Ask HN: I know how to reset any Nexmo.com account, but nobody cares
I tried to figure out how to contact them about the security vulnerability, they don't have a dedicated site about security nor how security researchers can contact them, like Github and many others have (https://help.github.com/articles/github-security/). Which make me think about how important security is to that company, but anyway.
So I ended up writing to their general-purpose support email address describing that I've found a highly severe security vulnerability related to password resets and would like to get in touch with someone from their IT security department or similar. And here's what they replied:
"Thanks for your email - this challenge has finished already, but we appreciate you contacting us."
Wait ... this "challenge" has finished already? What the serious f*?!
So I replied and explained to them that my inquiry isn't about a "challenge" but a serious security hole on their site.
Finally, it seemed that they understood what I wanted and they replied with the following:
"Thanks for letting us know about this, as a result of your email we are investigating it internally. If we need any further information from you we will let you know."
The reply seemed a bit weird to me. Why don't just get in touch with me so I can explain the vulnerability? I respected their answer.
As of today, the security vulnerability is still present. How can you as a company just simply not even care about security and customer information?
So HN, what should I do? Just forget about it?
59 comments
[ 2.8 ms ] story [ 249 ms ] threadAlso, notify any companies that you know use the service. They may have some requests to make of the compromised company, as well.
[1]: https://hackerone.com/
On Nexmo's leadership page[0] I found their CTO, Eric Nadalin. A little LinkedIn search got me his profile[1]. Searching his name shows a lot of sites that would allow you to reach out to him (e.g. AngelList, Facebook, Twitter, etc.)
If that does not work, try reaching out to some of the companies that are Nexmo's clients. Even if Nexmo does not care, you can be sure that most of their clients will care, and they will definitely have the attention of Nexmo.
[0] https://www.nexmo.com/company/leadership/
[1] https://www.linkedin.com/in/enadalin
They either don't care or have a long list of higher-priority issues than this. Either way, nothing you can do.
Even looking for vulnerability's in software running on servers that aren't controlled by you without permission is very legally sketchy.
Whether or not you should do so or not for the good of the internet is a different argument, but you should be aware of the potential implications.
- Your website has no security page and setting this up is such a low priority that you have no ETA on when /security might exist.
- You instead use a third party service to manage your security disclosures. Yet, you don't link to this site from your website.
- A researcher tries to contact you again and again. He gets no reasonable response so after several months he posts on Hacker News.
The Hacker News post finally gets a response, yet you expect us to believe that you care about security???
Assume for the sake of argument that Nexmo is based in the UK. Using this exploit to access someone else's Nexmo.com account would be a violation of the Computer Misuse Act.
Writing a blog post detailing exactly how you achieved this would be a public admission of violating the Computer Misuse Act.
Another example: Person A publishes instructions detailing how to exploit this issue. Person B follows the steps, and causes financial harm to Nexmo. Nexmo sues Person B for exploiting their systems, and also names Person A in the lawsuit because their publication led directly to Person B's actions.
I'm not certain either of these cases would hold up in court, but there is certainly a risk that Nexmo would take the second approach. In the OP's shoes, the safest thing is not to publish. I'm not saying that's the right choice - just the safest from a legal perspective.
They then take time to repeatedly contact you with sufficient documentation and the offer for more of their time for free to walk you through it. Twice. Security consultants get paid a lot of money and this service is offered for free of charge because of some hackers curiosity.
The next step is not usually full disclosure but often, "I have written this blog post detailing the vulnerability and intend to post it in N days unless I hear from you" Then it is pretty fair game for full disclosure.
Yes there are companies that don't care about security. Often these mean that the software was built or operated by people with an agency/consulting background who care more about whether the software works.
That said, my point is moot since it's a bug in a security fix. From the other comments Nexmo is going through some growing pains as it transitions into the enterprise and their IT department is struggling with prioritization.
"Hi
I would like to inform you about a critical security vulnerability on your site.
The vulnerability allows an attacker to reset the password of an account by simply knowing the targets email address.
Please reply with a signed S/MIME message and I will precisely explain the vulnerability to you.
Kind regards, ..."
It's bad. But it's still reasonable to not assume the worse. Email the CEO or try to reach some developer on LinkedIn or Twitter.
May I suggest an email which establishes your credentials and gives a bit more details - without necessarily telling a customer service agent the full details.
For example:
> My name is Bob, I'm a security researcher at FooCorp. I've discovered a serious security vulnerability with your XYZ system. It is possible to reset customers' accounts without any authorisation. I've been able to replicate this on test account abc@123. I think this is caused by a misconfigured widget. Please can you forward this message on to your head of security. You can see my previous security work at http://....
Something like that may be more likely to get some positive attention.
I'd leave that out unless you're confident the company isn't going to screw you. Speaking from experience.
Sending a company proof that you've accessed a security hole (e.g. demonstrating it to them) can and has been prosecuted against has a hacking attempt and/or unauthorized access.
This is something every security researcher should know, and not necessarily pejorative against Nexmo in particular.
The parent was offering general advice for working with companies, and I was offering a general observation about that advice (namely, don't admit to technically-a-crime unless you know you're working with someone in good faith). Nothing personal, and it sounds like you guys have handled things professionally :-)
Edit: In particular and to clarify, my negative experience was not with your company.
Try WHOIS, you'll hopefully reach someone tech-savy enough to discuss with.
@danielhepper This was reported back in May and was since resolved. If you have any concerns please contact us at support@nexmo.com.[1]
Maybe they fixed another security issue as they never inquired about the security hole you found. Which you suggest is still present.
[1] https://twitter.com/Nexmo/status/624582630126813184
This is why I love HN.
Also, I would like to respond to the complaints that "we don't care about security". This is simply not true and we even use a bug bounty reward program. We do care and we accept reports through https://cobalt.io/ (ex CrowdCurity), so if you share with us your username/email on cobalt, we can add you to our program.
I totally agree we fucked up handling your report better back in may. I hope you are still willing to work with us!
I'm so happy I finally have a person to talk to that seems to understand me.
Thanks for providing me the link to cobalt.io. I've never heard of that platform before. I just registered. My username is sebi
I'd think it would strengthen the position that you care about security if you would dedicate a page on your site to security. Would really like to see something like that. Not only as a security researcher, but also as a customer of yours.
Depending on the application, the amount of resources you should be expending on security is often times multiple times what a naive person would expect. Security is tricky and subtle, and most people don't realize how wrong they are when it comes to doing things securely.
This is last 7 days:
http://i.imgur.com/QhyMgCX.png
They have now also added a link "Report Vulnerability" in the footer of nexmo.com linking directly to the program, making it easy for everyone to find it.
You can read more about there work with us here if you are interested: https://cobalt.io/case-studies/nexmo
(1) disclose privately (2) wait either 120 days or until the vulnz iz fxd (3) leak it 2 the world
serves them right for being a *.