This is a well-written article with many details. What caught my eye was the following.

> “To exploit this, we need to go to hubspot.com, register ourselves as a HubSpot client, place a payload on our HubSpot page, and then finally trick HubSpot into serving this response on goodhire.com
> ...
> Cloudflare happily cached this response and served it to subsequent visitors. Inflection passed this report on to HubSpot, who resolved the issue by permanently banning my IP address. After some encouragement they also patched the vulnerability.”

This made me chuckle as well as get frustrated with how most teams and organizations react to security issue reports by first going into denial. They then try shutting up or preventing the person/entity reporting the incident from accessing the system, while continuing to proceed with “business as usual” and claiming that their systems are perfect. Good that HubSpot did patch the vulnerability soon after in this case.

If someone were to ask me for comments, I’d say people and organizations need to grow up, own up and work better. Such reactions show a lot of immaturity while keeping their users vulnerable.

P.S.: In the Indian context, this kind of response reminds me of UIDAI (the organization that manages the biometric-based resident ID system), which is permanently in denial mode when vulnerabilities related to security and privacy in its ecosystem and all the entities that link to it are pointed out.