Did I do the right thing disclosing the iSkoot cleartext issue? Discuss.
2 months, 1 week ago.
15 comments so far
Absolutely. People need to know when they are using insecure software, especially when it can leak their user credentials. iSkoot should frankly be ashamed of themselves.
2 months, 1 week ago by CAW.
I've sent their CEO my packet traces clearly showing the utter lack of SSL they claim to have, at least on Nokia.
2 months, 1 week ago by phoneboy.
But the issue is: should I have told them first? The full vs responsible disclosure debate.
2 months, 1 week ago by phoneboy.
the badass in me says "fucking a, 0day exploits rock!" the nice guy in me says you should have emailed them before opening your mouth.
2 months, 1 week ago by constantine.
i would probably have contacted them first, but no use crying over spilled milk. let's see how they rectify the issue and you can do a followup post about that, and include the link to the followup from the original post.
great post btw, consumers need to be aware of it. and as long as iSkoot learn from their mistakes and do something about it, i'm sure consumers are willing to give them another chance.
2 months, 1 week ago by cybette.
Absolutely. Personal information and credentials being sent in the clear like this is something all the users should be aware of immediately. If this were some as-yet unknown attack on the application, the argument can be made -unsuccessfully, in my mind- to give the vendor notice for some time before actual public release.
But even in that case, I would always assume that if one person can discover the vulnerability, so can another, more malicious person. Users are better off with all the available knowledge, rather than being left in the dark.
At most, a quick note to the vendor saying "hey, I am looking into X" when you first start your research, and at least a note to the vendor concomitant with your public release.
2 months, 1 week ago by bogart.
while users should be made aware, letting the vendor know asap is also critical for them to react quickly and correct the wrong (assuming they are willing to work on it). even though @phoneboy's blog will reach many iSkoot users, if it reaches just one malicious person, that's one too many. that person might exploit the vulnerability immediately while most users are still deciding what to do with their accounts.
2 months, 1 week ago by cybette.
I see both sides of the argument when the situation is a heretofore-undisclosed attack. But for this one, the "attack" is simply sniffing the network track. Something many, many people are doing already, no matter where you go. As this vulnerability is already being exploited by countless people, it is important to get the information out as far and wide as possible. Hopefully, Wired or CNet will pick this up soon.
2 months, 1 week ago by bogart.
Issue is being rectified. Limited to S60 version. They will issue a new build thru a forced upgrade. Actually, the exposure window is not THAT great, but it's the principle. I had help getting the word to the right people, too. :)
2 months, 1 week ago by phoneboy.
Well, what I'd do now is, test the new release when it comes out. If they've really fixed it, then post that (including a tcpdump snippet to show it). If somehow they don't fix it properly, then at least you have a channel to talk to them now and say "uh, it no workie" and give them a chance to fix it before you post about it again.
And @cybette: the 'exploit' here is, as @bogart says, just running a packet capture. There are many dragnets out there, including those run by the US guberment, that would collect this stuff straight off. Then they can log into Skype with your credentials, set the online status to appear offline, and they'll get all your chats/etc mirrored to them. So people need to know this is affecting them right now. And furthermore, they need to know to change their password immediately, and stop using iSkoot until the update is released.
2 months, 1 week ago by CAW.
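CAW's suggestion above is to verify the fixed build with a packet capture rather than take the vendor's word for it. The following is an added example of how that verification can be automated; it is not code from the thread or from iSkoot. It reads a libpcap file whose records are written with link type 147 (DLT_USER0, a value libpcap reserves for private use) and, by the constructed convention assumed here, carry the application payload directly, so no Ethernet/IP/TCP decoding is needed. Each payload is classified as a TLS record (by its record header) or inspected for credential fields in cleartext. The two sample captures, the field names and the credential values are all constructed for the example.

```python
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian libpcap magic, microsecond timestamps
DLT_USER0 = 147           # libpcap link type reserved for private use; assumed here: raw app payload

# Credential fields we expect to see if the client still logs in over plaintext.
# Constructed for this example; a real check is tuned to the app's own login protocol.
CREDENTIAL_PATTERNS = [
    ("username", re.compile(rb"(?i)(?:^|[&?\s])(?:user(?:name)?|login)=[^&\s]+")),
    ("password", re.compile(rb"(?i)(?:^|[&?\s])(?:pass(?:word|wd)?|pwd)=[^&\s]+")),
    ("basic-auth", re.compile(rb"(?i)^authorization:\s*basic\s+\S+", re.M)),
]


def build_pcap(payloads):
    """Build an in-memory libpcap file (DLT_USER0) from a list of raw payloads."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_USER0)
    body = b"".join(
        struct.pack("<IIII", 1_700_000_000 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(payloads)
    )
    return header + body


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, payload) for every record in a libpcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    _vmaj, _vmin, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from("<HHiIII", data, 4)
    if linktype != DLT_USER0:
        raise ValueError(f"expected link type {DLT_USER0} (raw payload records), got {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        payload = data[offset:offset + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated record at end of capture")
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, payload


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header: content type 20-23, version 3.x."""
    return (len(payload) >= 3
            and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03
            and payload[2] <= 0x04)


def find_cleartext_credentials(payload: bytes):
    """Return the names of credential fields visible in cleartext in one payload."""
    if looks_like_tls(payload):
        return []  # encrypted records never match; the ciphertext is opaque
    return [name for name, pattern in CREDENTIAL_PATTERNS if pattern.search(payload)]


def audit_capture(data: bytes) -> dict:
    """Summarise a capture: record counts, TLS record count, and every cleartext leak found."""
    records = list(parse_pcap(data))
    tls_records = 0
    leaks = []
    for index, (ts, payload) in enumerate(records):
        if looks_like_tls(payload):
            tls_records += 1
            continue
        hits = find_cleartext_credentials(payload)
        if hits:
            leaks.append({"record": index, "time": ts, "fields": hits})
    return {"records": len(records), "tls_records": tls_records,
            "leaks": leaks, "fixed": not leaks}


# Constructed sample captures: a plaintext login before the fix, TLS records after it.
BEFORE_FIX = build_pcap([
    b"GET /login?user=alice&pass=hunter2 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n\r\nwelcome",
])
AFTER_FIX = build_pcap([
    bytes([0x16, 0x03, 0x01, 0x00, 0x2A]) + b"\x01" + b"\x00" * 41,  # handshake record (ClientHello stub)
    bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + b"\xde\xad" * 8,         # application-data record
])

if __name__ == "__main__":
    for label, capture in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, audit_capture(capture))
```

A capture that shows only TLS records proves the client encrypts, not that it verifies the server's certificate; that second property has to be checked separately, for instance by pointing the client at a test server with an untrusted certificate and confirming it refuses to connect.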
i never said not to let the consumers / users know. the original question is whether or not the vendor should have been notified first, and i still say yes, even if it's a "hey, here's a heads up, i'm going to post this info on my blog right now."
and @caw yes, i know what the exploit here is, thank you very much. you're right, users "need to know to change their password immediately, and stop using iSkoot until the update is released." -- it would have helped if @phoneboy's post highlighted this simple fact. not to insult anyone's intelligence, but this temporary solution might have escaped some in the midst of the technical mumbo jumbo.
2 months, 1 week ago by cybette.
and Dameon, i'm not discounting your efforts in any way! excellent info and followup to the whole thing. thanks.
2 months, 1 week ago by cybette.
catching this late ... you did the right thing and it's great to see they are acknowledging and fixing the problem
2 months, 1 week ago by atmasphere.
Don't worry, I'll be testing. @cybette do we have a packet capture utility for S60 devices?
2 months, 1 week ago by phoneboy.
@phoneboy: yes we do, i will email it to you
2 months, 1 week ago by cybette.