I’ve been away for a while. Between my day job and long nights doing research in my personal time, I haven’t done much bug bounty work lately. Most of what I have done falls under NDAs. Though, a certain security vendor will be fixing a large number of my bugs very soon, and looks to be giving me credit. But all that is an aside from what is bringing me back to writing.
Roughly two months ago I found a vulnerability in a subdomain belonging to Ubiquiti Networks. This was the laughable kind of vuln. Think default-credential bad. But more in line with the OSCP *cough cough*. In a nutshell, this subdomain allowed me to log in as the admin user. The disclosed finding on HackerOne can be found here. See below for a screenshot of logging in as admin.
Interesting find, right? I can log in as an admin user to a subdomain. I thought it was interesting at least. So I submitted the finding. What follows is a conversation that may or may not be related (I cannot disclose with certainty, to protect my account – so make up your own mind):
Where I’m from, weak credentials equal unauthorized access. Regardless of what you access, you are unauthorized. But appeals to logic and decent human nature failed me. Perhaps some persistence? Below, the conversation (with unconfirmed relevancy) continues, but rather one-sided:
Note that at the time I write this, Ubiquiti Networks also decided this subdomain didn’t need to be present. That’s right, they removed it in light of this finding. Go ahead, go to nutty.ubnt.com
What are you waiting for? Give it a shot! It doesn’t resolve, you say? Strange timing… almost… suspicious?
OK, full disclosure. They didn’t decide to disclose on their own. I appealed to HackerOne to intervene (for a second time). And hence the link to the public disclosure at the beginning of this post. But what do they do when they finally disclose? They explain it as:
The researcher found a weak password in the site nutty.ubnt.com, but the system does not differentiate between authenticated and non-authenticated users. The researcher was not able to provide a PoC that could expose any vulnerability, so the report was closed “Informative”.
So they finally admit it was a weak password, but still will not explain how the system does not differentiate authenticated users. Yet I showed them accounts that DO NOT authenticate, which breaks this argument in two. If the site did not differentiate, then I would have gotten the same responses and functionality regardless of the account used (or even anonymously, as possibly claimed above, assuming it’s a relevant dialogue, which I cannot attest to one way or another…). I did not see this to be the case.
Any guesses where this leaves me? Discredited. Without a bounty. And worst of all, in my opinion, unprotected by HackerOne. Where is the mediation? The checks and balances preventing programs from lying about the validity of findings? I had another finding with UBNT that was RCE (using a recently released 0day, no less), yet when I showed evidence, they acknowledged it at first, then quickly recanted, saying they were already patched. I could not reproduce it afterward, which points to them correcting the issue in an attempt to bury the vuln.
I strongly encourage other bug hunters to share similar situations, as I’m sure I’m not alone. By all means, comment here, or on Twitter (#hackerone). This has happened over a half dozen times (across multiple programs), and yet HackerOne has no protection in place for either the hackers or their very own platform. Cheating us cheats them. Yet they do not have any means, nor any apparent interest, in safeguarding ALL parties involved.
In an industry where legality is of the utmost importance, how much confidence should we hold in HackerOne if they won’t even safeguard their own bottom line? Why would they ever step out to protect us in our efforts financially, or worse, legally?
Please comment or tweet (#hackerone).