Another week passes and another organisation chooses to deny a critical vulnerability in their site rather than fix it. I’m talking of course about Giggle, the social network site designed as a safe space for women, built to “give girls choice, control, consent and connection”.
If you are not aware, over the last few days Saskia Coplans (@ms__chief) a security researcher at Digital Interruption attempted to disclose a serious vulnerability in the Giggle platform. It meant that an unknown, unauthenticated attacker could see:
That’s pretty much as bad as it gets for a platform like Giggle.
Sadly, Sall Grover, the Giggle CEO, fell into three days of denial and threats against Saskia and Digital Interruption: initially ignoring the researchers, then blocking them on Twitter and starting a war of words against the security research community. Eventually, three days later, realising it wasn’t working, Giggle asked for more information and finally fixed it.
All the while the CEO denied it was an issue and even went as far as threatening Digital Interruption with legal action. This way of carrying on only served to shine a massive ‘Streisand’ light on the problems at Giggle.
On Sep 11, 2020 Sall Grover Tweeted a conciliatory statement:
It's important to note that the flaw has since been fixed.
As mentioned, it was possible for attackers to obtain users’ photos, phone numbers and locations. According to Digital Interruption, the location data uncovered is from the time of sign-up, as is the photo. If you had moved or changed your appearance in the interim that did potentially reduce the risk, but not remove it entirely.
Although the flaw is fixed we don’t know how long it existed, nor do we know whether anyone else exploited it while it was still vulnerable. Unless Giggle can confirm otherwise, it should be assumed that if you use the service your phone number, location and photo have been compromised.
This can be distressing, especially if you are, for example, in the process of escaping an abusive relationship. Your partner could have exploited the flaw, found you signed up with your phone number and then viewed your location at the time. What is not clear from the report is what changes when the attacker has a valid account; it’s implied that with the phone number used at registration an attacker could look up the AccountID (a GUID in this case), which one presumes is constant, meaning an attacker could then find your username, your current location, any images you have uploaded and your current photo, among other data points.
If that is the case then Giggle should be extremely clear with users.
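To make concrete what a phone-number lookup of the shape described above leaks, and what a corrected version of the same feature looks like, here is an added illustrative example written for this page. It is not Giggle’s code and does not reproduce the actual API; the data model, the session object, the opt-in “discoverable” flag and the per-session lookup budget are all assumptions, and the user records are constructed sample data.

```python
import uuid
from dataclasses import dataclass


# Constructed sample data: a tiny in-memory store standing in for the
# platform's user database. Phone numbers, names and coordinates are made up.
@dataclass
class User:
    account_id: str          # constant GUID, as the post presumes
    username: str
    phone: str
    signup_location: tuple   # (lat, lon) captured at registration
    photo_url: str
    discoverable: bool       # assumed opt-in: may others find me by number?


USERS = {
    u.phone: u
    for u in [
        User(str(uuid.UUID(int=1)), "alice", "+447700900001",
             (51.50, -0.12), "https://example.invalid/p/1.jpg", True),
        User(str(uuid.UUID(int=2)), "bob", "+447700900002",
             (53.48, -2.24), "https://example.invalid/p/2.jpg", False),
    ]
}


def lookup_by_phone_vulnerable(phone):
    """The pattern the post describes: no authentication, and a phone number
    is enough to get the account GUID plus everything keyed to it,
    including the sign-up location and photo."""
    user = USERS.get(phone)
    if user is None:
        return None
    return {
        "account_id": user.account_id,
        "username": user.username,
        "signup_location": user.signup_location,
        "photo_url": user.photo_url,
    }


def lookup_by_phone_hardened(phone, session, budget, limit=20):
    """Hardened contact-discovery lookup (an assumed design, not the vendor's fix):
    1. the caller must hold an authenticated session;
    2. each session gets a bounded number of lookups, so the endpoint cannot be
       used to sweep a phone-number range;
    3. the response never includes location or the GUID, and "not registered"
       and "registered but opted out" are indistinguishable, so the endpoint
       is not a phone-number-to-account oracle."""
    if session is None or "account_id" not in session:
        return {"status": "unauthenticated"}
    used = budget.get(session["account_id"], 0)
    if used >= limit:
        return {"status": "rate_limited"}
    budget[session["account_id"]] = used + 1
    user = USERS.get(phone)
    if user is None or not user.discoverable:
        return {"status": "no_match"}
    return {"status": "match", "username": user.username, "photo_url": user.photo_url}


if __name__ == "__main__":
    print(lookup_by_phone_vulnerable("+447700900001"))
    session = {"account_id": str(uuid.UUID(int=2))}
    print(lookup_by_phone_hardened("+447700900001", session, {}))
```

The point of the hardened version is not the specific limit or flag but the three properties together: authentication, a bounded query budget, and a response that carries only data the target has chosen to expose. Dropping any one of them re-opens the phone-number-to-profile link the post is concerned about.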
Here are some simple steps you can take when signing up to these type of services:
In virtually all cases security researchers are there to help. They are usually friendly, they want the best for your customers, and they aren’t looking to damage your business or make money.
We know that you have spent years building a product or service and that you are passionate about it. We totally get it.
We have done the same in building our reputation as honest, reputable security researchers. The problem is that when things are built in haste mistakes happen. Security researchers are passionate about identifying flaws that could lead to compromise of your customers.
They want to help. Ignoring them, blocking them, calling them out on Twitter, burying your head in the sand and threatening them with legal action only leads to hostility and serves no one’s cause well. It means more people talk about it, turning what could have been a positive story into a negative press story.
No one talks about the flaws that get fixed within minutes. Everyone talks about the Twitter fall out.
My advice to Giggle and organisations on the receiving end of a vulnerability disclosure is:
We have done hundreds of disclosures. Every one is different, but in our experience it’s critical to put yourself into the shoes of the person receiving the disclosure. They are likely never to have dealt with a security researcher before, and they may not know that your intentions are genuine.
They have built their product, service and user base over many years, then you come along and tell them that it’s got terrible security and that they are putting their customers at risk. How do you think they will feel about you?
I think Digital Interruption broadly did a good job; however, if you are disclosing a vulnerability to an organisation it’s important to:
The post Consumer advice: Giggle vulnerability first appeared on Pen Test Partners.