phoneboy said:

Did I do the right thing disclosing the iSkoot cleartext issue? Discuss.

1 year, 9 months ago.

15 comments so far

  • CAW

    Absolutely. People need to know when they are using insecure software, especially when it can leak their user credentials. iSkoot should frankly be ashamed of themselves.

    1 year, 9 months ago by CAW

  • phoneboy

    I've sent their CEO my packet traces clearly showing the utter lack of SSL they claim to have, at least on Nokia.

    1 year, 9 months ago by phoneboy

  • phoneboy

    But the issue is: should I have told them first? The full vs responsible disclosure debate.

    1 year, 9 months ago by phoneboy

  • constantine

    the badass in me says "fucking a, 0day exploits rock!" the nice guy in me says you should have emailed them before opening your mouth.

    1 year, 9 months ago by constantine

  • cybette

    i would probably have contacted them first, but no use crying over spilled milk. let's see how they rectify the issue and you can do a followup post about that, and include the link to the followup from the original post.

    great post btw, consumers need to be aware of it. and as long as iSkoot learn from their mistakes and do something about it, i'm sure consumers are willing to give them another chance.

    1 year, 9 months ago by cybette

  • bogart

    Absolutely. Personal information and credentials being sent in the clear like this is something all the users should be aware of immediately. If this were some as-yet unknown attack on the application, the argument can be made -unsuccessfully, in my mind- to give the vendor notice for some time before actual public release.

    But even in that case, I would always assume that if one person can discover the vulnerability, so can another, more malicious person. Users are better off with all the available knowledge, rather than being left in the dark.

    At most, a quick note to the vendor saying "hey, I am looking into X" when you first start your research, and at least a note to the vendor concomitant with your public release.

    1 year, 9 months ago by bogart

  • cybette

    while users should be made aware, letting the vendor know asap is also critical for them to react quickly and correct the wrong (assuming they are willing to work on it). even though @phoneboy's blog will reach many iSkoot users, if it reaches just one malicious person, that's one too many. that person might exploit the vulnerability immediately while most users are still deciding what to do with their accounts.

    1 year, 9 months ago by cybette

  • bogart

    I see both sides of the argument when the situation is an heretofore-undisclosed attack. But for this one, the "attack" is simply sniffing the network traffic. Something many, many people are doing already, no matter where you go. As this vulnerability is already being exploited by countless people, it is important to get the information out as far and wide as possible. Hopefully, Wired or CNet will pick this up soon.

    1 year, 9 months ago by bogart

  • phoneboy

    Issue is being rectified. Limited to S60 version. They will issue a new build thru a forced upgrade. Actually, the exposure window not THAT great, but it's the principle. I had help getting the word to the right people, too. :)

    1 year, 9 months ago by phoneboy

  • CAW

    Well, what I'd do now is, test the new release when it comes out. If they've really fixed it, then post that (including a tcpdump snippet to show it). If somehow they don't fix it properly, then at least you have a channel to talk to them now and say "uh, it no workie" and give them a chance to fix it before you post about it again.

    And @cybette: the 'exploit' here is, as @bogart says, just running a packet capture. There are many dragnets out there, including those run by the US guberment, that would collect this stuff straight off. Then they can log into Skype with your credentials, set the online status to appear offline, and they'll get all your chats/etc mirrored to them. So people need to know this is affecting them right now. And furthermore, they need to know to change their password immediately, and stop using iSkoot until the update is released.

    1 year, 9 months ago by CAW

  • cybette

    i never said not to let the consumers / users know. the original question is whether or not the vendor should have been notified first, and i still say yes, even if it's a "hey, here's a heads up, i'm going to post this info on my blog right now."

    and @caw yes, i know what the exploit here is, thank you very much. you're right, users "need to know to change their password immediately, and stop using iSkoot until the update is released." -- it would have helped if @phoneboy's post highlighted this simple fact. not to insult anyone's intelligence, but this temporary solution might have escaped some in the midst of the technical mumbo jumbo.

    1 year, 9 months ago by cybette

  • cybette

    and Dameon, i'm not discounting your efforts in any way! excellent info and followup to the whole thing. thanks.

    1 year, 9 months ago by cybette

  • atmasphere

    catching this late ... you did the right thing and it's great to see they are acknowledging and fixing the problem

    1 year, 9 months ago by atmasphere

  • phoneboy

    Don't worry, I'll be testing. @cybette do we have a packet capture utility for S60 devices?

    1 year, 9 months ago by phoneboy

  • cybette

    @phoneboy: yes we do, i will email it to you

    1 year, 9 months ago by cybette
