Vulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions against vulnerability researchers in “Computer Experts Face Backlash”.

The AT&T website vulnerability is part of a growing new trend in vulnerability disclosures. As software and services move from traditionally installed software to SaaS and into the cloud, more vulnerabilities are going to exist only in code running on one organization’s web server. This makes the case that website vulnerability disclosures are beneficial somewhat different from the case for disclosures about software that is installed on many customer devices.

The first issue with vulnerabilities in code running on a website is that, to do the research in the first place, the researcher needs to interact with computers that they don’t own. Traditional vulnerability research occurs on the researcher’s equipment or on equipment they have permission to use. Website research risks crossing the line into unauthorized access, or exceeding authorized access, as defined by the CFAA (Computer Fraud and Abuse Act).

What constitutes exceeding authorized access on a public website is a bit of a gray area. On one hand, sending a large buffer to a web application that causes it to crash and execute the code of your choosing seems like exceeding authorized access. No one would ever think the application was designed to do that, and clearly executing your own program is very different from interacting with a web page. But what about a web site that was designed to display the email address associated with an ID when the user enters that ID? Is it exceeding authorized access to put in a random ID and get the email address associated with it back? The website is working as its designers intended.
The latter case is exactly the vulnerability (now fixed) in the AT&T website that affected iPad 3G users. Anyone who registered on the AT&T website entered their iPad’s ICC-ID and an email address. After they had registered they could return and enter just the ICC-ID, and the web page would display their email address. Researchers from Goatse Security noticed this, tried entering random ICC-ID numbers into the website, and discovered that for valid ICC-IDs they would get the owner’s email address in response.

At this point Goatse Security had enough to demonstrate the vulnerability and report it to AT&T. But as is often the case when a tiny organization with little track record is reporting an issue to a huge multinational company, they gathered enough information to make the story newsworthy and got a third-party organization to contact the company. In fact, they harvested 114,067 email addresses. So a wrinkle in this “gray area” of exceeding authorized access may be how much information is gathered. If AT&T prosecutes, as they have stated they will, we will get to find out whether this behavior exceeded authorized access in the eyes of the court.

There is clearly a benefit to Goatse Security’s work. AT&T had the opportunity to fix their website before any information about the vulnerability was made public. A vulnerability that disclosed information that could have been used by criminals to target iPad owners, both over email and over the GSM network, has been remediated. Furthermore, the iPad owners have been notified and can take corrective action, such as being more vigilant about iPad-targeted attacks over email or changing their ICC-ID with a new SIM card. It is hard to see any downside to their actions. They never disclosed the information they obtained to prove the vulnerability to a third party, and they say they have destroyed it. We need a way for researchers who discover vulnerabilities in web applications to report them without being prosecuted.
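One defensive takeaway from the lookup described above is that this kind of ID-to-email enumeration leaves a recognizable pattern in the web server's own logs. The following detector is added here as an illustration and is not code from the original post or from AT&T; it parses constructed combined-format access log lines for a hypothetical /iccid-lookup endpoint (the endpoint name, the client IPs and the 19-digit ICC-IDs are all made up) and flags clients that query many distinct ICC-IDs within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-format access log line for the hypothetical /iccid-lookup endpoint (assumed name).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"GET /iccid-lookup\?ICCID=(?P<iccid>\d{19,20}) HTTP/1\.[01]" '
                     r'(?P<status>\d{3})')

# Constructed sample log: one benign lookup, then one client walking consecutive IDs.
SAMPLE_LOG = """\
198.51.100.4 - - [09/Jun/2010:10:00:00 +0000] "GET /iccid-lookup?ICCID=8901410000000000123 HTTP/1.1" 200 512
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /iccid-lookup?ICCID=8901410000000000001 HTTP/1.1" 200 512
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /iccid-lookup?ICCID=8901410000000000002 HTTP/1.1" 404 98
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /iccid-lookup?ICCID=8901410000000000003 HTTP/1.1" 200 515
203.0.113.7 - - [09/Jun/2010:10:00:04 +0000] "GET /iccid-lookup?ICCID=8901410000000000004 HTTP/1.1" 200 509
203.0.113.7 - - [09/Jun/2010:10:00:05 +0000] "GET /iccid-lookup?ICCID=8901410000000000005 HTTP/1.1" 404 98
203.0.113.7 - - [09/Jun/2010:10:00:06 +0000] "GET /iccid-lookup?ICCID=8901410000000000006 HTTP/1.1" 200 520
203.0.113.7 - - [09/Jun/2010:10:00:07 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
""".splitlines()

def parse_lookups(lines):
    """Yield (ip, timestamp, iccid, status) for lookup requests; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["iccid"]), int(m["status"])

def find_enumerators(lines, window_s=60, min_distinct=5):
    """Return {ip: report} for clients querying >= min_distinct distinct ICC-IDs within any
    window_s-second window; 'valid_hits' counts 200s (an address was disclosed)."""
    per_ip = defaultdict(list)
    for ip, ts, iccid, status in parse_lookups(lines):
        per_ip[ip].append((ts, iccid, status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i in range(len(events)):
            ids, hits, j = set(), 0, i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                ids.add(events[j][1])
                hits += events[j][2] == 200
                j += 1
            if len(ids) >= min_distinct:
                ordered = sorted(ids)  # consecutive IDs are a strong sign of systematic enumeration
                flagged[ip] = {"distinct_ids": len(ids), "valid_hits": hits,
                               "sequential": all(b - a == 1 for a, b in zip(ordered, ordered[1:]))}
                break
    return flagged
```

The same per-client counting can be done at a rate limiter in front of the endpoint, which stops the disclosure rather than only recording it.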
As long as the owners of the web site have the opportunity to make corrections to address the vulnerability before disclosure, this will benefit users in the long run. The challenge is in determining what is an attack and what is research. When does research become exceeding authorized access under the CFAA? These questions don’t exist for research into vulnerabilities in traditional software that is installed on a machine the researcher owns. As sensitive information moves from local machines and servers to databases and files on the internet, access to this information is mediated by potentially vulnerable web applications. If good-faith, responsible research can’t continue to follow software as it moves from desktops and servers to the cloud, then data security overall will suffer.

But we shouldn’t kid ourselves and think that research alone can make an application more secure. It can point out bugs here and there, but it can never make an application secure. To do that, web app developers need to test their software for security vulnerabilities before they deploy it to the internet. A vulnerability report from a researcher is a wake-up call that security testing was inadequate. Organizations need to demonstrate to their customers that they have conducted adequate testing before they deploy their applications, and certainly before they attract the attention of researchers. That is the real solution for security on the web. Unfortunately we are still in a phase where researchers need to keep demonstrating the need for more security testing.


About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (5)

Andy Steingruebl | June 14, 2010 6:05 pm

To self-promote a little - some people do have website vulnerability disclosure policies that allow researchers to responsibly disclose without fear of prosecution.

Security Disclosure Policies That Remove Chilling Effects

mac | June 16, 2010 10:21 am

When is work "research" and when is it just plain "hacking"? Can anyone just claim that they did "something" in the name of science as a "researcher"?

OscarZ | June 17, 2010 10:45 am

Interesting comments.

As a long time vuln analyst, I am uncomfortable seeing Goatse here in this difficult position. I will be surprised if they do not get criminal charges. Unfortunately, we know what they did was ethical, well meaning (probably had some 'not so well meaning motives' as well, but not nasty ones)... and simply inexperienced.

This is, really, a new situation.

Best for everyone: if it is taken into consideration that the webpages were publicly accessible, and that the vendor was warned, further that no data was abused.

This sort of disclosure has been done plenty of times in the past. What is the difference here?

The political environment is one. People are increasingly impatient with the Apple-ATT romance. There has been a confluence of bad slips in this relationship recently which has raised this issue already to the surface.

Two, they did not just say, "this error is on the site". They did not just prove one access could be done. They proved well over a hundred thousand. And they sent that proof - confidential data - to journalists. Who knows where else they sent it? That forces an investigation.

Three, they grabbed the email addresses of a huge range of powerful people. People who do not necessarily grasp the meaning and context of the research, just as many journalists do not.

(Read: hyped news stories and inaccurate depictions of 'what really happened'. No one was really "hacked". It was a research discovery. As far as we know at this time.)

Four, the iPad is huge and just came out.

For us in comp sec, however, it highlights just how shoddy websites are in comparison with desktop and network applications. Further, how these two are very much entwined, regardless.

It is a sort of cloud attack.

There has to be room here for stronger pressure from the ethical research community for corporations to cover their web app bases. Just as there was and is in the full disclosure movement on applications people can lawfully pry into.

But how is this to really be done in a comparative way?

Hard problem.

Rob Lewis | June 17, 2010 9:46 pm

Nice post. A sound position to take going forward.

As Jeremiah says though, what about the 7.8 million vulnerabilities (plus) already out there?

Jim Jones | August 1, 2010 1:19 pm

"....what about the 7.8 million vulnerabilities (plus) already out there?"

Stop using WinBlows and Hackintosh. Require TLS 1.2 & stop all other SSL key negotiation at core routers. Require 4G..... it's a start...
