When our analysts discovered six vulnerabilities in PayPal – ranging
from dangerous exploits that can allow anyone to bypass their
two-factor authentication (2FA), to being able to send malicious code
through their SmartChat system – we were met with non-stop delays,
unresponsive staff, and lack of appreciation. Below, we go over each
vulnerability in detail and why we believe they’re so dangerous.
When we pushed the HackerOne staff for clarification on these issues,
they removed points from our Reputation scores, relegating our
profiles to a suspicious, spammy level. This happened even when the
issue was eventually patched, although we received no bounty, credit,
or even a thanks. Instead, we got our Reputation scores (which start
out at 100) negatively impacted, leaving us worse off than if we’d
reported nothing at all.
[...]
# PayPal’s reputation for dishonesty
PayPal has been on the receiving end of criticism for not honoring its
own bug bounty program.
Most ethical hackers will remember the 2013 case of Robert Kugler, the
17-year old German student who was shafted out of a huge bounty after
he discovered a critical bug on PayPal’s site. Kugler notified PayPal
of the vulnerability on May 19, but apparently PayPal told him that
because he was under 18, he was ineligible for the Bug Bounty Program.
According to PayPal, the bug had already been discovered by someone
else, but they also admitted that the young hacker was simply too
young.
Another researcher earlier discovered that attempting to communicate
serious vulnerabilities in PayPal’s software led to long delays. In
the end, frustrated, the researcher promised to never waste his time
with PayPal again.
There’s also the case of another teenager, Joshua Rogers, also 17 at
the time, who said that he was able to easily bypass PayPal’s 2FA. He
went on to state, however, that PayPal didn’t respond after multiple
attempts at communicating the issue with them.
PayPal acknowledged and downplayed the vulnerability, later patching
it, without offering any thanks to Rogers.
# The big problem with HackerOne
HackerOne is often hailed as a godsend for ethical hackers, allowing
companies to get novel ways to patch up their tools, and allowing
hackers to get paid for finding those vulnerabilities.
It’s certainly the most popular, especially since big names like
PayPal work exclusively with the platform. There have been issues with
HackerOne’s response, including the huge scandal involving Valve, when
a researcher was banned from HackerOne after trying to report a Steam
zero-day.
However, its Triage system, which is often seen as an innovation,
actually has a serious problem. The way that HackerOne’s triage system
works is simple: instead of bothering the vendor (HackerOne’s
customer) with each reported vulnerability, they’ve set up a system
where HackerOne Security Analysts will quickly check and categorize
each reported issue and escalate or close the issues as needed. This
is similar to the triage system in hospitals.
These Security Analysts are able to identify the problem, try to
replicate it, and communicate with the vendor to work on a fix.
However, there’s one big flaw here: these Security Analysts are also
active Bug Bounty Hackers.
Essentially, these Security Analysts get first dibs on reported
vulnerabilities. They have full discretion over the severity assigned
to the issue, and they have the power to escalate, delay or close the
issue.
That presents a huge opportunity for them, if they act in bad faith.
Other criticisms have pointed out that Security Analysts can first
delay the reported vulnerability, report it themselves on a different
bug bounty platform, collect the bounty (without disclosing it, of
course), and then close the reported issue as Not Applicable, or
perhaps Duplicate.
As such, the system is ripe for abuse, especially since Security
Analysts on HackerOne use generic usernames, meaning that there’s no
real way of knowing what they are doing on other bug bounty platforms.
______
I am always uncomfortable with the phrase "ethical hacker".
Hacking is always an ethical act: an ethic based on curiosity, aimed
at the pursuit of knowledge.
The fact that collaborating with those responsible for a security
flaw in delaying the dissemination of the information is labelled
"ethical" is partly a symptom and partly a cause of the dreadful
level of security in computing.
If every security flaw were immediately and anonymously spread
through the mass media, after a couple of corporate bankruptcies we
would have much more secure software.
Windows would be the most secure operating system on the planet.
(or Microsoft would no longer exist...)
Instead, we have HackerOne.
Giacomo
_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa