by rvz 2115 days ago
Great report on a critical RCE vulnerability in Slack. However, I will bite.

$1,750 for a detailed report on a critical RCE is like rewarding sniffer-dogs with breadcrumbs. One could sell this exploit for at least 5 figures on the black market.

In all cases, since Electron brings XSS to the desktop, it is a hacker's paradise.

5 comments

I found an XSS bug in a popular note taking app. It would allow an attacker to download all the user's notes just by having them visit a URL.

I reported it on HackerOne, it was only after I refused to post it on their free program that they added me to their paid private one.

It was marked as "medium", I got $250 for it.

Do you disagree with the severity? I assess it to have a 6.5 (medium) CVSS score.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L...

I realise it’s a medium on that scale and I cannot argue otherwise.

But I think how private that data is to the end user should also be taken into account. It’s a medium for technical risk (relative to server remote exec), but it should be seen as a high priority for the company and rewarded as such.

If an end user were to ask that company “why did you leak all my private data” their response would be “your data is worth less than $250 in human labour and is seen as a medium security risk”?

The authenticated one-click social engineering aspect of this significantly lowers exploit probability and overall risk.
This is true, but this attack could work in an iframe in the background without that click. An attacker could buy a popular blog on the note taking app, and run the iframe in the background collecting data for years. The bug was at least 5 years old.
CVSS is a ouija board and you can make it say whatever you want, which is why very few practitioners take it seriously.
Sure, some of it is open to interpretation, but I disagree with it not being taken seriously. This is the basis for CVEs, most bounty tables, and most audit reports (that I've seen).
I'm a practitioner, I've managed bug bounties for several companies, and spent 15 of the last 20 years doing assessment work almost exclusively, and nobody takes CVSS seriously. It doesn't say anything to point out that some people structure "bounty tables" based on CVSS, because, as I said, it's a ouija board; the actual rules for what bugs are worth are still ad hoc, they're just used to determine the CVSS instead of the price directly. And that's not a super common practice!

CVSS scores are put into audit reports --- at the ouija levels clients want --- to shut up the suits in compliance.

CVSS being used as a basis for bounty payments is certainly evidence that it is taken seriously. Of course there are details that have to be factored in after that calculation, since CVSS is simplified for general usage.

I'm not aware of any programs on HackerOne that don't follow this practice, so it's not "super uncommon".

I've been in security for a while and once received a report of a CVSS score that was egregiously high at Critical.

I modified the assumptions that were made by the reporter and came out with Low.

This is one example of why this is a nonsense metric.

Any metric is nonsense if used improperly.
That's a pretty normal price for an XSS.
Dropbox and co pay $10,000 for the same exploit.
Then you should sell it to Dropbox, because $10,000 is extremely high for an XSS vulnerability.
I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.

Yes, that is the premise behind bug bounties. If you're a vulnerability researcher with a track record, you will probably make better money and certainly more consistent money as a pentester. Many pentesters just do both.

I have, uh, some experience with the rates here.

Damn, didn't know $1750 was low. I got something similar for reporting an exploit to Microsoft, where opening an attached ICS/calendar entry in Outlook's web client allowed me to execute arbitrary JavaScript on outlook.microsoft.com as the current user. Should have asked for more!
It sounds like you got $1750 for an XSS-equivalent attack. That's high for XSS.
Yes... yes you should have.
I wouldn't beat yourself up over it. There's probably room to develop an exploit valuation model that better helps to translate (time spent on research) + (X% of business/customer impact), where X is a pretty low figure, otherwise companies would never stay in business.

Don't undervalue the intangible permanence of doing the right thing, character outlasts cash come the grave.

> since Electron brings XSS to the desktop, it is a hacker's paradise.

Just curious - what makes XSS on the desktop different from other kinds of RCE vulnerability?

Part of this is Electron's environment and arguably fault.

Electron used to default to insecure. You were basically running a web browser except with full access to your entire machine file system/camera/mic/network etc. If you are an inexperienced developer it wasn't obvious that live linking to any 3rd party code could be an issue. Electron kind of fixed that. They warn you now and default to more secure. How many devs are capable of keeping it secure is up for debate.

As a related issue, it used to be (maybe still is) that by default, links you click in Electron open in Electron. So you make any app that accepts user data and links and suddenly people are browsing the entire net in an un-secured browser.

And worse, they break stuff. I made an electron app and explicitly made it so all links open in the user's browser. I updated to a new version and then to my horror found whatever I had done to make sure links opened in an external browser stopped opening links in an external browser.

Native apps can have exploits but most native apps aren't designed to be an environment for running arbitrary code. They're only an app for working on data.

Note, I love Electron, I've used it for several projects and it's great. But I'm also afraid of it and wish OSes were themselves more sandboxed so I didn't have to worry about it.

Nothing, but if Slack was a web application and not an Electron application it would mean XSS would not immediately lead to RCE, you would need XSS and a vulnerability in the browser to get an RCE. Electron is basically that for you already: a vulnerable browser.
I refuse to use the Slack desktop app, and use Slack only through a web browser. I trust Chrome (Google), Firefox (Mozilla), Safari (Apple) far more than the Slack engineers.
XSS isn't ordinarily RCE, and XSS is generally much more common than the attacks that do reliably give RCE. It's notable that un-hardened Electron elevates XSS to RCE, because it means there are a lot more opportunities for RCE. That's the subtext of the comment you're replying to.
Yes it is? XSS lets you execute JavaScript code remotely; that's literally a subset of RCE. Are you talking about virtual machine escapes (running native machine code)?
No, that is not remotely what practitioners mean by RCE.
"Remote Code Execution" means the attacker can Execute Code Remotely, right? I guess you could classify the virtual machine as a (virtually) separate machine from the physical one, so that it's not a RCE on the machine you actually want to attack, but it's clearly executing code on some machine that the remote attacker isn't supposed to be able to execute code on.
No. RCE is a term of art. It implies arbitrary native code execution.
nodeIntegration:true
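The comments above describe two Electron behaviours: renderers that shipped with Node integration on, so that any XSS payload has `require()` and therefore native code execution, and links that open inside the Electron window rather than the user's browser. The following is an added example, not code from the thread, from Slack or from the Electron project: the legacy and hardened `webPreferences` side by side, a function that states what an injected script can reach under each, and a navigation policy that keeps same-origin navigation in the app, hands other http(s) links to the OS browser and refuses everything else. Electron is not imported; the window and `shell` objects are passed in as parameters, and a constructed fake stands in for them so the file runs under plain Node. The Electron APIs used (`will-navigate`, `setWindowOpenHandler`, `shell.openExternal`) are real; the app origin `https://app.example` is a placeholder.

```javascript
// Added example: Electron renderer hardening and an external-link policy.
// Not code from the thread, Slack or Electron. Runs under plain Node via the fake below.

// Renderer preferences Electron shipped as defaults before it hardened them.
// nodeIntegration:true puts Node's require() in page scope, so an XSS payload can
// reach child_process, fs and the network directly.
const LEGACY_PREFS = { nodeIntegration: true, contextIsolation: false, sandbox: false, webSecurity: true };
// What a practitioner sets today: no Node in the page, preload runs in its own world, OS sandbox on.
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true };

// What an injected <script> can reach given a renderer's webPreferences.
function xssReach(prefs) {
  if (prefs.nodeIntegration) return 'native';    // require() in page scope: XSS is RCE
  if (!prefs.contextIsolation) return 'preload'; // page can tamper with objects the preload exposed
  return 'dom';                                  // ordinary browser XSS: DOM, storage, app state
}

// Classify a navigation target relative to the app's own origin.
//   'allow'    same-origin http(s): stay inside the app
//   'external' other http(s): hand to the OS browser
//   'deny'     anything else (file:, javascript:, data:, custom schemes, unparsable)
function classifyNavigation(targetUrl, appOrigin) {
  let url;
  try { url = new URL(targetUrl); } catch { return 'deny'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'deny';
  return url.origin === appOrigin ? 'allow' : 'external';
}

// Wire the policy into a BrowserWindow. `win` is an Electron BrowserWindow and `shell`
// is Electron's shell module; both are injected so a fake can stand in for them.
function installNavigationPolicy(win, shell, appOrigin) {
  // Top-level navigations, e.g. clicking a link in a message.
  win.webContents.on('will-navigate', (event, url) => {
    const verdict = classifyNavigation(url, appOrigin);
    if (verdict === 'allow') return;
    event.preventDefault();
    if (verdict === 'external') shell.openExternal(url);
  });
  // window.open / target=_blank: never spawn a second, unhardened Electron window.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (classifyNavigation(url, appOrigin) === 'external') shell.openExternal(url);
    return { action: 'deny' };
  });
}

// Constructed fake window and shell so the policy can be driven offline.
function makeFakeWindow() {
  const handlers = {};
  let openHandler = null;
  const opened = []; // URLs handed to the OS browser
  const win = {
    webContents: {
      on: (name, fn) => { handlers[name] = fn; },
      setWindowOpenHandler: (fn) => { openHandler = fn; },
    },
  };
  const shell = { openExternal: (url) => { opened.push(url); } };
  // Simulate a link click and report whether the in-app navigation went ahead.
  const navigate = (url) => {
    let prevented = false;
    handlers['will-navigate']({ preventDefault: () => { prevented = true; } }, url);
    return prevented ? 'blocked' : 'navigated';
  };
  const popup = (url) => openHandler({ url }).action;
  return { win, shell, opened, navigate, popup };
}

const demo = makeFakeWindow();
installNavigationPolicy(demo.win, demo.shell, 'https://app.example');
for (const u of ['https://app.example/channel', 'https://evil.example/', 'file:///etc/passwd', 'javascript:alert(1)']) {
  console.log(`${u} -> ${demo.navigate(u)}`);
}
console.log('legacy prefs give XSS reach:', xssReach(LEGACY_PREFS), '; hardened:', xssReach(HARDENED_PREFS));
```

The policy is deliberately an allowlist on scheme and origin rather than a blocklist of bad schemes: a `file:` or custom-scheme link that slips through `will-navigate` in an un-hardened renderer is exactly the path from XSS to local code that the thread is worried about.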
When running a security bounty, what makes me afraid is the compounding factor of finding the same kind of issue several times in different places, thereby multiplying the cost by 20. Of course $1750 is cheap, but I’d happily donate more if there were no risk of paying repeat bounties, given a week between them to fix each category of security failure I learn about.

By the way, the security bounty should be mandatory to display to customers. It’s like saying “We don’t value the sum of all your data of all customers to more than $1750”.

> but I’d happily donate more if there were no risk of paying repeat bounties, given a week between them to fix each category of security failure I learn about.

A better solution would be to only allow a bug to be reported once per quarter, or once per version of the software. If someone finds a bug in v1.0 that's fixed in v1.1, then someone (even the same person) should be able to report the same bug in a different place in v1.1. That's an incentive for companies to use the report to secure the whole app rather than just fixing the reported issue.

Don't bug bounties usually have some rules for splitting bounties or else paying only the first reporter in case of multiple independent discovery?
It is typical that only the first reporter gets a bounty; duplicate reports are usually given "duplicate" status.

But you might have the same vulnerability found in several different places. Reports should really only be considered duplicates if the fix to one automatically fixes the other also. Your bug found in multiple locations might happen to be set up that way -- or it might not.

This exact problem occurs frequently when a company with a bounty program makes an acquisition and brings the new software into scope for the program. The acquired code is often full of relatively easy-to-find, high-impact bugs. What I've seen people do in this case is open the scope, accept a certain number of reports, and then suspend eligibility for that software for a certain period of time.

This would look like "we've had a lot of similar bugs filed against company-we-acquired.com, and we're taking that domain out of scope for X weeks while we work on it."

(You could achieve exactly what laurent92 is asking for by taking an issue type ("SSRF") out of scope for a period.)
Can you support that statement about the black market with evidence?
Agreed on 5 figures. Evidence? There are even clearnet websites where you can buy vulns. The most known would be: https://0day.today
What you see on that website is the cost, not the earnings though. If a private exploit costs $1.2k, you can get 5 digits by selling it 9 times. That isn't a huge number of sales, but I don't know if this exploit would sell that many times. Anyway, by disclosing on H1 you're "selling" at most once.
Zerodium won't buy a Slack exploit. I'm not debating whether there is a black market for exploits; there is. It just doesn't buy most of the things HN commenters think it does.