Story time, FD. Hopefully I can save someone else from having to deal with the frustration of dealing with Bullhorn.
March 3, 2014 - I observed that SendOuts (owned by Bullhorn) didn't use HTTPS even though it was available, nor HSTS once someone explicitly accessed the https://webconnect3.sendouts.com URL. When I went to notify them on their support forums, I noticed they were running an ancient version of phpBB. A version known to be vulnerable to https://www.exploit-db.com/exploits/16890/ (although I did not attempt to exploit it, because that would be reckless and stupid).

October 23, 2014 - After months without hearing a word in response, I decide to ping them again. This actually got the attention of their director of support.

November 4, 2014 - After more silence, I send an email asking "Am I clear to post my findings on the Full Disclosure mailing list without fear of retributive criminal charges?" Immediately, I get an email from "Andrew Smith | Director, Technical Operations & Security". The conversation goes like this:

Andrew:
> I was hoping to connect with you on having your concerns addressed, C****
> mentioned that these issues are currently scheduled to be fixed, what else
> can we do to help to resolve any of these matters.

Me:
> No additional concerns; I was wondering when it would be safe to publicly
> disclose the concerns I sent to C**** in March.
>
> Namely:
> * Lack of HSTS and/or HTTP->HTTPS rewriting (ever heard of sslstrip?)
> * Outdated phpBB as demonstrated here:
>   http://supportforums.bullhorn.com/docs/ which has this vulnerability:
>   http://www.exploit-db.com/exploits/16890/

Andrew:
> I would like to understand your goals in doing that? Security is a major
> concern for us, but as you know, one that is a constant fight to keep
> current, for any software provider, with exploits and issues as they arise.
> As issues arise, they are prioritized, fixed and deployed. These issues have
> been prioritized and will be deployed as soon as is possible.
>
> I don't understand your motivation for publicly posting these issues, are you
> working with any of our clients at present?

And then I explained the history of full disclosure as it relates to the security industry (really boring), and he said this:

> Thanks for the details, Scott. Yes, we of course use industry standard
> processes for accepting, resolving and notifying all of our clients of bugs,
> both application and security. The worry I have is that, this information is
> delivered by us, the provider, with full explanations of the issues, to the
> clients themselves via bug and issue tracking systems, not via public forums.
>
> Our public forums are a place where our developers and users can gain
> information for using and extending our application, to post bug and security
> fixes there would be misusing the goals of that system.
>
> Thank you for letting us know about the issues and we appreciate your concern.

Finally, they agreed that fixing it is a priority and that Andrew Smith would let me know when it's fixed so that I could go public without fear of causing any damage to Bullhorn or its customers.

Epilogue: They updated their phpBB on November 26, 2014, but never said a word. Liars.

The lessons here?

1. Bullhorn's director of security doesn't understand security.
2. They're a pain in the ass to deal with. If you're looking to help a company with their security, Bullhorn is a bad choice due to the personalities involved.
3. Never trust Bullhorn with sensitive information (SSNs, etc.).

I hope that, by sharing this, I saved someone else from a headache or two.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
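Added example, not part of the original post and not code from Bullhorn or SendOuts: an offline checker for the two transport weaknesses the message above names, a plain-HTTP URL that does not redirect to HTTPS and an HTTPS response without a Strict-Transport-Security header. It works on raw response text so it runs without network access; the sample responses, the host name example.test, and the policy it enforces (max-age of at least one year, includeSubDomains present) are assumptions of this example, not observations from the site in the post.

```python
# Added example (not from the original post): check an HTTP/HTTPS response
# pair for a missing HTTP->HTTPS redirect and a missing or weak HSTS policy.
# All sample responses below are constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list expects


@dataclass
class Response:
    status: int
    headers: dict  # header names lowercased; a repeated header keeps the last value


def parse_response(raw: str) -> Response:
    """Parse the status line and header block of a raw HTTP/1.x response."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # first colon only; URLs keep theirs
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers)


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (RFC 6797 s6.1).

    Directive names are case-insensitive and max-age may be quoted."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit(http_resp: Response, https_resp: Response, min_max_age: int = ONE_YEAR) -> list:
    """Return a list of findings; an empty list means both checks pass."""
    findings = []

    # 1. The cleartext URL must redirect to https://. Without it a first-time
    #    visitor (or anyone who types the bare host) stays on HTTP, which is
    #    exactly what an sslstrip-style attacker relies on.
    location = http_resp.headers.get("location", "")
    if http_resp.status not in REDIRECT_CODES or urlsplit(location).scheme != "https":
        findings.append("HTTP response does not redirect to HTTPS")

    # 2. The HTTPS response must carry HSTS with a useful max-age. Browsers
    #    ignore the header when it arrives over plain HTTP (RFC 6797 s7.2),
    #    so only the HTTPS response is inspected here.
    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit():
            findings.append("HSTS max-age missing or not an integer")
        elif int(d["max-age"]) < min_max_age:
            findings.append(f"HSTS max-age {d['max-age']} below {min_max_age}")
        if "includesubdomains" not in d:  # policy choice assumed by this example
            findings.append("HSTS lacks includeSubDomains (subdomains stay strippable)")
    return findings


# Constructed sample responses, not captures from any real host.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login form</html>"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login form</html>"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")

if __name__ == "__main__":
    for label, h, s in (("weak", WEAK_HTTP, WEAK_HTTPS), ("hardened", GOOD_HTTP, GOOD_HTTPS)):
        print(label, audit(parse_response(h), parse_response(s)) or "OK")
```

The two checks are complementary: the redirect moves a visitor off cleartext, and HSTS stops the browser from ever going back there for max-age seconds. HSTS only takes effect after the browser has seen the header once over HTTPS, so a site that never redirects leaves first visits unprotected even if it later sends the header; submitting the host to the browser preload list is what closes that first-visit window.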
