Black Hat Dylan Ayrey, a bug hunter and CEO of Truffle Security, discovered a big data company credential dump containing personal information belonging to about 50,000 of its users, and the company still hasn’t fixed it.
This happened while he was researching cross-site scripting (XSS) vulnerabilities, and through the disclosure and reporting process, this data passed through several third-party systems: the bug bounty platform, XSS Hunter and Gmail among them, not to mention his own hard drive and backups.
Turns out the FAANG (Facebook, Amazon, Apple, Netflix and Google in the pre-Alphabet days) biz never disclosed the dump, and Ayrey and the third parties still have access to the sensitive data.
Ayrey detailed this bug hunting expedition onstage at the Black Hat conference in Las Vegas, and the punch line is that this isn’t an isolated experience. There’s a ton of personal data stored on researchers’ laptops and bug bounty platforms, some of which don’t require multi-factor authentication to access, Ayrey said.
“I talked to a couple of friends that I know that are pretty good bug hunters, and 100 percent of them said that their Bugcrowd accounts and HackerOne accounts are exactly the same,” he said. Once they’re logged into their accounts, researchers can access and download data associated with now-closed vulnerability tickets.
Most bug bounty programs didn’t OK Ayrey’s requests to discuss these flaws during his Black Hat talk. Google, however, did sign off on Ayrey’s talk. And after viewing it in advance — specifically the part where Ayrey disclosed accidentally ending up with “tens of thousands of user records” after disclosing an exploit that the cloud giant later fixed — Google made some changes to its systems.
Two years after finding the bug, Ayrey said he could still log in and access all of that user data. He asked Google to delete the ticket. Nothing happened. “Until a couple of days ago, when I shared an advance copy of the slide deck with them,” he said, showing an email he received in response. It said:
While the Google story had a happy ending, another similar incident ended differently. This one involved “a lot fewer user records” from a “pretty large, significant company” that had previously given Ayrey permission to name them in his session.
“And when they got an advanced copy of the slide deck, they actually changed their minds,” he said.
Why do data leaks happen?
Sometimes these data dumps happen by accident, and other times it’s intentional. Oftentimes, companies’ vulnerability programs pay higher bounties to researchers that can prove the bug’s potential impact — such as by leaking sensitive information, Ayrey said.
This isn’t to say these programs are bad: “We do believe bug bounties are a positive force for change, and that companies that run bug bounties are in a better place than companies that don’t,” he added.
However, organizations that build bug bounties “need to be prepared for the worst,” especially if they ask security researchers to take that extra step involving user data, said attorney Whitney Merrill, Asana’s data protection officer and lead privacy counsel.
“You need to be prepared for the consequences of what that might mean for your company [and your legal obligations as a company to potentially do breach notification],” she said. In other words: it’s time to bring the legal team into the discussion.
“Think about what your end-to-end program looks like and where data might leak and consider that when you’re communicating with your stakeholders,” Merrill said. “The first time that your legal team hears about your bug bounty program should not be when you have an issue.”
Also, keep track of your data, including who has copies of it — such as third-party software providers and the bug hunters themselves. For companies that use external bug bounty platforms: “ask them to allow you to set a data retention policy to have more control over your data,” she added.
Don’t send private information over email, Merrill continued. And by all means ask the bug hunters to delete user data, and confirm that they’re not keeping it. ®