SBN

Thoughtless Vulnerability Reporting

Assume you set out to check and download your visa through the
corresponding federal agency website in a country where you’re a
foreigner. Then, amid your curious behavior, to your surprise, you
realize that you can do something you are not supposed to be able to do
on that website. It turns out that you can see and download many other
people’s visas just by making a small change at the end of the URL. What
do you think you should do in this kind of situation? To whom should you
tell this, assuming, of course, that you do not intend to be a
cybercriminal?

Well, such a scenario was recently
faced

by a foreign individual who was about to check his visa (i.e.,
identification document as a foreigner) on the Colombian electronic visa
platform. According to the Colombian news website La Silla
Vacía
(LSV) on
Twitter
,
it was on January 13 when this citizen with a fresh opportunity to
work in this South American country discovered the platform’s issue.
Specifically, this man could access a link through a QR code attached to
his digital visa. And, from there, by changing the final numbers of that
link, he could see and obtain not just his but other people’s visas on
PDF without any restriction.

Perhaps this citizen hadn’t the foggiest idea of the magnitude of the
snag. An estimated 550,000 people had their data in that vulnerable
information system at that time. Therefore, from any of them, our
individual could obtain data such as the following: photograph, full
name, date of birth, nationality, passport number, and job position. By
the way, would this man actually be the first to notice this pitfall?
How long ago did this vulnerability exist? Days, months? Questions with
no answers shared publicly so far, it seems.

Anyway, following up on what was communicated on Twitter by LSV, our
individual in question decided to write emails to the embassy, from
where he got no solution, and then to the Ministry of Foreign Affairs,
to receive no response. How the hell could that be possible? Okay, I
forget for the moment that slow request processing is easy to find in
the bureaucracy almost anywhere. Afterward, the individual allegedly
initiated communication with LSV, and they were able to witness the
security weakness on the electronic visa platform.

That day, January 15, these journalists, apart from doing so on
social networks, published on their
website

‘EVERYTHING’ that was known so far about the issue. What did they do
with their reckless conduct? They brought Christmas early for many
malicious hackers, chiefly in Latin America. LSV revealed a
cybersecurity vulnerability for which there was no implemented solution
at that time. Though censoring URLs and people’s information, they gave
a gif showing the platform error. Were they not aware of the harm they
could be doing? Or were they just hurriedly thinking about their profits
as a media outlet? Again, unanswered questions.

Nevertheless, LSV communicated by chatting the imbroglio to the
appropriate authorities at the Ministry. This entity then said to LSV
that it would soon remediate the vulnerability and, hours later,
published a terse official
bulletin

on the subject (see Figure 1). However, it seems they did not suggest
LSV remove the posts that were not far from looking like cybercrime
incentives. Data that by law is supposed to be protected was at the
mercy of many cunning individuals with obscure intentions of committing
frauds such as identity theft and extortion. The next day (I don’t know
how much time they disabled the platform service), the Technology
Directorate closed the breach, and the Ministry distributed a new
bulletin
,
only one sentence long.

Report

Figure 1. Taken from cancilleria.gov.co.

How many attackers could have taken advantage of this vulnerability?
What image of Colombia’s national security does this event provide to
foreigners? Are there
similar

problems in this government’s systems (using the same technology) that
have not been solved? Engaging questions, although I would like to keep
focused on the vulnerability reporting issue at this point.

As Oakley for
GlobeLiveMedia

said, some other people were also rejecting the publication by LSV. I
repeat: they could have been calling for cybercrime! Their behavior was
not appropriate or judicious in terms of disclosing an IT system
vulnerability. However, before that, our individual should not have gone
beyond failed communication with a couple of authorities to share his
findings with a journalistic group. As suggested by Rafael Alvarez,
Fluid Attacks' CTO, this man should have tried repeatedly to establish
a conversation with the Ministry. Finding no response or being ignored,
his next step should have been to contact an intermediary, such as the
police.

Or, in his possible ignorance of what to do, why not resort to Google?
This individual could easily have found the colCERT
website
, where people in Colombia can
report cybercrime and related incidents. (Although, for example,
Carolina
Botero
,
director of the Karisma Foundation, disqualifies this site for the
appropriate reporting of vulnerabilities.) However, already in the hands
of the media, continually looking for traffic generation, we could
hardly expect responsible handling of this kind of data. “Unfortunately
—as Rafael said—, the search for fame by newspapers or pseudo-hackers
always takes prisoner the common good, which in reality is what matters
most here.” LSV should have transmitted the event to the authorities and
then waited long enough for the problem to be resolved before publishing
the story. Those affected had to be informed in detail later, but mainly
by the organization responsible for their data storage.

Reading the
ISO/IEC 29147:2018 (about
which I may emphasize more on a future occasion), a standard concerning
‘vulnerability disclosure,’ we find the following: “The goal of
vulnerability disclosure is to reduce the risk associated with
exploiting vulnerabilities.” Reduce the risk! In the end, in this case,
none of the parties involved succeeded in doing so. It is real that the
Ministry made a mistake with its IT infrastructure that kept the data of
thousands of foreigners on exposure. But, for their part, the
journalists made the situation public, conveying an implicit message:
these people are in deep trouble, but it doesn’t matter if they get
screwed even more; the right to information (and our recognition) must
be above other principles
.

Finally, as Rafael said, opportunities for improvement for organizations
such as the Ministry arise in cases like this one where there were
technical or methodological security failures. It is also true that
companies responsible for their security should pay more attention to
the management of reports and the implementation of standards (see ISO’s
IT Security‘). In general, we
could overcome the lack of knowledge on vulnerability reporting with,
for instance, what
Botero
recommended: the establishment of an easily accessible state-coordinated
disclosure channel for the secure and transparent transmission of
information.

If you find yourself in a situation similar to that of the
aforementioned foreign citizen, do not forget the following: (1)
Accessing third parties’ sensitive data is a crime. (2) There are
intermediaries such as the police who can help. (3) Social networks
are not the right place to report a vulnerability. On the other hand,
all of us should strive to be more aware of the harm our actions can
cause to others. That would be a good start to respond to some signs of
unheeded moral principles.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/thoughtless-reporting/