What happens when you report a vulnerability to a website and it completely ignores your request, in spite of running a bug bounty program that’s supposed to pay for disclosures?
Some hackers might just walk away, but a group of app developers in Russia chose another approach. They used the vulnerability to spam thousands of users on Russia’s largest social network.
The group, called Bagosi, develops apps that run on St Petersburg-based VKontakte (VK), a social network with over 500m users owned by Russian Internet company Mail.ru.
According to ZDNet, the group discovered a vulnerability in the social network and alerted developers there a year ago.
In a post on VKontakte, Bagosi explained that the social network ignored the bug report and didn’t pay the person that discovered it for their submission or acknowledge it in any way. This is in spite of the fact that VKontakte runs a bug bounty program with Hacker One. VK told Naked Security that the program has been running since 2015 and has paid out $250,000 in bounties. However, Hacker One also told us that the VK program is self-managed, meaning that the social network handles bug reports using its own internal teams rather than relying on Hacker One’s employees.
Bagosi decided to bring the vulnerability to users’ attention in a spectacular way. It wrote a VK post containing a script that would activate when viewed. The script posted a link to the post on any group or page that the victim managed.
Bagosi used some obfuscating tactics, according to explanatory posts that it made on VK. It accessed random reviews from the Google Play store and also randomised headlines to help dodge anti-spam filters, it said.
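The behaviour described above, one link reposted by many compromised accounts onto many pages in minutes, is what a defender can look for on the server side. The following is an added example, not code from VK, Bagosi or this article: it scans a constructed log of post events and flags links whose posts come from several distinct accounts to several distinct pages inside a short window, while leaving alone an admin cross-posting one story to their own pages (one actor) and slow organic sharing (spread out over hours). The event format, the thresholds and all sample data are assumptions made for the example.

```python
"""Flag links that spread like a worm: the same URL posted by many distinct
accounts to many distinct pages within a short time window.

Added example; not code from VK, Bagosi or the article. The event tuple
layout, the thresholds and the sample events below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def find_worm_like_links(events, window=timedelta(minutes=10),
                         min_actors=3, min_targets=3):
    """events: iterable of (timestamp, actor_id, target_page, link).

    Returns {link: (distinct_actors, distinct_targets)} for every link whose
    posts, inside some span of length `window`, come from at least
    `min_actors` accounts and land on at least `min_targets` pages.  The
    counts reported are the largest seen in any such window."""
    by_link = defaultdict(list)
    for ts, actor, target, link in events:
        by_link[link].append((ts, actor, target))

    flagged = {}
    for link, posts in by_link.items():
        posts.sort(key=lambda p: p[0])
        best = (0, 0)
        start = 0
        for end in range(len(posts)):
            # slide the left edge forward until the window is at most `window` wide
            while posts[end][0] - posts[start][0] > window:
                start += 1
            window_posts = posts[start:end + 1]
            n_actors = len({p[1] for p in window_posts})
            n_targets = len({p[2] for p in window_posts})
            if n_actors >= min_actors and n_targets >= min_targets:
                best = max(best, (n_actors, n_targets))
        if best != (0, 0):
            flagged[link] = best
    return flagged


# Constructed sample events (not real VK data). Times are relative to T0.
T0 = datetime(2019, 2, 14, 12, 0, 0)
WORM_LINK = "https://social.example/wall-1_100"      # placeholder URL
NEWS_LINK = "https://news.example/story"              # placeholder URL
BLOG_LINK = "https://blog.example/post"               # placeholder URL

SAMPLE_EVENTS = [
    # five different accounts repost the same link to five pages within two minutes
    (T0 + timedelta(seconds=10), "user1", "group_a", WORM_LINK),
    (T0 + timedelta(seconds=40), "user2", "group_b", WORM_LINK),
    (T0 + timedelta(seconds=70), "user3", "group_c", WORM_LINK),
    (T0 + timedelta(seconds=90), "user4", "group_d", WORM_LINK),
    (T0 + timedelta(seconds=120), "user5", "group_e", WORM_LINK),
    # one editor cross-posting a story to the four pages they run: one actor
    (T0 + timedelta(seconds=20), "editor", "news_1", NEWS_LINK),
    (T0 + timedelta(seconds=25), "editor", "news_2", NEWS_LINK),
    (T0 + timedelta(seconds=30), "editor", "news_3", NEWS_LINK),
    (T0 + timedelta(seconds=35), "editor", "news_4", NEWS_LINK),
    # organic sharing of a popular link, spread out over hours
    (T0 + timedelta(minutes=5), "user6", "group_f", BLOG_LINK),
    (T0 + timedelta(hours=1), "user7", "group_g", BLOG_LINK),
    (T0 + timedelta(hours=2), "user8", "group_h", BLOG_LINK),
]


if __name__ == "__main__":
    for link, (actors, targets) in find_worm_like_links(SAMPLE_EVENTS).items():
        print(f"{link}: {actors} accounts -> {targets} pages within 10 minutes")
```

The thresholds are deliberately conservative; in practice a platform would tune them against its normal reposting rates and pair the rule with content checks, since a worm that randomises its headline, as this one reportedly did, still has to carry the same link to propagate.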
Clearly, VK can move quickly when it wants to. The app developers launched the attack on 14 February, and the social network shut it down quickly. A VK spokesperson told Naked Security:
Within the first minute of the vulnerability being discovered, we began deleting the undesirable posts, and within 20 minutes, the vulnerability was completely fixed.
Still, the page spread quickly before VK blocked the vulnerability. Bagosi explained in a VK post:
The page has accumulated more than 100k views. Since VK takes into account only unique views, it can be concluded that ~140k people have become “victims” of the worm.
VK banned the group’s account after detecting the spam, and only reversed the ban after realising that the worm hadn’t stolen any user data.
Bagosi said it had done its best to report the flaw but had been ignored. This raises the question: is it OK to launch a benign proof of concept that you know will spread widely, to bring a flaw to people’s attention, or should you stay quiet?
We asked Dan Kaminsky what he thought. Kaminsky is arguably the king of responsible disclosure, best known for managing to keep a major DNS flaw under wraps for months while he worked with major internet companies to introduce a fix. He said:
Benign proof-of-concepts tend not to actually manipulate production systems. This one did. That doesn’t make it malicious, but if the goal is to protect users, researchers can be friendlier.
There is a middle ground that doesn’t involve spamming thousands of people to make a point.
At the end of the day, these sorts of spats between vendors and researchers are not in the interests of user safety.