Hacker News new | ask | show | jobs
by emilyst 922 days ago
Imagine being able to shut off all Ubiquiti console access in the world instantly, by posting about a grave security issue (real or not) and having a few compatriots to do the same in a short amount of time. You could trivially block a business's access to its own security cameras on a moment's notice, among other things.

If the response to an unverified issue were "just shut everything down" you effectively have implemented an exploitable DoS in your own incident policy.
2 comments
tw04 922 days ago
This was posted 18 hours ago. If you can't either verify the user has actual access to other people's consoles (at which point you should be immediately turning access off) in 18 hours, then you should probably just close up shop because you have no business providing remote access to a can of soup much less someone's firewall.

If the user in question was making it up, you should also have posted within minutes of discovery that the user in question (and multiple other people) were making false claims.

Again, they've chosen the "we're looking into it" route which is always reassuring.

link
kevincox 922 days ago
> If you can't either verify the user has actual access to other people's consoles [...] in 18 hours, then you should probably just close up shop

It's impossible to prove a negative. Maybe they believe that this was user error/malice but are doing more research to confirm this and find evidence of a vulnerability.

link
tw04 922 days ago
>It's impossible to prove a negative. Maybe they believe that this was user error/malice but are doing more research to confirm this and find evidence of a vulnerability.

So it's impossible for me to prove that nobody has walked through my front door today? I'm quite confident it isn't. I'm also confident if they have sane logging in place, they can prove accounts weren't being accessed by unauthorized users.

You're also talking in vagaries like they're hunting a ghost. They've been interacting with a willing end-user who originally reported the error.

link
cyral 922 days ago
I was typing exactly this when I saw your comment. This could very well be a real issue, but could also be a nefarious attack or even just incompetence. I've done support before and there are always users convinced that they are "hacked" or that we are doing something shady because they forgot their friend logged in on their device or forgot that they actually made two accounts in the past.
link