Companies that want responsible disclosure should reinforce it.
Today’s post is a reminder that if you make claims on your web site that you take privacy and security very seriously and that you respond promptly to responsible disclosures, you really need to suit your actions to your words.
On July 7, Timothy French of Underdog Security contacted LG to report that they had found an MSSQL injection vulnerability in a subdomain on LGE.com. They responsibly notified LG Product Security, including a proof of concept and an offer to answer any follow-up questions LG security might have.
LG responded positively and promptly on July 8.
And then… nothing. No progress reports, no updates, nothing.
Underdog Security followed up by requesting updates and progress, but a month later the vulnerability was still unpatched and the researchers had gotten no substantive update from LG Product Security, despite the statement on LG’s site about promptly investigating reports and keeping vulnerability reporters informed at all steps in the process.
Given that the vulnerability was potentially quite serious (if I understood their analysis correctly), they reached out to DataBreaches.net to see if I could get LG to take the matter more seriously or to provide an update.
On August 6, I sent an email to LG’s media department with a cc: to Product Security. My inquiry read, in small part:
Frustrated with LG’s failure to uphold its own responsible disclosure processes, the researchers have given their findings to the media. And I am looking at their POC for a vulnerability that they claim could result in an attacker rooting your entire network and/or using the network to spread malware or phish other users.
Does LGPSRT agree with the researchers’ assessment of the critical nature of the reported vulnerability?
LG’s communications department did not respond to my inquiry, but I did receive an auto-response from Product Security:
Period : 2019/08/05 ~ 2019/08/15
LG PSRT is not available for reply during the following period due to business trip. (8/5 ~ 8/15, UTC+09:00)
LG PSRT will reply as soon as possible after returning from business trip.
We apologize for any inconvenience.
I never heard from them again — or LG’s communications department.
Ten days later, Underdog Security sent another email to LG, basically threatening full disclosure if the matter wasn’t addressed promptly after all that time. A few days later, the subdomain was removed. Underdog Security subsequently received a pretty lame explanation and apology for the delay that stated that because the involved subdomain service was not a regular service, it had been difficult to find the person in charge. For more than one month? Seriously, LG?
Asked about the delay in resolution and whether responsible disclosure is always the route to take, Tim commented:
This vulnerability had the potential to be escalated to code execution, and yet the company took their sweet time addressing the problem. Full disclosure likely would have expedited this process immediately.
So the question you have to ask: is responsible disclosure always the right thing to do? Typically, yes. However, what if something affecting millions is left in the wild unaddressed for any period of time going past a month, leaving staff and consumers at risk?
That’s a fair question. Recently, I have mentally criticized a number of researchers for rushing to disclosure before leaks are secured or because the researchers are trying to promote themselves or hype their findings with exaggerated headlines. We don’t need more FUD, but we do need community standards for when it is appropriate to go full disclosure if you cannot get a response or action from an entity.
In this case, LG’s web site on security issues asked researchers to disclose responsibly and to keep their findings confidential until they could be addressed. In exchange, LG said they would keep researchers apprised at all steps in the process. They didn’t. Why should any researchers take them seriously in the future? Why should anyone who is not paid to do this continue trying to help a company that keeps ignoring their own promises?
If companies want to encourage responsible disclosure, then they need to reinforce it — if not by bug bounty programs, then by at least acknowledging and responding in a timely fashion, and ideally, by publicly thanking those whitehats who have tried to help them improve their security.
I realize that I have not addressed the actual vulnerability in this matter. I am not a security professional and am only looking at the behavior and psychology of asking for responsible disclosure and then not holding up your end of an agreement.
You can read Underdog Security’s report on the vulnerability and their attempts to get it addressed in a timely fashion on zero.lol. You can follow Timothy French on Twitter @leet_sauce and @UDSec_UK.
For more information on responsible disclosures, see GDI Foundation and follow them on Twitter @GDI_FDN.