Penalized for Responsible Disclosure

While researching a new attack vector (presented in BSides SG 2022), my associate and I discovered a misconfiguration in one of the Big Four’s guest wifi networks. Let’s call this company FacePalm. The implication is that FacePalm isn’t the only party impacted; many of its customers are also affected.

Without going into the technical details, we received all sorts of traffic from the network, ranging from NTLM hashes to certain HTTP and internal file share traffic. We’re talking about hundreds of unique clients (the ones that had a “weak” configuration on their endpoints as well), if not more.

As part of responsible disclosure, we spared no time in reporting to FacePalm. They had no Bug Bounty nor Vulnerability Disclosure programmes. Heck, there wasn’t even a security email address on their website. We wrote in to their general inbox — as a matter of fact, thrice but did not get any response.

On the other hand, we wrote in to the affected companies as much as we could, depending on the channels they offer. For companies offering a bug bounty programme, that was our obvious choice, and we got payouts for several of them. Interestingly, a gaming company complained to the bug bounty platform, citing that we were withholding information on the identity of FacePalm (which led to this bug discovery) and thus breaking platform rules. Talk about balancing responsible disclosure on both ends!

Fast-forward, FacePalm has a cybersecurity practice (the irony) that reached out and presented a pitch on a prospective project for which we’re (my company) calling for proposals. Finally, someone who talks security, I thought! I reached out to that partner of FacePalm after the pitch, told him about the vulnerability and exposure affecting his company and clients, and wrote him a detailed email citing the vector, exposure, and remediation steps. Sure, it’s been over a year since we first attempted to get FacePalm’s attention, but better late than never. That partner of FacePalm assured me that he would work with the security operations team to resolve this. I was glad.

Until I got a notice the following week from AWS that my services were suspended because I was hosting “phishing” (which is not even close) content on their service. Enraged, I looped in that partner, who said he would get to the bottom while claiming they weren’t the ones who reported to AWS. The funny thing is that while AWS wouldn’t disclose who reported this to them (and mind you, my service had been running for 2 years without problems then), the moment I provided email evidences of my responsible disclosure to FacePalm, AWS resolved that case and allowed me to resume my service.

You might be wondering where that proposal from FacePalm ended up. Since then, we’ve not had any business with FacePalm. The lack of professionalism is appalling. I’ve disassociated their domain and released it to the internet, open to whoever wants to do whatever with it.

Lesson learnt against going the extra mile.