Ubiquiti Networks Covers Up Vulnerability and HackerOne Inadequate for Intervention

I’ve been away for a while.  Between my day job and long nights doing research in my personal time, I haven’t done much bug bounty work lately.  Most of what I have done is falling behind NDAs.  Though, a certain security vendor will be fixing a large number of my bugs very soon, and looks to be giving me credit.  But all that is an aside from what is bringing me back to writing.

Roughly two months ago I found a vulnerability in a subdomain belonging to Ubiquiti Networks.  This was the laughable kind of vuln.  Think, default credential bad.  But more in line with the OSCP *cough cough*.  In a nutshell, this sub domain allowed me to login as the admin user.  Disclosed finding on hackerone can be found here. See below for a screenshot of logging in as admin.

Interesting find right?  I can login as an admin user to a sub domain.  I thought it was interesting at least.  So I submit the finding.  What follows is a conversation, that may or may not be related (I cannot disclose with certainty to protect my account – so make up your own mind):

Where I’m from, weak credentials equals unauthorized access.  Regardless of what you access, you are unauthorized.  But appeals to logic and decent human nature failed me.  Perhaps some persistence?  Below, the conversation (with unconfirmed relevancy) continues, but rather one sided:

Note that at the time I write this, Ubiquiti Networks also decided this subdomain didn’t need to be present.  That’s right, they removed it in light of this finding.  Go ahead, go to nutty.ubnt.com

What are you waiting for?  Give it a shot!  It doesn’t resolve you say?  Strange timing….almost…suspicious?

OK, full disclosure.  They didn’t decide to disclose on their own.  I appealed to HackerOne to intervene (for a second time).  And hence the link to the public disclosure at the beginning of this post.  But what do they do when they finally disclose?  They explain it as:

The researcher found weak password in the site nutty.ubnt.com, but the system does not differentiate between authenticated and non-authenticated users. The researcher was not able to provide a PoC that could expose any vulnerability, so the report was closed “Informative”.

So they finally admit it was a weak password, but still will not explain how the system does not differentiate authenticated users.  Yet I showed them accounts that DO NOT authenticate.  Which breaks this argument in two.  If the site did not differentiate, then I would have gotten the same responses and functionality regardless of account used (or even anonymous as possibly claimed above, assuming it’s a relevant dialogue, which I cannot attest one way or another….).  I did not see this to be the case.

Any guesses where this leaves me?  Discredited.  Without a bounty.  And worst of all, in my opinion, unprotected by HackerOne.  Where is the mediation?  The checks and balances preventing programs from lying about the validity of findings?  I had another finding with UBNT that was RCE (using a recently released 0day no less), yet when I showed evidence, they acknowledged at first, then quickly recanted saying they were already patched.  I could not reproduce afterward.  Pointing to them correcting the issue in an attempt to bury the vuln.

I strongly encourage other bug hunters to share similar situations, as I’m sure I’m not alone.  By all means, comment here, or on twitter (#hackerone).  This has happened over a half dozen times (across multiple programs), and yet HackerOne has no protection in place for either the hackers, nor their very own platform.  Cheating us, cheats them.  Yet they do not have any means, nor any apparent interest in safeguarding ALL parties involved.

In an industry where legality is of the utmost importance, how much confidence should we hold in HackerOne if they won’t even safeguard their own bottom line?  Why would they ever step out to protect us in our efforts financially, or worse, legally?

Please comment or tweet (#hackerone).

Top 3 Ways To Fail As A Technical Recruiter

Quick disclaimer.  I am not actively looking for a new job.  I have a solid salaried gig that pays well and allows for a very accommodating work/life balance.  But that doesn’t mean I don’t still ‘collect’ contact information with solid recruiters in case the shit hits that fan.  So when I get contacted about jobs, 99% of the time I am already going to say ‘not interested’.  But politely, and I will take some time to build a bit of rapport in case I need to talk to the person again in the future.  But…this describes the idealistic scenario that rarely occurs.  The reality of what I experience with unsolicited recruiters is far from amicable.  In fact, I have begun to have an anxiety response before ever speaking to most of them.

I started asking myself, why am I so upset about people trying to find me work?  Well after a very brief examination of my experiences, a few major gripes covered almost all of my experiences with technical recruiters.  Those who are the exception to what I list below, are not only going to hear back from me if/when I am back on the market, but will easily get referrals for my friends/colleagues. If that is what you are looking for when recruiting for technical positions, then you better pay attention and take this to heart.  After asking around, I am not alone in this, and my responses are often (unbelievably) more tasteful than some of the anecdotes I have heard from friends.

 

NUMBER 1: Don’t speak clearly or effectively

A typical week for me would not be complete without roughly a half dozen unsolicited phones calls about positions. This sounds like a large amount of unrealized opportunities right?  Well, you got the unrealized part right, but not for the reasons most would think.  The reality is that nearly all phone calls I receive about new positions are completely unintelligible.

aaeaaqaaaaaaaaanaaaajdbiy2uzyzkwlwvhzgqtndc3mi1inty3ltq2yze3yjy1yjcwmgNote that this doesn’t mean I have to listen to the message two or three times to discern what is being said.  I mean literally unintelligible.  If it weren’t for the different numbers, and clearly different voices and dialects, I would think I was getting trolled or pranked.  Because I cannot understand what the majority of these callers are saying, I have just begun to ignore calls from recruiters, and if I can’t understand the first few words in the voice mail message when played back, it gets deleted outright.  A typical voicemail, and again I get about a half dozen of these a week, sounds like this:

“HHHHaslo, ez eez yeshmal galbreek <unintelligible words mixed with crumpling paper sound> position <whispered and unintelligible>”

As I was trying to write that out I just gave up trying to translate.  And that right there is the problem.  I am literally trying to translate it and the message is still not discernible.

So let me repeat that I receive at least a half dozen of these a week.  At this point, I see a number I don’t recognize and my blood pressure goes through the roof.  Stop, just STOP.

  • Don’t farm out recruiters
  • Don’t take a phone gig in a language you are not fluent
  • Do email.  It’s easy, and audio technical difficulties and accents are much less of a problem

NUMBER 2: Don’t understand the sector for which you are recruiting

This is disturbingly common.  It would appear that people get into recruiting thinking it will be easy money and most jobs are interchangeable.  Maybe that happens in other sectors, but I seriously doubt it.  And with technology I can speak with utter certainty that this isn’t the case.  Because I believe examples and metaphors are the best way to convey a concept, let’s look at a recent conversation I had.

Before I stopped accepting calls from unrecognised numbers and while I was still actively looking for work, I answered one such call and the conversation went like this:

Me:  Hello?

Caller: Good Morning Mr. <blank>, how are you this morning?

Me:  Um, I’m good…..

Caller:  That’s nice to hear! I’m calling about an amazing opportunity we have with a client, and I was wondering if you are currently looking for a new position?

Me:  Actually I am at the moment.

Caller:  Excellent!  It’s a three month contract for <company>, doing quality assurance!  I see that this kind of work is on your resume and thought you would be an amazing fit!

Me: …oh….ah….well, that was about 10 years ago, and would be a massive step back in my career.  It’s not remotely what I do now.

Caller: <a few seconds of silence>…I haven’t even gotten to the best part.  It pays $15 an hour!  That’s good money!

Me: <unable to stifle the laughter> That’s so below what my going rate I can’t…I…wow, no.

Caller: Really?!

Me:  …ah…ya.  So like I said, I did that work over 10 years ago.  I work in information security now.  I can’t even remotely entertain that kind of a step back.

Caller:  How much of a step back is that really?  I mean it’s the same kind of work.

Me:  …so I’m actually going to hang up the phone now.  I would highly advise you to research the industry a little more before cold calling people.

<I hung up>

less-is-moreFor those not in the know, pen testing is in the range of 75k to 150k depending on experience and credentials (read certifications).  At $15/hour this guy was pitching me a $30k/year job and treating it like it was the holy grail.  This is all after he failed to recognize that he was pitching a job from 10 years back in my career, and failing to recognize that what I do now is not remotely the same as what he was pitching.

If this were an isolated incident it would be a humorous anecdote at best.  But….it’s not an isolated incident.  I have had conversations like this, mostly over email now, over a dozen times.  That’s a trend folks.  A clear cut sign of laziness.  Don’t just think that he’s screwed up by pitching me a job incorrectly, but think about how this represents him as a recruiter.  He was lazy and uninformed.  Do I want that person looking for work for me?  Do I want that person representing me?  Hell no.  Don’t be this guy.

  • Don’t be lazy about reading and comprehending resumes.  A couple hours of reading about an industry can ratchet up your success rate by filtering appropriately
  • Don’t be delusional/arrogant about who you are or what you know or what you have to offer
  • Do take the time to find a solid fit, or at least approach it differently (“I see you haven’t done this in a while, but thought why not try?”, will go much further for longevity of interaction, and actually something I encountered from a recruiter with whom I still speak to this day, primarily because of using that approach)

 

NUMBER 3: Don’t recognize time zones

Assuming I come across a recruiter and there is a need to interact long term, this next one has been a major problem in the p ast.  Not so long ago I found myself looking for work with a bit of an intense drive.  I felt I needed a new position immediately and was willing to overlook several issues just to have more opportunities.  Along came one such opportunity that actually sounded great and not like I would have to settle for a lesser position just to get a pay check.9cedc5066c87efc1c09dffe668c6adf919500a34b9cb337a3afff7aa1622f6fc

The initial outreach was over linkedin and email.  After a couple messages I was handed off to a ‘lead recruiter’ to facilitate interaction with their client.  The next morning, at 5am local time, my phone began to ring.  Turns out, the recruiter is on the east coast, and I’m on the west coast.  And more importantly they did not see me as a person but a name on a list that would potentially convert into a commission.  Nothing else.  This sounds jaded and/or cynical, but the reality is that this wasn’t an isolated incident.

After apologizing to me after I enlightened him about what it meant to be 3 hours earlier, he continued to forget about the time zones no less than 3 more times over the stretch of two weeks.  The fourth incident saw no apology or recognition.  It became clear he just didn’t care, and expected everyone (me) to be at his beck and call.  I was highly motivated for a new job, and yet I told him to stop calling me.  It wasn’t worth the stress of the interaction, and more so, I realized that if he was this inattentive with me, then representing me to the client was going just as dismally.

No thanks.  Don’t need that, don’t need you if this is your mentality. Let me reiterate, I was highly motivated to find work, and was willing to risk losing the opportunity because this person was so awful.

  • Don’t expect you’re clients (on either side) to cater to you, you are the one offering a service, we are the customers, cater to us
  • Don’t treat you’re clients like expendable fodder for your bank account
  • Do think of us as what we are, people.  With lives of our own
  • Do be personable and compassionate (pretend to be a friend if you have to)