What happened? Stripchat is a website owned by Technius Ltd. in Cyprus that hosts a large amount of aduld webcam operators. The owner has been reprimanded by the Cyprus data protection authority for a breach of over 64 million user accounts and not informing them properly about the breach. I didn’t know the website before, but on Oktober 22 2019 I get an e-mail from the website that an account has been created on this website....
TLDR: It depends. People who discover bugs and security vulnerabilities and want to improve security by publishing about their findings generally have a substantial task managing competing interests in the process. Publishing your findings can help others learn from that single mistake by installing a known patch, learning what mistakes not to make when building systems, knowing what vendors to avoid or taking other measures. However publishing can also introduce risks by informing people how to abuse vulnerabilities....
A common theme when trying to report unlawful tracking on websites and apps is that it can be ambiguous whether CVD is meant for these kinds of issues. Is it really a security vulnerability or even a breach of security? My assumption is that generally security policies dictate that security measures are in place to protect against unauthorised and unlawful disclosures of personal data. If that’s the case, when I find unlawful disclosure of personal data I assume there has been a breach of security policy or even technical measures and that it’s fair to report under CVD to allow the organisation to stop the breach and take appropriate measures to prevent further breaches....
While discussing Coordinated Vulnerability Disclosure I often experience that people strongly focus on coordinating the vulnerability information with organizations, while the disclosure part is often ignored or even actively discouraged. The last blog I wrote here was actually about a company that argued I had agreed to an enforceable non-disclosure agreement just by visiting their website and reporting a breach. Like my other CVD-related posts, this too is mainly focussed on lessons about the disclosure process....
Recently I have investigated online tracking on the websites of Dutch Political Parties. Read more about that investigation here: Dutch English Included in that investigation is my request to remove the unlawfully collected personal data. Today I received a response stating that the platform is ‘unable to action a request without verifying the identity of the requester’. While that response is more than three months too late and doesn’t request any further identification, I will assist the identification effort through this blogpost....
Vincent Manancourt of Politico has published an article including my research into unlawful online tracking on the websites of Dutch political parties.
Here is another blog about Plimus. It seems like they don’t want to communicate or fix security issues instead they continue building new features. It’s a shame that a company that handles money as a primary business doesn’t have security as a top priority. This blogpost is about a feature that I have warned Plimus about, but haven’t been able to test because a Plimus employee actively refused to give me access to this feature, even after the engineer in charge for security asked me explicitly to test and report more security problems....
It’s been a while since I have reported a few security bugs to Plimus. It took a few blogposts explaining the issues publicly before I got in contact with an engineer. I understand that making backwards incompatible changes to your customer facing API’s is not a trivial task, however the way Plimus handles these issues is just terrible. One engineer asks me for more feedback while in the same mail thread another Plimus employee demands proof I’m PCI certified and wants to know what applications I’m going to build before I get access to the test API of Plimus....
Laptops are easy to lose or steal and you don’t want any potentially sensitive data to be stolen too. For that purpose many companies now require disk encryption. The OpenBSD softraid CRYPTO discipline has grown to be a mature piece of software and since I was long due for a fresh OpenBSD installation anyway I decided to give it a try. Let’s start with the goals: No user files should be recoverable when the laptop gets lost or stolen without knowledge of my passphrase....
This morning I got a phone call from a phone number in Isreal. It was Tal, an engineer from Plimus. Tal wanted to know about the issues I had found and what solutions I had in mind. Tal also explained their plans for fixing all issues and all the issues that are involved with changing their API. I’ll be keeping an eye on Plimus to see how they are doing, but now I’m confident that someone at Plimus understands their security issues and they are working on fixing them....