Don't invite free crowd-sourced security/penetration testing via a Firefox bug report.


ArsTechnica: Firefox gets complaint for labeling unencrypted login page insecure.

The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.

"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

I emphasized a portion of the above quote.

Unfortunately, making a statement that a web site has never been breached in 15+ years is similar to painting a bulls-eye on it. :astonished: 



A Reddit user, redditpentester, called the person who filed the bug report:

[–]redditpentester 150 points 12 hours ago* 

So. Believe it or not, his number is on the website. I just called him. He was quick to answer too. Twice, actually. Pretty surreal the first time (cannot believe the confidence some people have). All of this is from a VOIP number that shows up as "Private" so he won't be calling back or anything (for better or worse, it would probably be funny/cool). I'll type out my transcript and reply to first comment to get visibility:

Him: "Hello?"
"Hey, I'm looking for a user by the name of dgeorge?"
Him: "I'm dev George."
"When the entire internet browser ecosystem warns you that your website is insecure, why didn't you listen?"
Him: "The website isn't insecure, it's very secure."
"It's not. An entire professional community is talking right now about how it's not secure."
Him: "No it's not, the website is fine."
"I'm trying to share facts with you right now."
[hangs up]

Second call:
Him: "Hello?"
"Try to log into your website. I'll wait."
Him: "Who is this?"
"That really can't be your first priority right now, please. I'm trying to help you. Not everyone out there is. Log into your own website, it'll take just a moment and you'll see. It's all you have to do to catch up and sooner deal with being sued, being yelled at by any customers you might have, etc. Be an adult, you have to save your own a__ right now."
Him: [pauses] "Okay..." [groans] ...
Him: "It says server error."
"Yeah and it's probably going to get worse than that. Here's the deal. I woke up today and the places I read from and the people I talk to were all discussing your website and that it's completely broken and what has happened is people found your mozilla bug report; your database table with your users and passwords has been destroyed. I can't explain too much of how or why because this is something people go to school to learn about but essentially, and I say this as a professional, your website is anything but secure. You're in a good spot all things considered because this way, the info for these accounts cannot be shared any longer. You're lucky to have your entire database destroyed. The rumor is, and I haven't verified this part, that you have credit information that is easy to retrieve as well?"
Him: "No, that's not true, we have all of it sent to a secure separate location." (Probably thinking of his payment processor/third party.)
"Okay, so that is good news but I will add, not sure if you're familiar with what SSL is but it says on your website that you use it. You do not. It would be very easy for someone, even with limited experience, to intercept a transaction and the card information if you were ever unlucky enough for someone to have noticed your site's vulnerabilities before today."
Him: "Okay."
"Okay so don't worry about me, or who I am. Just search your own information and username on Google, I wish I could link you but obviously we're over the phone. Search your own information and you will see the articles talking about your site. Alternatively, type a single quotation into your login field and you will see it's broken. I can't do much because like you, I have a job and a life to deal with but best of luck and hope it goes smoothly from here on out."
Him: "Thanks, okay."

I censored the above quote.

Further down in the Reddit post is a screen capture showing that credit card information (subscription to the site is $400/year) was also submitted without encryption.
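As an added illustration of the warning the article describes (this is not code from the article, the forum post or Mozilla), the following Python script applies the rule behind Firefox's insecure-password warning to a page: a password field is flagged when the page itself was loaded over plain HTTP or when its form posts to an http:// action. The sample login form and URLs are constructed for the example.

```python
"""Flag password fields Firefox would mark insecure (added example, not the
article's, the forum post's or Mozilla's code; sample page is constructed).
Rule: flag when the page is plain HTTP or the form posts to an http:// action."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each password input together with its enclosing form action."""

    def __init__(self):
        super().__init__()
        self._form_action = None  # action of the form currently open, if any
        self.findings = []        # (field name, form action) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # valueless attributes come through as None
        if tag == "form":
            self._form_action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append((a.get("name") or "?", self._form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def insecure_password_fields(page_url, html):
    """Return the names of password fields that would travel without TLS."""
    scanner = _FormScanner()
    scanner.feed(html)
    insecure = []
    for name, action in scanner.findings:
        # Empty or relative actions resolve against the page URL itself.
        target = urljoin(page_url, action or "")
        if urlsplit(page_url).scheme != "https" or urlsplit(target).scheme != "https":
            insecure.append(name)
    return insecure


# Constructed subscriber login form: relative action, so it inherits the page's scheme.
SAMPLE_HTML = """<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>"""

if __name__ == "__main__":
    print(insecure_password_fields("http://example.test/login", SAMPLE_HTML))   # ['pass']
    print(insecure_password_fields("https://example.test/login", SAMPLE_HTML))  # []
```

An HTTPS page whose form action points at an http:// URL is flagged as well, which is the second case Firefox warns about.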

oldbooks1