Effective use of a bug bounty program is one of the most effective methods companies use to secure their information and prevent data leakage. A bug bounty program rests on the principle of rewarding security researchers who find vulnerabilities in a company's services and applications within the company's stated policy and rules. This model not only improves the security of applications and services worth millions of dollars but also prevents possible data leakage by getting vulnerabilities removed.
Hundreds of international companies that are aware of cyber security issues and value their customers' personal information use this kind of service. Companies such as Google, Microsoft, PayPal, Facebook and Tesla Motors run bug bounty programs that cost them millions of dollars. The amounts Google pays according to the type of vulnerability are given in the following table.
The fundamentals of this model rest on the good will of security researchers, because there is always the risk that such critical vulnerabilities are instead sold to criminal organisations, intelligence agencies or competitors for very high prices. Therefore it is to a company's advantage to use this method effectively rather than abuse it. Otherwise the only losers are the companies with turnovers of millions of dollars and the customers whose privacy has been violated. One should keep in mind that it is because of hackers that cyber security becomes both more secure and less secure. Although motivation is an important part of it, the bug bounty model is a very good opportunity. It is far more efficient for companies to let thousands of security experts examine their data security than to hand it over to a few security services or products alone. Responding quickly to incoming reports and taking the necessary precautions is an efficient way to ensure security.
Companies allocate huge budgets to ensure that the products and services they provide are highly secure, because any security breach may result in financial loss and, more importantly, loss of reputation. The biggest mistake companies make is that their cyber security precautions generally depend on products and/or brands. Note that security is both a living process and an ongoing culture within that process.
So far I have discussed the importance of bug bounty programs in securing applications, services and products. From this point on I will explain what WhatsApp, which has more than 900 million active users, has done about the application vulnerabilities reported to the company.
During my security analysis on 6 May 2014 I found a critical-level vulnerability on the media servers (media.whatsapp.com) of the WhatsApp application, and on the same day I reported all the details to the company's relevant units even though they did not have a running bug bounty program. The vulnerability was an LFI (Local File Inclusion) that gave access to critical files on the application server, such as "/etc/passwd" and "/var/log/lastlog". You will only be disappointed if you try to imagine what kind of reward a company with 900 million users, sold to Facebook for 19 billion dollars, might give in exchange for such a critical vulnerability. It is hard to believe, but no reply was ever sent to my e-mails, although the weakness was removed within one hour of my sending the vulnerability notification to the company. WhatsApp did not even bother to thank me for reporting this critical vulnerability, which helped to secure millions of customers, and this made me think negatively about WhatsApp's reputation. The problem is not that a company investing millions of dollars had a critical gap, but the company's negative attitude.
Vulnerability: LFI (Local File Inclusion)
Video & Screenshot:
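The LFI described above is the classic pattern of a file name taken from the request and joined onto a base directory. The following Python is an added example written for this article, not WhatsApp's code; the media directory `MEDIA_ROOT`, the allowlist regex and the access-log lines are constructed assumptions. It shows the vulnerable resolver beside a hardened one (allowlist plus a strict containment check), and a small detection routine a defender can run over access logs to spot traversal attempts, including URL-encoded ones.

```python
import posixpath
import re
from urllib.parse import unquote

MEDIA_ROOT = "/srv/media"  # constructed: hypothetical directory the media server serves from
# Allowlist: opaque file names only, no directory components, a fixed set of extensions.
MEDIA_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif|mp4|ogg)$")


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside MEDIA_ROOT."""


def vulnerable_media_path(name: str) -> str:
    # The LFI pattern: untrusted input joined straight onto the base directory.
    # A name of '../../etc/passwd' normalises to '/etc/passwd'.
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, name))


def safe_media_path(name: str, root: str = MEDIA_ROOT) -> str:
    """Hardened resolver: NUL bytes, non-allowlisted names and anything that
    normalises to a location outside root are rejected."""
    if "\x00" in name:
        raise PathTraversalError("NUL byte in file name")
    if not MEDIA_NAME_RE.fullmatch(name):
        raise PathTraversalError(f"name not in allowlist: {name!r}")
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: even if the allowlist is relaxed later, the resolved
    # path must stay strictly under root (so '/srv/media2/...' cannot pass).
    if not candidate.startswith(root.rstrip("/") + "/"):
        raise PathTraversalError(f"path escapes media root: {name!r}")
    return candidate


# Strings whose presence in a decoded request path warrants an alert.
TRAVERSAL_MARKERS = ("../", "..\\", "/etc/passwd", "/var/log/")


def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_path) for requests that look like traversal
    attempts. The path is URL-decoded twice so double-encoded '%252e' is seen."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)  # assumes combined log format
        if not m:
            continue
        path = unquote(unquote(m.group(1)))
        if any(marker in path for marker in TRAVERSAL_MARKERS):
            hits.append((n, path))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/May/2014:10:00:01 +0000] "GET /media/cat.jpg HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/May/2014:10:00:02 +0000] "GET /media/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1820',
    '203.0.113.5 - - [06/May/2014:10:00:03 +0000] "GET /media/%252e%252e/%252e%252e/var/log/lastlog HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_media_path("../../etc/passwd"))
    print("safe:", safe_media_path("cat.jpg"))
    try:
        safe_media_path("../../etc/passwd")
    except PathTraversalError as exc:
        print("rejected:", exc)
    for n, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"alert: log line {n} -> {path}")
```

The allowlist is the primary control; the containment check is there so that a later relaxation of the allowlist (for example to permit subdirectories) does not silently reintroduce the traversal. The log check is deliberately simple and is meant as a starting point for a detection rule, not a complete WAF.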
On 27 December 2015 one of our team members, "@sistemhatasi0", was able to log into the web application on "translate.whatsapp.com" as an administrator and took control of the whole web management interface after performing some security analysis of the system. Despite the critical nature of the vulnerability, and although our security expert informed their staff by e-mail and social media messages, it interestingly took them two days to take action.
This application is a platform with 200,000 members who enter translations of the application's texts into other languages, or alternative wordings of them. People from all around the world, speaking different languages, translate the entered texts. The administrator basically checks and approves the translations. However, because of the system's weakness, you were able not only to approve translations but also to change them. In addition, the weakness gave the administrator access to users' personal e-mail addresses together with their social media accounts. We do not know how the approved translations are propagated to the end user; perhaps the end-user interface could also have been manipulated through those changes. So what was this critical vulnerability in the "translate.whatsapp.com" web application of a billion-dollar company, used by more than 200,000 members? Unfortunately, the use of a default username and password: Username "admin", Password "admin".
The company finally took action after two days, and the following e-mail was sent to the person who found the vulnerability.
Vulnerability: Default Password (admin/admin)
Video & Screenshot:
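The admin/admin finding above is a deployment failure rather than a code bug, but it is one that application code can make impossible. The following Python is an added example written for this article, not the translation platform's code; the list of default passwords, the minimum length and the storage format are constructed assumptions. It shows three controls together: a bootstrap routine that issues a random one-time admin password instead of a factory default, a policy check that rejects default and username-derived passwords on every password change, and an audit routine that flags existing accounts whose stored hash still matches a default.

```python
import hashlib
import hmac
import os
import secrets

# Constructed list of well-known factory defaults (assumption: maintained by the deployer).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default", ""}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000


class WeakCredentialError(ValueError):
    """Raised when an account would be given a default or too-short password."""


class Account:
    def __init__(self, username, stored_hash, must_change_password=False):
        self.username = username
        self.stored_hash = stored_hash  # 16-byte salt followed by the PBKDF2 digest
        self.must_change_password = must_change_password


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored_hash, password):
    salt, digest = stored_hash[:16], stored_hash[16:]
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


def is_default_credential(username, password):
    """True for factory defaults and for the admin/admin pattern (password == username)."""
    return password.lower() in DEFAULT_PASSWORDS or password.lower() == username.lower()


def check_password_policy(username, password):
    if is_default_credential(username, password):
        raise WeakCredentialError("default or username-derived password rejected")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise WeakCredentialError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")


def bootstrap_admin_account(username="admin"):
    """Instead of shipping admin/admin, issue a random one-time password that has
    to be replaced at first login. Returns (account, one_time_password)."""
    one_time = secrets.token_urlsafe(18)
    acct = Account(username, hash_password(one_time), must_change_password=True)
    return acct, one_time


def change_password(acct, new_password):
    check_password_policy(acct.username, new_password)
    acct.stored_hash = hash_password(new_password)
    acct.must_change_password = False


def login(acct, username, password):
    """Returns 'denied', 'password_change_required' or 'ok'."""
    if username != acct.username or not verify_password(acct.stored_hash, password):
        return "denied"
    if acct.must_change_password:
        return "password_change_required"
    return "ok"


def audit_default_credentials(accounts):
    """Startup or periodic check: usernames whose stored hash still matches a
    factory default or the username itself. Run this before exposing the admin UI."""
    flagged = []
    for acct in accounts:
        candidates = DEFAULT_PASSWORDS | {acct.username.lower()}
        if any(verify_password(acct.stored_hash, c) for c in candidates):
            flagged.append(acct.username)
    return flagged


if __name__ == "__main__":
    acct, otp = bootstrap_admin_account()
    print("first login with admin/admin:", login(acct, "admin", "admin"))
    print("first login with one-time password:", login(acct, "admin", otp))
    change_password(acct, "correct-horse-battery-7")
    print("after password change:", login(acct, "admin", "correct-horse-battery-7"))
    # Constructed legacy account still on its factory default, as the audit would find it.
    legacy = Account("translate_admin", hash_password("admin"))
    print("accounts on default credentials:", audit_default_credentials([legacy, acct]))
```

The audit only works because the check hashes each default with the account's own salt; it never needs plaintext passwords, so it can run against the production credential store. The one-time password is delivered out of band by the deployer; what matters is that no build of the application ever contains a usable admin password.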
Such disingenuous attitudes and behaviour, neglecting the security of customers, together with the two-day delay in response, will definitely have a negative impact on WhatsApp. If these vulnerabilities had been used by malicious people, WhatsApp and its customers would unavoidably have suffered. This did not happen, and any possible data leak was prevented, because in both cases all the details of the vulnerabilities were shared with the company's executives. But they did not show the same care in these situations as we did, so this will definitely harm their reputation. Company officials without any security awareness or foresight about security issues can be expected to do more harm to the company than a malicious hacker.
We hope that the company's officials take the necessary precautions to improve their perspective and the way they handle these security risks as soon as possible. Otherwise WhatsApp and its application will definitely be a loser in the field of information security.