“Vulnerability disclosures do take very weird turns from time to time”
Updated 16:00 BST, September 10, 2020. DI says the bug has been fixed.
Digital Interruption, a penetration testing company based in Manchester, UK, had run into a problem. Its co-founder had encountered an apparently serious security vulnerability in an application, “Giggle” (“a girls-only networking platform”), that she had downloaded, and had tried to report it to the company responsible.
Digital Interruption — founded by Jahmel Harris and Saskia Coplans in 2017 — sent Giggle an initial DM, explaining that they represented a “cyber security company in the UK” and had “discovered some issues with the Giggle app.” Was there, they wondered, someone they could discuss this security vulnerability with?
Two days later, they had not received a response, so they contacted Giggle publicly on Twitter, with the caveat that they “disagree with a lot of the views” of Giggle’s founder Sall Grover, a self-declared “Trans-Exclusionary Radical Feminist” (TERF).
— Digital Interruption (@DI_Security) September 8, 2020
The reply was crisply dismissive: “Negatively evaluating my views which are in favor of females when you want to talk about security on a female app is not a great way to start a business conversation. No thank you,” came the prompt response; followed with the comment that “Giggle HQ has a security team. We don’t need random Twitter people. Move along.”
The debate escalated, claims and counter-claims proliferated, and both parties were left feeling slighted, misunderstood, and mobbed. Digital Interruption’s Saskia Coplans noted: “What has been staggering is the viciousness of the gender critical and ‘pro-women’ community and how quick they are to go on the attack with so little background information, a total disregard for the safety of users… and seemingly no understanding of information security.”
Giggle founder Sall Grover meanwhile told Computer Business Review in a DM that “if you are going to write an article about this, I would hope it would be about how a company tweeted at me that they disagree with my views ‘but…’ followed by hundreds of Tweets from people calling me a transphobe and a TERF. That is the story here.”
Giggle Security Bug: An IDOR, Say Experts.
Giggle, meanwhile, doubled-down on its conviction that the bug simply does not exist. Founder Sall Grover told us: “I invited over 100 people to email Giggle HQ today and they did not. Not one…. In the meantime, Giggle’s security team was able to comb through Twitter to find out what they were saying and run tests. The claims that have been made are false, regarding both security and me being a transphobe.”
Updated: Giggle now acknowledges the bug and says it has been fixed.
*shocked Pikachu* pic.twitter.com/ukfgSXOkip
— Jay Harris (@JayHarris_Sec) September 11, 2020
The security flaw, from evidence seen by Computer Business Review, appears to be a form of “insecure direct object reference” vulnerability (IDOR): a class of bug in which an application exposes a reference to an internal object, such as a numeric user ID in a URL or API call, and fails to check that the requester is actually authorised to access that object, so an attacker can change the reference and pull other users’ data through the application’s own API.
If a user who retrieves their own data from https://journoexample.com/account.php?id=1 can also retrieve another user’s data simply by requesting https://journoexample.com/account.php?id=99, that, very crudely, is an IDOR bug. Giggle, like many apps, asks for wide permissions and holds sensitive data, including the biometric image used to verify sign-up and the user’s location; if this is indeed the issue, it is a serious data privacy risk.
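To make the pattern concrete, here is an added example (not Giggle’s code, nor Digital Interruption’s) of a minimal “account” lookup in its vulnerable and fixed forms, together with the enumeration check a tester would run against such an endpoint. The user records, the numeric IDs and the handler names are constructed for illustration; the only thing that matters is where the authorisation check sits.

```python
# Added example, not Giggle's code: a minimal "account" endpoint in the
# vulnerable and fixed forms, plus the enumeration check a tester runs.
# The user records and numeric IDs below are constructed for illustration.

class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


# Hypothetical backing store for https://journoexample.com/account.php?id=N
USERS = {
    1:  {"name": "alice",   "phone": "+44 7700 900001", "location": "Manchester",
         "verification_photo": "alice.jpg"},
    7:  {"name": "beth",    "phone": "+44 7700 900007", "location": "Leeds",
         "verification_photo": "beth.jpg"},
    99: {"name": "mallory", "phone": "+44 7700 900099", "location": "London",
         "verification_photo": "mallory.jpg"},
}


def account_vulnerable(session_user_id, requested_id):
    """IDOR: trusts the client-supplied id and never checks ownership.

    session_user_id is who the caller authenticated as; requested_id is the
    ?id= parameter. Any logged-in user can read any record.
    """
    return USERS.get(requested_id)


def account_fixed(session_user_id, requested_id):
    """Same endpoint with an authorisation check on every object reference.

    The check runs before the lookup, so a missing id and a foreign id look
    identical to the caller (no account-existence oracle).
    """
    if requested_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read account {requested_id}")
    return USERS.get(requested_id)


def account_from_session(session_user_id):
    """Stronger pattern: derive the object from the session and accept no id at all."""
    return USERS.get(session_user_id)


def enumerate_leaks(handler, session_user_id, id_range):
    """Pentest check: request every candidate id as one user and report which
    foreign ids returned data. An empty list means the endpoint held up."""
    leaked = []
    for candidate in id_range:
        if candidate == session_user_id:
            continue
        try:
            record = handler(session_user_id, candidate)
        except Forbidden:
            continue
        if record is not None:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_leaks(account_vulnerable, 1, range(1, 101)))
    print("fixed:     ", enumerate_leaks(account_fixed, 1, range(1, 101)))
```

Note that making the IDs unguessable (random tokens instead of 1, 7, 99) would slow the enumeration but not close the hole; only the ownership check in `account_fixed`, or the session-derived lookup in `account_from_session`, does that.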
Indeed, as Digital Interruption notes: “Giggle has sections encouraging women to find support on abortion, abuse, addiction and relationships among other categories.
“The amount of available data means that with a phone number or name, an abusive partner would potentially be able to find the location of an abused woman and confirm her identity with the verification picture. There is also a section for sex workers, who, understandably would expect any app enabling them to advertise their work to have adequate privacy and security controls. Even if a user deletes their account, that data appears to still be saved by giggle.”
(This type of bug regularly afflicts bigger outfits than Giggle. Ken Munro, from security firm Pen Test Partners, notes that cybersecurity specialist SonicWall had a “gaping hole” in its cloud firewall management API this month as the result of an IDOR. Pen Test Partners say that bug represented “a trivial method to compromise every single cloud managed device attached to mysonicwall.com, affecting around 1.9 million user groups across hundreds of thousands of organisations”. It took 14 days to patch.)
Responsible Disclosure is a Massive Headache Still
Trans rights, women’s rights, and gender politics aside, the Giggle security debate captures, once again, just how hard responsible disclosure remains.
Most companies still appear to be ill-equipped to deal with unsolicited security vulnerability disclosures. (See last year’s Atrient case for a classic example of things spiralling out of control: security researcher Dylan Wheeler spotted kiosks, connected to internal casino networks, communicating home in unencrypted plain text, tried to report it, and ended up embroiled with the FBI and in a public fracas.)
Awareness is growing that having a clear port of call for security disclosures is important. This is beginning to reach the public sector too. Just last week the US Cybersecurity and Infrastructure Security Agency issued a binding operational directive requiring federal civilian agencies to develop and publish a Vulnerability Disclosure Policy (VDP) and “maintain supporting handling procedures”, with the first deadline, a registered security contact for every .gov domain, falling within 30 days.
That means setting up a “security@[example].gov” contact for each domain, regularly monitoring the email address associated with it, and staffing it with personnel “capable of triaging unsolicited security reports for the entire domain.”
(While building this kind of team may be tough for smaller organisations, setting up a page on your website with a security@ email address should not…)
As one experienced penetration tester, Orange Cyberdefense’s Charl van der Walt, told Computer Business Review: “I would think that a business that works with this kind of information [like Giggle] should have a formal, resourced and practiced process in place to respond to vulnerability disclosure, and I think the [Digital Interruption] is right in saying that (politics aside) their clients would’ve expected them to respond seriously and formally according to their defined processes.”
Ken Munro thinks Digital Interruption got it wrong by making overtures on Twitter. With the caveat that “I think the team at DI are doing amazing work, but vulnerability disclosures do take very weird turns from time to time” he notes that making contact via Twitter was probably the wrong approach, as was mentioning their position on Sall Grover’s views.
He said: “It’s common to find that social media teams don’t understand how to handle vulnerability reports. In my personal experience these are often ignored or put to one side as ‘don’t know what to do with this’ and there is no escalation process they’re aware of. I’ve switched to starting disclosures via LinkedIn, as the initial communications are less visible than a security [researcher] asking a vendor publicly if they can DM… Second, I believe it was a mistake for DI to reference personal views in the public tweet. I don’t think anyone would perceive their attempt to disclose as an endorsement of the Giggle founder’s views. We’ve found vulnerabilities in some vendors whose activities we found quite distasteful, but one shouldn’t let that get in the way of the end objective, which is having the vuln fixed and protecting their customers.”
What are your views on this disclosure? What’s the oddest experience you’ve had trying to disclose? Let us know.