Responsible Vulnerability Disclosure and Response Matter

Published
August 10, 2016
Type
Info notes

Introduction

Ecotricity is a UK-based green energy company known for its large network of electric vehicle charging stations. Scott Helme, a security researcher, identified a vulnerability in the password reset process of the company’s mobile application. The vulnerability allowed an attacker to reset any user’s password and take over their account. Helme responsibly disclosed the serious flaw to the company, which reacted quickly, permanently fixed the issue, and updated the application within 48 hours. This note provides an overview of the vulnerability, reminds the reader that there is no perfect security, and underscores the company’s quick reaction to the responsible vulnerability disclosure. Additionally, it highlights the importance of thorough security testing, vulnerability response readiness, and vendor vulnerability disclosure maturity.

The vulnerability in a nutshell

On a user’s password reset request, the application sends an e-mail to the user’s account with a URL to reset their password. A flaw in the application enabled an attacker to reset the password of a user's Ecotricity account without the need to have access to their e-mail account, allowing the attacker to take over any user account. Ecotricity solved the issue and released an updated version of the application with a working and flawless password reset functionality.
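The note does not describe the exact flaw, only that a reset could succeed without access to the user’s e-mail. The following added example (constructed here, not Ecotricity’s code) shows the properties a reset flow needs so that e-mail access is the only way through: a random, hashed, expiring, single-use token, with the account to change taken from the server-side record rather than from any client-supplied field. The `users` dictionary and `outbox` list are stand-ins for the account store and the e-mail channel.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes


class PasswordResetService:
    """Reset flow in which possession of the e-mailed token is the
    only accepted proof of identity. Constructed example."""

    def __init__(self, users, now=time.time):
        # users: dict e-mail -> password. outbox stands in for e-mail delivery.
        self.users = users
        self.now = now
        self.outbox = []
        # sha256(token) -> (email, expiry). Only the hash is stored, so a
        # leaked table does not yield usable reset links.
        self._pending = {}

    def request_reset(self, email):
        # Same response whether or not the address is registered, so the
        # endpoint cannot be used to enumerate accounts.
        if email in self.users:
            token = secrets.token_urlsafe(32)  # 256 random bits
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[digest] = (email, self.now() + RESET_TTL_SECONDS)
            self.outbox.append((email, token))  # "send" the link
        return "If that address is registered, a reset link has been sent."

    def confirm_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored_digest, (email, expiry) in list(self._pending.items()):
            # Constant-time comparison of the digests.
            if hmac.compare_digest(stored_digest, digest):
                del self._pending[stored_digest]  # single use, even if expired
                if self.now() > expiry:
                    return False
                # The account comes from the server-side record bound to
                # the token, never from the request.
                self.users[email] = new_password
                return True
        return False
```

Knowing a victim’s e-mail address or account identifier is not enough to call `confirm_reset` successfully; only the token from the outbox (the e-mail) is.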

There is no 100% security

The security researcher who identified the vulnerability commented on the issue: “I can't help but feel that it [the app] didn't get much in the way of penetration testing prior to release”. However, a spokesperson at Ecotricity commented on Ars Technica: “Despite having the app independently security tested with an accredited organisation, there was an oversight in its development". If the application did pass through security testing, it is necessary to keep in mind that there is no 100% security and that security testing does not guarantee a bulletproof application. Applications may pass through several security tests, yet not all issues may be identified, nor all identified issues mitigated. There is always a balancing act between the security risks identified and the risks that are actually mitigated (usually the most critical ones, although that was not the case in this particular incident). Security testing is not a silver bullet, but that does not mean it should be skipped or overlooked.

As vulnerabilities increasingly emerge in applications and web services every day, it is very important for their owners to be vigilant and well prepared, so that they can react and mitigate them as soon as they become aware of them. This has become imperative since it is a matter of “when” rather than “if” an incident will occur.

The prompt reaction of the company to the responsible disclosure has been duly praised. ENISA finds this case a good example of sound vulnerability response and handling.

Recommendations

Security and privacy aware systems analysts and software analysts. The software analysts responsible for writing up the application’s specifications and requirements, and the systems analysts responsible for supervising this process, need to consider security and privacy at a foundational level in order to pinpoint crucial security and privacy requirements from the very beginning of the development process.

Security good practices. Software architects, engineers and developers must follow a Security Development Life Cycle (SDLC), e.g. Microsoft’s SDL, which requires the use of good security practices/guidelines in conjunction with the well-established software development lifecycle processes. Developers need to apply secure coding techniques, thoroughly check their code, and make sure they test it themselves before passing it to the testing phase.

Thorough security testing. Penetration testers must perform thorough testing to identify critical software flaws and effectively communicate them back to the developers. A critical vulnerability such as the one in Ecotricity’s application should not have slipped through the security testing procedures.

Good team communication. Software engineers and developers should establish a good communication channel with penetration testers to make sure both sides work together efficiently towards producing more secure software.

Invest in security testing services. It is very important for organisations/companies that produce software to invest in accredited, experienced, and independent security testing services. This is even more crucial when important assets of an organisation/company are published online, e.g. Ecotricity published its API online.

No shortcuts in the testing phase. Project managers should avoid taking shortcuts on security testing in order to publish their application quickly. Providing the right amount of time for every step of the software development process is very important for the overall quality of the software.

Vulnerability response readiness. Organisations/companies need to have a certain level of vulnerability response readiness as well as the related procedures in place, to be able to efficiently and effectively react to security vulnerabilities when they are reported.

Vendor vulnerability disclosure maturity. ENISA’s “Good Practice Guide on Vulnerability disclosure” recommends that vendors have a policy in place to follow when vulnerabilities are discovered and reported. Such a disclosure policy enables the organisation/company to react quickly, makes vulnerability reporting clearer and easier for security researchers, and helps to improve communication between all concerned parties.

Responsible/coordinated disclosure. Security researchers should make a reasonable effort to privately contact the vendor and give them the opportunity to diagnose and fix the problem before disclosing it publicly. Diagnosing and fixing the issue might require extensive testing on behalf of the organisation/company and several rounds of communication between the concerned parties. The timeline of the corrective measures needs to be confirmed prior to disclosure, so that both parties coordinate their efforts and work as closely as possible on fixing the issue. Organisations/companies are strongly advised to acknowledge the researchers’ contribution and provide incentives to researchers for following a responsible and coordinated disclosure.

Bug bounty program. Rewarding security researchers for identifying security flaws in software and responsibly disclosing them to the company is a worthy investment for companies. A bug bounty program could be beneficial but the company needs to have all the right processes in place first (vulnerability response readiness and vendor vulnerability disclosure maturity) to be able to support it.

Conclusion

The vulnerability in Ecotricity’s application is multi-faceted. It is a critical vulnerability that should not have passed beyond the testing phase, but it highlights the importance of having the policy and procedures in place to be able to respond quickly to fix the problem once it is reported. Since it is clear that there is no such thing as 100% security, vulnerability response readiness, coordinated vulnerability disclosure, and vendor vulnerability disclosure maturity are vital as they can help to mitigate the impact of an incident.

About “Info Notes” from ENISA

With the “Info Notes” series ENISA aims to give interested readers some background information and recommendations about NIS related topics. The background information and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more about the “Info Notes” series (cert-relations@enisa.europa.eu).