (sometime in 2013), so my experience with bug bounty programs has been slightly different. By that time, people were already listed in multiple Halls of Fame.

Needless to say, it is not the same anymore. I have realized that it can actually be quite time consuming. And, if you already have a full-time job like me, then bug bounty hunting is like a new job altogether. Having said that, there has suddenly been an influx of bug hunters in the InfoSec industry these days. People have been claiming themselves as “security researchers” aka “hackers” on their blogs, Twitter and LinkedIn. They have Hall of Fame acknowledgements listed as Honors & Rewards in their LinkedIn profiles. I think it is getting a bit too much now. I can understand having the HoF listed on Bugcrowd’s profile page, or tweeting about a bug discovered and the amount of bounty received for it, but listing 20 HoF acknowledgements on LinkedIn? Are you kidding me? Oh, and by the way, do you really think you are a “security researcher” just because you have discovered CSRFs in 20 different websites? I just don’t get it. Anyways, this was a rant I had been wanting to do for a long time, and I will stop here.

Getting back to the topic of the blog, these bug bounty programs obviously come with their fair share of duplicates and rejected bugs. I will try to cover some of the rejected bugs I have had recently.

Session Not Invalidated On Logout

This was a shocker to me when Coindrawer rejected this. I was actually surprised it even existed in the first place, because I’d have thought somebody must have already reported it, considering that they have been live for quite some time now. I am not going to elaborate on what the vulnerability is and how it can be exploited, but it is a pretty well-known vulnerability. Every time I have reported it, it has been accepted and fixed, because it is indeed a security vulnerability and presents considerable risk. This is what they had to say about it:

Hi Anshuman,

We currently don’t consider this to be a threat.

Thank you for your submission. We are constantly making improvements
to our site and invite you to continue to test its security.

I don’t know what to say to this. If they are really making improvements to their site, they would fix this damn thing and not just send me an email template.


Information Leakage

On the ManageWP website, when you change your password, an AJAX GET request is sent to the server with the new password value as a query parameter. Now, unlike a normal HTTP GET request, since this is an AJAX request, I do understand the argument that it is not going to be stored in the browser’s history or log files. However, I have not seen this before, and I strongly believe that sensitive information like passwords should not be sent as query parameters in a GET request. Again, no comments on this one.

[Screenshot: Screen Shot 2014-01-25 at 1.40.35 AM]
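To make the risk concrete, here is an added example (not code from the original post or from ManageWP) that simulates the access-log line a typical web server writes in Common Log Format for a constructed password-change request: the full request target, query string included, is recorded, while a POST body never reaches that line. It also includes a small scanner that flags such leaks in log lines and a redaction helper for the logging side. The endpoint path, parameter names and sample values are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as secrets (assumption; extend for the app at hand).
SENSITIVE_PARAMS = {"password", "new_password", "old_password"}


def access_log_line(client_ip, method, target, status=200, size=51):
    """Common Log Format line as Apache/nginx write it: the full request
    target (path AND query string) is recorded, the request body is not."""
    return (f'{client_ip} - - [25/Jan/2014:01:40:35 +0000] '
            f'"{method} {target} HTTP/1.1" {status} {size}')


def find_leaked_params(log_lines, sensitive=SENSITIVE_PARAMS):
    """Detection: return (line_no, param) for each sensitive query parameter
    found in the request-line part of an access-log entry."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        try:
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not a request line
        for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name.lower() in sensitive:
                hits.append((line_no, name))
    return hits


def redact_target(target, sensitive=SENSITIVE_PARAMS):
    """Mitigation on the logging side: mask secret values before the line is
    written (the real fix is to move them out of the URL entirely)."""
    parts = urlsplit(target)
    masked = [(k, "REDACTED" if k.lower() in sensitive else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(masked)))


# Constructed sample traffic: the AJAX GET the post describes (endpoint path
# and parameter names assumed), and the same change sent with a POST body.
GET_TARGET = "/account/change-password?new_password=hunter2&remember=1"
POST_TARGET = "/account/change-password"
LOG = [
    access_log_line("203.0.113.7", "GET", GET_TARGET),
    access_log_line("203.0.113.7", "POST", POST_TARGET),  # body never logged
]

if __name__ == "__main__":
    print("\n".join(LOG))
    print(find_leaked_params(LOG))   # [(1, 'new_password')]
    print(redact_target(GET_TARGET))
```

The same request line is what a reverse proxy or CDN in front of the application would log, which is why the AJAX argument does not remove the exposure.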


I wanted to mention a couple more bugs, but I will save them for the next post!


From → Security

3 Comments
  1. Yeah. I’m pretty sure the AJAX request would still get into the server’s logs. They would /definitely/ get stored in corporate proxy logs and the like.

    • Not according to ManageWP. They don’t consider it a risk.

    • Jovan

      A proxy does not store this if it is an HTTPS connection. SSL does the encryption.
